IETF Logo Mail Archive

Re: [Doh] Fallback to untrusted DOH servers

Ted Lemon <mellon@fugue.com> Sat, 14 April 2018 17:34 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6CFF120725 for <doh@ietfa.amsl.com>; Sat, 14 Apr 2018 10:34:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2rBPTsLuFmNB for <doh@ietfa.amsl.com>; Sat, 14 Apr 2018 10:34:36 -0700 (PDT)
Received: from mail-pf0-x22d.google.com (mail-pf0-x22d.google.com [IPv6:2607:f8b0:400e:c00::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 395B91201FA for <doh@ietf.org>; Sat, 14 Apr 2018 10:34:36 -0700 (PDT)
Received: by mail-pf0-x22d.google.com with SMTP id p6so8503905pfn.4 for <doh@ietf.org>; Sat, 14 Apr 2018 10:34:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=nQMsNYI1eKP5WE4N6l9DyC727vO8UAinmZXhk55tO4U=; b=hlsMHEPCKS9uIhhhcrx9mQIiTPvZLKG0lZAscCJ6ZxlO56UVo3QFVOg8YvRMw71Smp niq9m/xxqcEXBTFj4DlEs03i9oTnP0P9ReHxSmzasL3HkA8hGpA5FaWwb1Y6MpmF7hVh YzPBGqsA2wcqcGh9+iEaTzghCnuhdlYoNe/3zNuozTvht4mn3NWHvXOMhA9fBDcxevOQ iqY2SHeBoxa+URSAFM4CGWAcJuZ/fRfgjckond4ftW6xFfWLuiYdrKoekcmt6+z29Va1 lx10/y3oU4kTw086G83pbM2kJQlZbpdIlMag52yUvLji5d2Qx0IJ/JyovHU6WegdyIbZ mnsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=nQMsNYI1eKP5WE4N6l9DyC727vO8UAinmZXhk55tO4U=; b=E5wf6H9KS/0jz+wlUSTwe8ZNDtXhWDm7FTmREwzLpPyubcCwi15TzpzZUjcXzrcmaP oxugJuiOycZCfbAYDCFtUj9dOdpqtrFyNoAmSaaEollRJCxG3OVO6tn9nmenyLOdOmUl N///cQH9IEneOAPIGE+0VooTU9r9N/PEXCFM0yzTcCbc5nyLhwCdOfG4FrxMjfQuqZyK 3v3vs9DmMfsyzeThzeUXeofd+YmRT+qO8exCKs4D4FlLw+db1gZCAE6URMwml+/4md0M KvqTJ3fnFMYvrdOpk//WRm8oUX7kc4ph6FrQnyUgYFj6Y+4julT2OOnHTzxtsktH2KIb snvQ==
X-Gm-Message-State: ALQs6tAESZz3s6yqd8qEfRTQOnN7eBSgX2v2MP0qGqPbUVlqDJVvq/qA E3WP2aR2KK3QsJQYuEMipzCq98petGo=
X-Google-Smtp-Source: AIpwx4+tacrXINpVpAncMc++8E1ZxlcWwhCmvyt6lNABS44CRlGi9jCfX38DPsuxMvmBkAdBunctxg==
X-Received: by 10.98.196.83 with SMTP id y80mr15833679pff.117.1523727275639; Sat, 14 Apr 2018 10:34:35 -0700 (PDT)
Received: from cavall.lan ([162.255.121.238]) by smtp.gmail.com with ESMTPSA id v23sm15378790pfn.65.2018.04.14.10.34.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 14 Apr 2018 10:34:34 -0700 (PDT)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <0471D49C-3047-4161-8EC3-A31D41573841@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2A409664-C992-4DCA-B6A7-7B2F741BD51C"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Sat, 14 Apr 2018 10:34:31 -0700
In-Reply-To: <f17cbdf0-cd88-9fa9-c83d-26e2cf13b8c1@o2.pl>
Cc: doh@ietf.org
To: Mateusz Jończyk <mat.jonczyk@o2.pl>
References: <f17cbdf0-cd88-9fa9-c83d-26e2cf13b8c1@o2.pl>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/b92n3U_HfSFeUVRAhXRXIPHRw8g>
Subject: Re: [Doh] Fallback to untrusted DOH servers
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Apr 2018 17:34:39 -0000

On Apr 14, 2018, at 9:36 AM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:
> It may happen that either no trustworthy DOH server has been configured, or the
> configured DOH server is not working. In such cases a DOH client would usually
> revert to using an untrusted DNS server on port 53, possibly one that was
> discovered through unsecure DHCP. This DNS resolver would also be able to poison
> DNS caches then.
> 
> I think that in this case it would be better to use whatever DOH server is
> available as an alternative to an even worse old-school DNS. To avoid cache
> poisoning attacks, the client would then have to drop DNS caches after switching
> to a more trustworthy DNS once it has been configured or is available.

What threat model do you want to address?   Two things spring to mind as things you might care about:
"do I trust the DNS server"
"is the connection to the DNS server private?"

If the resolver was configured with keying information that can be validated as part of making the connection to the server, then you trust the server.   What exactly that means is a question in itself, but let's take that for granted for now.

In the case of DOH-I-don't-know versus DNS-I-don't-know, you don't have (1), so it doesn't matter which one you use, except that if you use some method other than DHCP to get to the DOH server, potentially what you have reached is even _less_ trustworthy than the DNS server.   So you could as easily be worse off as better off.

What you do get with DOH-I-don't-know as compared to DNS-I-don't-know is (2), for some value of "private."

So what threats does preferring DOH protect you from?   What threats _doesn't_ it protect you from?   What vulnerabilities does it create?   I think you need to answer all three of these questions if you're going to make the case that untrusted DOH should be preferred over untrusted DNS.

Your question about the local resolver is interesting.   I think what it points to, though, is that what DOH does is to solve a very different problem than the problem you are trying to solve with it.

If you want to solve the problem you are proposing to solve, the place it needs to be solved is in the local stub resolver implementation.   This is something we've seen before, and there's even an RFC that talks about it, RFC7556.   From the perspective of RFC7556, your "trusted" DOH resolver represents a provisioning domain, and it's the domain in which you would prefer to look up names.   Your local DNS resolver represents another provisioning domain.   

Provisioning domain DNS caches must be separate, to avoid cache poisoning.   You might have a whitelist of domains that can be looked up using the local resolver, and all other domains are just not available if the trusted DOH server isn't present.   Or you could have a blacklist of domains that are only sent to the trusted DOH server, and other domains can go either way.   Or some other security policy.

v2.23.0 | Report a Bug | By Email