Re: [Driu] Suggestion: DHCP to choose a DNS provider from a list of trusted servers

Tom Pusateri <pusateri@bangj.com> Tue, 29 May 2018 22:03 UTC

From: Tom Pusateri <pusateri@bangj.com>
In-Reply-To: <6d6b7a24-a53d-5910-2817-f841258bf8df@o2.pl>
Date: Tue, 29 May 2018 18:03:00 -0400
Cc: driu@ietf.org
Message-Id: <8008958C-6B0B-4E6D-AC70-EC5422334BB2@bangj.com>
References: <6d6b7a24-a53d-5910-2817-f841258bf8df@o2.pl>
To: Mateusz Jończyk <mat.jonczyk@o2.pl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/driu/uWt7InHg1EC9RFjnfoca8xojyBA>
Subject: Re: [Driu] Suggestion: DHCP to choose a DNS provider from a list of trusted servers


> On May 22, 2018, at 11:04 AM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:
> 
> Hello,
> I have devised the following mechanism:
> 
> A DNS API client would have a list of "trustworthy" DNS API servers, but which
> DNS API server from that list is used could be selected using DHCP.
> 
> This would have the following advantages:
> 1. It would give network administrators an easy way to choose a DNS provider
> across a whole network (using DHCP) and configure it in one place instead of on
> multiple machines.
> 
> 2. It would also enable use of ISP's DNS API server (as a main server or as a
> fallback), which would make it possible to share global DNS load across many
> ISP's DNS servers.
> 
> At the same time, it would provide protection against phishing and rogue actors.
> 
> 
> 
> I have written some time ago why it is beneficial to enable fallback to ISP's
> DNS API servers (modified):
> 
> We may end up with the whole Internet using few DOH servers. There are probably
> few providers that would host publicly-available DOH servers: Cloudflare
> (1.1.1.1), Google, OpenDNS, IBM (or the folks responsible for 9.9.9.9) and
> possibly Microsoft and Apple (for use with Windows / macOS) [3]. I doubt that
> OpenDNS would be happy to have their DOH server configured in applications as
> default, and Microsoft and Apple as well (in products other than theirs).
> 
> This would be very different from the current situation where most people are
> using the DNS server of their own ISP.
> 
> That change may be great because it increases security, but could create several
> points of failure for the whole Internet [1]. It would be vulnerable to DoS. It
> is important to have some local fallback - i.e.
> DOH or DNS servers hosted by ISPs.

As evidenced by the recent Cloudflare BGP hijack, trusting an IP address isn’t sufficient.

You have to authenticate the server. Authentication via a Certificate Authority is not sufficient either. Any CA can sign any certificate. That leaves:
1. SPKI pinning
2. DANE/DNSSEC

You can’t trust the DNS information you learn via any mechanism (DHCP or hand configured) because it might not really be that server. You have to authenticate it.

This means that DHCP distribution is no more/less trustworthy than hand configuring. It’s just another source of DNS info that has to be verified.

Tom
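The check behind Tom's first option (SPKI pinning), as an added example that is not part of this thread or of any project named in it: a standard-library Python script that computes an RFC 7469 style pin (base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo) from a certificate and accepts a resolver only when that pin is in the configured set, so the address the resolver was reached at, whether learned from DHCP or typed in by hand, plays no part in the decision. The certificate is constructed inline with a small DER encoder (dummy key bytes, dummy signature), so the script runs offline; the names extract_spki, spki_pin, resolver_is_trusted, make_cert and the KEY_A/KEY_B sample values are this example's own.

```python
"""Added example: SPKI pinning for a DNS API (DoH/DoT) resolver, stdlib only."""
import base64
import hashlib

# ---- minimal DER helpers (SEQUENCE, INTEGER, OID, BIT STRING, UTCTime) ----

def _der_len(n: int) -> bytes:
    # DER length: short form below 128, otherwise minimal long form.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element with the given tag byte."""
    return bytes([tag]) + _der_len(len(body)) + body

def der_seq(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_read(buf: bytes, pos: int = 0):
    """Decode the element at buf[pos:]; return (tag, body, end_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def der_children(body: bytes):
    """Yield (tag, body) for each element inside a constructed element."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        yield tag, inner

# ---- SPKI extraction and pin check ----

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read(cert_der)
    tbs_tag, tbs_body, _ = der_read(cert_body)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:        # explicit [0] version present
        fields = fields[1:]
    spki_tag, spki_body = fields[5]            # serial, sigalg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return der_seq(spki_body)                  # DER is canonical, so this is the original element

def spki_pin(cert_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def resolver_is_trusted(cert_der: bytes, trusted_pins: set) -> bool:
    """Accept the resolver only if the key it presents matches a configured pin."""
    return spki_pin(cert_der) in trusted_pins

# ---- constructed sample certificates (no real keys, no real signature) ----

OID_RSA = bytes.fromhex("06092a864886f70d010101")        # rsaEncryption
OID_SHA256RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
NULL = b"\x05\x00"

def make_spki(pubkey_bytes: bytes) -> bytes:
    return der_seq(der_seq(OID_RSA, NULL), der_tlv(0x03, b"\x00" + pubkey_bytes))

def make_cert(pubkey_bytes: bytes) -> bytes:
    """Constructed certificate skeleton: only the structure matters for pinning."""
    empty_name = der_seq()
    validity = der_seq(der_tlv(0x17, b"180101000000Z"), der_tlv(0x17, b"190101000000Z"))
    tbs = der_seq(
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),   # [0] version v3
        der_tlv(0x02, b"\x01"),                   # serialNumber
        der_seq(OID_SHA256RSA, NULL),             # signature algorithm
        empty_name, validity, empty_name,
        make_spki(pubkey_bytes),
    )
    return der_seq(tbs, der_seq(OID_SHA256RSA, NULL), der_tlv(0x03, b"\x00" * 17))

KEY_A = bytes(range(1, 33))      # constructed: the key the operator pinned
KEY_B = bytes(range(100, 132))   # constructed: a different key presented at the "same" address
CERT_A, CERT_B = make_cert(KEY_A), make_cert(KEY_B)
TRUSTED_PINS = {spki_pin(CERT_A)}

def demo():
    """(pinned resolver accepted, impostor with another key rejected)"""
    return resolver_is_trusted(CERT_A, TRUSTED_PINS), resolver_is_trusted(CERT_B, TRUSTED_PINS)

if __name__ == "__main__":
    print(spki_pin(CERT_A), demo())
```

In a real client the DER certificate comes from the TLS handshake to the resolver (for example `ssl` socket `getpeercert(binary_form=True)`), and the pin set is what the application ships or the administrator configures; DHCP can still say which of the pinned resolvers to use, but the pin check is what establishes that the endpoint reached is the one intended.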