IETF Logo Mail Archive

Re: [ietf] DNS spoofing at captive portals

Keith Moore <moore@network-heretics.com> Fri, 24 September 2010 19:45 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE1C43A6B7D for <ietf@core3.amsl.com>; Fri, 24 Sep 2010 12:45:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.411
X-Spam-Level:
X-Spam-Status: No, score=-2.411 tagged_above=-999 required=5 tests=[AWL=-0.112, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rRWqk6zLqUOM for <ietf@core3.amsl.com>; Fri, 24 Sep 2010 12:45:56 -0700 (PDT)
Received: from m1.imap-partners.net (m1.imap-partners.net [64.13.152.131]) by core3.amsl.com (Postfix) with ESMTP id 28A373A6B82 for <ietf@ietf.org>; Fri, 24 Sep 2010 12:45:45 -0700 (PDT)
Received: from 99-205-255-194.pools.spcsdns.net (99-205-255-194.pools.spcsdns.net [99.205.255.194]) by m1.imap-partners.net (MOS 4.1.8-GA) with ESMTP id CFR95416 (AUTH admin@network-heretics.com); Fri, 24 Sep 2010 12:46:05 -0700
X-Mirapoint-Received-SPF: 99.205.255.194 99-205-255-194.pools.spcsdns.net <moore@network-heretics.com> 5 none
X-Mirapoint-Received-SPF: 99.205.255.194 99-205-255-194.pools.spcsdns.net <moore@network-heretics.com> 5 none
X-Mirapoint-Received-SPF: 99.205.255.194 99-205-255-194.pools.spcsdns.net <moore@network-heretics.com> 5 none
X-Mirapoint-Received-SPF: 99.205.255.194 99-205-255-194.pools.spcsdns.net <moore@network-heretics.com> 5 none
Subject: Re: [ietf] DNS spoofing at captive portals
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="iso-8859-1"
From: Keith Moore <moore@network-heretics.com>
In-Reply-To: <201009241238.OAA29283@TR-Sys.de>
Date: Fri, 24 Sep 2010 15:46:05 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <6D0AD9D1-3ADE-4E08-9481-AEAB32D901CE@network-heretics.com>
References: <201009241238.OAA29283@TR-Sys.de>
To: Alfred HÎnes <ah@TR-Sys.de>
X-Mailer: Apple Mail (2.1081)
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 19:45:58 -0000

On Sep 24, 2010, at 8:38 AM, Alfred HÎnes wrote:

> At Fri, 24 Sep 2010 07:21:21 -0400,  Michael Richardson wrote:
> 
>> Has the IETF (or rather then IAB) written any simple documents that
>> explain to less informed (i.e. marketing/product) managers why it
>> is a bad thing for a captive portal to spoof DNS replies?
>> (not just in regard to DNSSEC, but also in regards to just caching)
> 
> a) Most of the arguments explained in the 2003 IAB Commentary:
>   "Architectural Concerns on the use of DNS Wildcards",
>   <http://www.IAB.ORG/documents/docs/2003-09-20-dns-wildcards.html>,
>   apply in a similar fashion, but it indeed would be a good idea
>   to produce such document.  I think much text from 2003 could
>   be leveraged.

One important thing to realize is that this kind of "service" isn't always implemented using wildcards.  Sometimes the "service" is implemented using interception proxies.

> b) It should be clearly spelled out that this practice falls among the
>   category of actions commonly known as man-in-the-middle attacks.

Agreed.  Actually, when a server or interception proxy deliberately misrepresents the contents of others' DNS zones, the appropriate term (IMO) is "fraud".   

IANAL but would think that such practice should expose the operator of the server or proxy to civil and/or criminal action, both from the operators of the zones whose RRs are being misrepresented, and from the users' whose applications are affected.

> c) draft-livingood-dns-redirect and draft-livingood-dns-malwareprotect
>   descibe these "services" in a much too friendly tone;

Strongly agree, at least for the -redirect draft.  At the very least, a distinction needs to be made between services which the individual user deliberately chooses, and services which are imposed without the users' knowledge or consent.  The draft also glosses over the problems created by this practice for all applications other than web browsing by human beings.   Not only does this provide misleading error indications for all other applications, it even breaks applications that are layered on top of HTTP.

> d) In my personal opinion, the original idea of having recursive
>   DNS resolvers located "close to the hosts" should be given more
>   traction again in the future.  All kinds of SOHO access gateways
>   or home gateways should preferably offer (locally) full recursive
>   and validating DNS resolution service.

Agree with this also.  In many cases the ideal model seems to be one in which the host serves as its own primary DNS server, or at least as the master DNS zone. 

Keith

v2.23.0 | Report a Bug | By Email