Re: [perpass] DNS confidentiality
Dan York <york@isoc.org> Wed, 13 November 2013 15:32 UTC
Return-Path: <york@isoc.org>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C787121E8145 for <perpass@ietfa.amsl.com>; Wed, 13 Nov 2013 07:32:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TkNIJ87MZD49 for <perpass@ietfa.amsl.com>; Wed, 13 Nov 2013 07:32:09 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0157.outbound.protection.outlook.com [207.46.163.157]) by ietfa.amsl.com (Postfix) with ESMTP id 5E02B21E8130 for <perpass@ietf.org>; Wed, 13 Nov 2013 07:32:09 -0800 (PST)
Received: from BN1PR06MB072.namprd06.prod.outlook.com (10.242.211.17) by BN1PR06MB070.namprd06.prod.outlook.com (10.242.211.12) with Microsoft SMTP Server (TLS) id 15.0.785.10; Wed, 13 Nov 2013 15:32:07 +0000
Received: from BN1PR06MB072.namprd06.prod.outlook.com ([169.254.5.185]) by BN1PR06MB072.namprd06.prod.outlook.com ([169.254.5.185]) with mapi id 15.00.0785.001; Wed, 13 Nov 2013 15:32:07 +0000
From: Dan York <york@isoc.org>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [perpass] DNS confidentiality
Thread-Index: AQHOuQI4t76GJ0/ks0CciXEiX6amc5nUwR0AgAGerYCAAAW+AIAAAWyAgEnVC4CAAwkwgA==
Date: Wed, 13 Nov 2013 15:32:06 +0000
Message-ID: <CEA8FA9E.CDB2%york@isoc.org>
In-Reply-To: <20131111121027.GA31723@sources.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [74.75.92.114]
x-forefront-prvs: 0029F17A3F
x-forefront-antispam-report: SFV:NSPM; SFS:(24454002)(189002)(199002)(52604005)(51704005)(479174003)(377454003)(4396001)(49866001)(66066001)(80022001)(65816001)(81686001)(63696002)(31966008)(15395725003)(79102001)(15975445006)(74662001)(74502001)(81816001)(47446002)(50986001)(47976001)(15202345003)(47736001)(51856001)(59766001)(74876001)(54316002)(2656002)(87266001)(81542001)(77982001)(74366001)(53806001)(54356001)(69226001)(76482001)(46102001)(81342001)(74706001)(56776001)(83072001)(80976001)(83322001)(19580395003)(77096001)(56816003)(85306002)(76786001)(76176001)(36756003)(76796001)(19580405001)(87936001); DIR:OUT; SFP:; SCL:1; SRVR:BN1PR06MB070; H:BN1PR06MB072.namprd06.prod.outlook.com; CLIP:74.75.92.114; FPR:; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <96B9160A6CEFCF40851EBB12CF075FB5@namprd06.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
Cc: perpass <perpass@ietf.org>, Andy Wilson <andrewgwilson@gmail.com>
Subject: Re: [perpass] DNS confidentiality
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2013 15:32:13 -0000
Stephane, On 11/11/13 7:10 AM, "Stephane Bortzmeyer" <bortzmeyer@nic.fr> wrote: >> May be starting with the more modest but certainly useful "DNS >> privacy considerations" Internet-Draft? Such a document, just >> documenting the problem, would be a good idea, IMHO. > >Done. >http://tools.ietf.org/html/draft-bortzmeyer-perpass-dns-privacy Excellent draft! Thank you for taking the time to write this and I very much support the draft and the material you've written. A few comments: In section 3.2, "On the wire", it might be worth expanding a bit to note that the attack surface between the stub resolver and the caching resolver can vary widely depending upon how the end user's computer is configured. It seems to me there are typically 4 different locations that may be configured as the caching resolver. Here is some draft text for your consideration: ---- 1. Resolver at the ISP - For most residential users and potentially other networks the typical case is for the end user's computer to be configured (typically automatically through DHCP) with the addresses of the DNS resolver at the ISP. The attack surface for on-the-wire attacks is therefore from the end user system across the local network and across the ISPs network to the ISP's resolvers. 2. Resolver at the local network edge - For many/most enterprise networks and for some residential users the caching resolver may exist on a server at the edge of the local network. In this case the attack surface is the local network. Note that in large enterprise networks the DNS resolver may not be located at the edge of the local network but rather at the edge of the overall enterprise network. In this case the enterprise network could be thought of as similar to the ISP network referenced above. 3. Resolver at a public DNS service - Some end users may be configured to use public DNS resolvers such as those operated by Google's Public DNS or the OpenDNS team. The end user may have configured their machine to use these DNS resolvers themselves - or their ISP may choose to use the public DNS resolvers rather than operating their own resolvers. In this case the attack surface is the entire public Internet between the end user's connection and the public DNS service. 4. Resolver on the end user's computer - In a small number of cases, individuals may choose to operate their own DNS resolver on their local machine. In this case the attack surface for the stub resolver to caching resolver connection is limited to that single machine. ---- There could be additional cases but those are what came to my mind. From an attack perspective it's obviously much harder to do an on-the-wire attack between a stub resolver and caching resolver against someone running a caching resolver on the edge of their local network (or on their machine) than it is against someone using a public DNS service. In some of Geoff Huston's recent DNSSEC measurements that he's presented at various events, one interesting aspect was the very high percentage of people in some regions who were using Google's Public DNS servers. I seem to recall at Geoff's presentation at the IEPG meeting in Berlin in July he mentioned that it seemed like the major ISPs in some countries had all decided to use Google's servers vs running their own. In section 3.3.2 you state: ---- As of today, all the instances of one root name server, L-root, receive together around 20 kq/s. ---- I can't find "kq/s" defined anywhere in the draft and so you might want to expand this here. I'm assuming you mean "kilo-queries per second", correct? In section 6.1 about possible solutions to "On the wire" attacks, I would suggest perhaps putting all the text into a 6.1.1 titled "Encryption" and then creating a 6.1.2 called perhaps "Reducing the attack surface" with text along these lines (assuming text similar to what I wrote above is incorporated into section 3.2): ---- One mechanism to potentially mitigate on the wire attacks between stub resolvers and caching resolvers is to determine if the network location of the caching resolver can be moved closer to the end user's computer. As noted earlier in section 3.2, if an end user's computer is configured with a caching resolver on the edge of the local network, an attacker would need to gain access to that local network in order to successfully execute an on the wire attack against the stub resolver. On the other hand, if the end user's computer is configured to use a public DNS service as the caching resolver, the attacker needs to simply get in the network path between the end user and the public DNS server and so there is a much greater opportunity for a successful attack. Configuring a caching resolver closer to the end user can reduce the possibility of on the wire attacks. ---- Or something like thatŠ I enjoyed your section 7! :-) I have a few other editorial nits regarding wording that I'll send you privately. AgainŠ great draft. Thanks for taking the time to put it together. Dan -- Dan York Senior Content Strategist, Internet Society york@isoc.org <mailto:york@isoc.org> +1-802-735-1624 Jabber: york@jabber.isoc.org <mailto:york@jabber.isoc.org> Skype: danyork http://twitter.com/danyork http://www.internetsociety.org/deploy360/
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Andy Wilson
- [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ben Laurie
- Re: [perpass] DNS confidentiality Mark Handley
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Joseph Lorenzo Hall
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Paul Wouters
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Phillip Hallam-Baker
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality manning bill
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Karl Malbrain
- Re: [perpass] DNS confidentiality Hosnieh Rafiee
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Martin Thomson
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Stephen Farrell
- Re: [perpass] DNS confidentiality Yoav Nir
- Re: [perpass] DNS confidentiality Christian Huitema
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Ondřej Surý
- Re: [perpass] DNS confidentiality Michael Richardson
- Re: [perpass] DNS confidentiality Ted Lemon
- Re: [perpass] DNS confidentiality Dan York
- Re: [perpass] DNS confidentiality Ted Hardie
- Re: [perpass] DNS confidentiality Wiley, Glen
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephane Bortzmeyer
- Re: [perpass] DNS confidentiality Stephen Farrell