Re: [Resolverless-dns] Paper on Resolver-less DNS

Ben Schwartz <> Wed, 14 August 2019 21:11 UTC


Thanks for conducting this investigation, Erik!

In my view, the two main concerns with resolverless architectures have been
(1) simplifying stolen key attacks and (2) potential interference with
DNS-based load balancing.

Currently, an attacker who has stolen a TLS private key also needs control
of the victim's network in order to mount an impersonation attack.
Resolverless DNS (especially without DNSSEC, as in your model) might make
these attacks much easier to execute, by sending the victim a DNS record
that points the compromised domain to the attacker's IP address.

Domains that rely on DNS-based load balancing have concerns about third
parties handing out DNS records for their domains.  These third parties
might (accidentally) provide the same DNS record to all of their users,
overloading a particular server instead of spreading the load across many

If you're interested in this topic, I hope you'll think a bit about these
problems, and see if you find a way to solve them.

On Tue, Aug 13, 2019 at 8:07 AM Erik Sy <>

> Hi all,
> I wrote a paper to clarify the design of resolver-less DNS and to
> investigate its feasibility.
> You can find the paper here:
> In total, I think this is a great performance-optimization especially
> for clients on high-latency access networks. Furthermore, it can improve
> the client's privacy posture towards the recursive DNS resolver.
> Best regards,
> Erik
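As an added illustration of the load-balancing concern raised above (example code, not from the thread or the paper), the simulation below compares how 1000 clients spread across four constructed backend addresses when each client resolves on its own, when a third party pushes the single record it happened to receive to everyone, and, going one step beyond the message, when it pushes the whole RRset and each client picks an address at random. The backend addresses, client count and round-robin authoritative behaviour are assumptions.

```python
import random
from collections import Counter

# Constructed example: four backend addresses behind one load-balanced name.
BACKENDS = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]


class AuthoritativeServer:
    """Assumed authoritative behaviour: round-robin, each query gets a rotated RRset."""

    def __init__(self, rrset):
        self.rrset = list(rrset)
        self.calls = 0

    def query(self):
        shift = self.calls % len(self.rrset)
        self.calls += 1
        return self.rrset[shift:] + self.rrset[:shift]


def load_via_resolver(n_clients, auth):
    """Every client resolves on its own and connects to the first address it gets."""
    return Counter(auth.query()[0] for _ in range(n_clients))


def load_via_single_pushed_record(n_clients, auth):
    """A third party resolves once and hands that one address to all of its users."""
    pushed = auth.query()[0]
    return Counter(pushed for _ in range(n_clients))


def load_via_pushed_rrset(n_clients, auth, seed=0):
    """The third party pushes the full RRset; each client chooses uniformly at random."""
    rrset = auth.query()
    rng = random.Random(seed)  # seeded so the run is reproducible
    return Counter(rng.choice(rrset) for _ in range(n_clients))


def max_share(counter, n_clients):
    """Fraction of all clients that landed on the busiest backend (1.0 = total skew)."""
    return max(counter.values()) / n_clients


if __name__ == "__main__":
    for name, fn in [("own resolver", load_via_resolver),
                     ("single pushed record", load_via_single_pushed_record),
                     ("pushed RRset + client choice", load_via_pushed_rrset)]:
        print(f"{name:30s} busiest backend share = "
              f"{max_share(fn(1000, AuthoritativeServer(BACKENDS)), 1000):.2f}")
```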