Re: [Resolverless-dns] Paper on Resolver-less DNS

Paul Vixie <paul@redbarn.org> Thu, 22 August 2019 01:08 UTC

From: Paul Vixie <paul@redbarn.org>
To: Ted Lemon <mellon@fugue.com>
Cc: resolverless-dns@ietf.org, sy@informatik.uni-hamburg.de
Date: Thu, 22 Aug 2019 01:08:48 +0000
Message-ID: <1950174.j2oo942mI2@linux-9daj>
Organization: none
In-Reply-To: <BC165966-60EC-415E-B4F1-8A51ABA6E20F@fugue.com>
References: <20190819203948.2BE688829F4@ary.qy> <9495312.8Az2s6tnoE@linux-9daj> <BC165966-60EC-415E-B4F1-8A51ABA6E20F@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/ltxG-L8gSP92zJYiQZ3Xgv_V31w>

On Wednesday, 21 August 2019 20:09:11 UTC Ted Lemon wrote:
> On Aug 21, 2019, at 4:03 PM, Paul Vixie <paul@redbarn.org> wrote:
> > the idea of having a web object tell my web browser which malware server
> > to go to in order to download a bitcoin miner, without being subject to
> > either control or monitoring by my private network operator (parental
> > controls, or corporate security), should terrify pretty much everybody.
> 
> How would you prevent that?  The web page can always embed an IP address.

my experience with HSTS is that dotted-quad links are nearly impossible to use 
from an HTTPS web object, since they point either to an HTTP web object (which 
is a downgrade) or to an HTTPS object whose SNI is a dotted quad (which is 
hard to get a certificate for.)

in any case it's not common and those may be the reasons. defacement attacks 
rely on the ability to move their ultimate payload around and they use a DNS 
name as an indirection layer so that they can keep it available during cat and 
mouse takedown games.

if linking to dotted quads worked securely and robustly, i expect that we'd 
see more of this in the non-criminal web, and less pressure for "resolverless 
dns" as a way to avoid DNS lookups.

-- 
Paul
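As an added example (not part of the thread, and not Paul Vixie's code), a small Python audit that classifies a page's links the way the message above describes: an `http://<ip>` link from an HTTPS page is a downgrade, an `https://<ip>` link needs a certificate issued for the IP literal, and neither passes through a DNS name that a private-network operator could see or filter. The HTML sample and the helper names are constructed for the demonstration.

```python
"""Audit the links in an HTML document for IP-literal hosts (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect every href/src value from a document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def classify(url, page_is_https=True):
    """Classify one link from a page served over HTTPS (default).

    'dns'              -> host is a name; DNS-based controls can see it
    'relative'         -> no host; inherits the page's origin
    'downgrade'        -> http://<ip> from an HTTPS page (mixed content)
    'ip-literal-https' -> https://<ip>; needs a cert for the IP literal
    """
    parts = urlparse(url)
    if not parts.hostname:
        return "relative"
    try:
        ipaddress.ip_address(parts.hostname)  # IPv4 or bracketed IPv6 literal
    except ValueError:
        return "dns"
    if parts.scheme == "http" and page_is_https:
        return "downgrade"
    if parts.scheme == "https":
        return "ip-literal-https"
    return "ip-literal-other"


def audit(html, page_is_https=True):
    """Map every link in the document to its classification."""
    parser = _LinkCollector()
    parser.feed(html)
    return {u: classify(u, page_is_https) for u in parser.links}


def flagged(html, page_is_https=True):
    """Only the links that bypass DNS entirely (constructed-sample friendly)."""
    return {u: c for u, c in audit(html, page_is_https).items()
            if c not in ("dns", "relative")}


# Constructed sample page; the hosts are documentation/example addresses.
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example.net/lib.js"></script>
<a href="http://192.0.2.10/asset.js">a</a>
<a href="https://[2001:db8::1]/update">b</a>
<a href="/local/page">c</a>
</body></html>"""
```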