Re: [Resolverless-dns] Paper on Resolver-less DNS

Paul Vixie <> Thu, 22 August 2019 01:08 UTC

From: Paul Vixie <>
To: Ted Lemon <>
Date: Thu, 22 Aug 2019 01:08:48 +0000
Message-ID: <1950174.j2oo942mI2@linux-9daj>
Organization: none
In-Reply-To: <>
References: <20190819203948.2BE688829F4@ary.qy> <9495312.8Az2s6tnoE@linux-9daj> <>

On Wednesday, 21 August 2019 20:09:11 UTC Ted Lemon wrote:
> On Aug 21, 2019, at 4:03 PM, Paul Vixie <> wrote:
> > the idea of having a web object tell my web browser which malware server
> > to go to in order to download a bitcoin miner, without being subject to
> > either control or monitoring by my private network operator (parental
> > controls, or corporate security), should terrify pretty much everybody.
> How would you prevent that?  The web page can always embed an IP address.

my experience with HSTS is that dotted-quad links are nearly impossible to use 
from an HTTPS web object, since they point either to an HTTP web object (which 
is a downgrade) or to an HTTPS object whose SNI is a dotted quad (which is 
hard to get a certificate for).

in any case it's not common and those may be the reasons. defacement attacks 
rely on the ability to move their ultimate payload around and they use a DNS 
name as an indirection layer so that they can keep it available during cat and 
mouse takedown games.

if linking to dotted quads worked securely and robustly, i expect that we'd 
see more of this in the non-criminal web, and less pressure for "resolverless 
dns" as a way to avoid DNS lookups.
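The two failure modes named above (an HTTPS page linking to a plain-HTTP object, or to an HTTPS object whose host is an IP literal with no DNS indirection) are easy to audit for on the defender's side. The following is an added example written for this archive page, not code from the message or its author: it extracts `href`/`src` values from a constructed HTML fragment and classifies each link. Names (`classify_link`, `audit_page`, `SAMPLE_HTML`) and the page URL `https://www.example.org/` are assumptions made for the example; it uses only the Python standard library.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def classify_link(page_url: str, href: str) -> str:
    """Classify one link found in an HTTPS page.

    Returns one of:
      "downgrade"  - an https page linking to a plain-http object
      "ip-literal" - host is a dotted-quad or IPv6 literal, i.e. the link
                     has no DNS indirection layer (checked after downgrade)
      "dns-name"   - ordinary hostname link
      "other"      - non-http(s) scheme (mailto:, javascript:, data:)
    """
    page = urlparse(page_url)
    target = urlparse(urljoin(page_url, href))  # resolve relative links
    if target.scheme not in ("http", "https"):
        return "other"
    if page.scheme == "https" and target.scheme == "http":
        return "downgrade"
    host = target.hostname or ""  # urlparse strips IPv6 brackets here
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        return "dns-name"


class _HrefCollector(HTMLParser):
    """Collects href= and src= attribute values from any tag."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.hrefs.append(value)


def audit_page(page_url: str, html: str) -> dict[str, list[str]]:
    """Group every link in `html` by the category classify_link assigns."""
    collector = _HrefCollector()
    collector.feed(html)
    report: dict[str, list[str]] = {
        "downgrade": [], "ip-literal": [], "dns-name": [], "other": []
    }
    for href in collector.hrefs:
        report[classify_link(page_url, href)].append(href)
    return report


# Constructed sample page: one named link, one http dotted-quad script,
# one https IPv6-literal link, one relative image, one mailto.
SAMPLE_HTML = """
<a href="https://example.com/page">named link</a>
<script src="http://203.0.113.7/lib.js"></script>
<a href="https://[2001:db8::1]/payload">v6 literal</a>
<img src="/static/logo.png">
<a href="mailto:someone@example.com">mail</a>
"""

if __name__ == "__main__":
    for category, links in audit_page("https://www.example.org/index.html", SAMPLE_HTML).items():
        print(f"{category:11s} {links}")
```

Downgrade is tested before the IP-literal check, so an `http://` dotted-quad link is reported as a downgrade (the case a browser's HSTS policy would refuse); an `https://` link to an IP literal is the second case, where RFC 6066 forbids an IP address in the SNI HostName and a publicly trusted certificate for the bare address is the obstacle the message describes.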