Re: [Resolverless-dns] Paper on Resolver-less DNS

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 02 September 2019 21:32 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: resolverless-dns@ietfa.amsl.com
Delivered-To: resolverless-dns@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D848F12004A for <resolverless-dns@ietfa.amsl.com>; Mon, 2 Sep 2019 14:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hT3HE2dyMVkp for <resolverless-dns@ietfa.amsl.com>; Mon, 2 Sep 2019 14:32:42 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F8231200E7 for <resolverless-dns@ietf.org>; Mon, 2 Sep 2019 14:32:42 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 95EE429B4E4; Mon, 2 Sep 2019 17:32:41 -0400 (EDT)
Date: Mon, 02 Sep 2019 17:32:41 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: resolverless-dns@ietf.org
Message-ID: <20190902213241.GI70599@straasha.imrryr.org>
Reply-To: resolverless-dns@ietf.org
References: <220061a8-608c-0a87-4656-213c87979284@informatik.uni-hamburg.de> <849BE7D4-A07E-496B-B413-E1C979390DA8@osterweil.net> <b2b3e56a-c577-f08a-627a-f54e2e6fadb6@informatik.uni-hamburg.de> <f093a605-6e7d-0237-df5c-441d6789c66f@erik-sy.de> <54892F22-27E4-4444-9CC8-2D9E84A9668F@dukhovni.org> <4ec7dd1d-e914-0adb-4240-296f2f762b5f@informatik.uni-hamburg.de> <ADC6E119-0EED-4990-A975-F594C9282872@dukhovni.org> <64650d58-924f-c0f3-d181-614d59527477@informatik.uni-hamburg.de> <20190830053023.GE90696@straasha.imrryr.org> <f81ec73d-879e-0427-e11b-0973e01034c3@informatik.uni-hamburg.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <f81ec73d-879e-0427-e11b-0973e01034c3@informatik.uni-hamburg.de>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/wtNy_pvaRHdctd9KoBytMGWslNM>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS
X-BeenThere: resolverless-dns@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <resolverless-dns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/resolverless-dns/>
List-Post: <mailto:resolverless-dns@ietf.org>
List-Help: <mailto:resolverless-dns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Sep 2019 21:32:45 -0000

On Mon, Sep 02, 2019 at 10:52:30PM +0200, Erik Sy wrote:

> > IIRC the protocol allows any authenticated server (with Let's
> > Encrypt, that's everybody) to return "out-of-bailiwick" answers
> > (for any unrelated domain).
> >
> > Yes, a client's designated resolver can also do that, but some
> > clients perform local DNSSEC validation,
>
> Can you name a popular client doing DNSSEC validation in a web browsing
> scenario?

Any client behind a nearby (local or private network) validating
resolver.

> >  and in any case there's a
> > big difference between trusting name resolution to a set of dedicated
> > resolvers, vs. each and every server one happens to visit (by
> > clicking on a malicious link for example).
>
> Note, that in resolver-less DNS the client does not trust received DNS
> records like it is common for the traditional DNS. Instead, the client
> validates these DNS records.

No, it validates that the server on the other end of the connection
has the expected certificate, which is rather different from the
actual addresses being valid.

> >>> It introduce a new cache-poisoning channel, and surprising differences
> >>> between the IP addresses a browser might use to reach a site from cold
> >>> start vs. after visiting some unrelated site.
> >> Also traditional DNS resolvers are vulnerable to cache-poisoning attacks.
> > Not with DNSSEC validation,
>
> Do you mean the client is doing DNSSEC validation?

In most cases the resolver, not the client.  But the server may be
sufficiently local, and it is much easier for attackers to entice
users to visit a hostile site than to perform a off-path cache
poisoning attack.

> > and modestly difficult off-path.  But
> > with this proposal, you get cache poisoing by design from any
> > off-path server the client happens to visit.
> 
> Do you mind describing an concrete attack?

The hostile website vends fake IPv6 addresses for domains it does
not control (in an address range it does control) to the browser.
When the user later visits one of the cache poisoned sites, the
connection is tracked.  Further surprising to the user is that
unlike visits to links via the site tracked via redirects, the
target domain need not even be one vended in any link from the
hostile site.  Use of a TTL captures furthe interaction with the
remote site, not just the initial connection.

> It is an easy task for an web server to track user visits to other sites
> by using for example redirects as Google Search is doing.

Resolverless-DNS as proposed makes this far more troubling.  I don't
have to click on Google's tracked links.  But as proposed, a website
can arbitrarily populate my cache for destinations it wants to
monitor (for some time after I've long left the original site, given
that the records have a TTL).

> First, it is quite uncommon that people run their own DNS resolver.

Times change.  Some security-conscious users are starting to use
more secure home routers:

	https://www.turris.cz/en/omnia/

which include a sufficiently local validating resolver, that
communicates with a trusted upstream via DoT.

> Second, running an own DNS resolver generates new privacy and
> performance problems.

FWIW, my validating resolver forwards to (load shares its queries
across) multiple public validating resolvers (Cloudflare, Google,
Verisign and Quad9).  So there are no new privacy issues, just
a reasonable expectation that validation happens sufficiently
close to my browser to make cache poisoning rather difficult.

> >  Your proposal would delegate this ability
> > to every random server I visit.  That's a security fail.
> 
> I do not understand why this should be a security fail. In my opinion it
> is not even an additional privacy failure because the privacy leak
> existed before using common techniques such as redirects.

The scope is much worse, as explained above.

-- 
	Viktor.