[dns-operations] Kaminsky: Protect IP Act Would Break DNS

Joe Greco jgreco at ns.sol.net
Sun Jul 17 12:08:04 UTC 2011

> [Authoritative DNS servers operator hat on.]
> On Sat, Jul 16, 2011 at 07:29:24AM -0500,
>  Joe Greco <jgreco at ns.sol.net> wrote 
>  a message of 74 lines which said:
> > Also, in the past decade, what was once considered a heavy duty
> > server is now available in the form factor of my cell phone.  The
> > resources to do resolution locally exist.
> The hardware resources. For the software, there are still a few
> improvements to make. For instance, to have a local resolver on your
> Ubuntu box, you need to:
> * install the server ('aptitude install unbound')
> * edit the DHCP config so ::1 is put before the DHCP-learned servers
> * work around the brokenness of middleboxes
> The first two points are not a big deal for a dns-operations subscriber
> but still too complicated for the average user.

That's probably not the most likely point at which to tackle the
issue, due to choices made years ago by Microsoft, etc.  Since your
average consumer doesn't use Ubuntu, you might as well discuss the
difficulty of setting up a local resolver on a Sun workstation.

Let's talk real world.  Let's talk your next door neighbor's network.
That's a Windows XP box, a Mac, some wifi, and random other devices
on a DHCP network hanging off a D-Link router.  The obvious place for
this sort of thing to start out is at the D-Link router; it offers a
single point at which a resolver can be installed for this "site" with
minimal hassle, and a bonus that the configuration of the rest of the
network is automagic.

Now the point here is that what probably should have happened a long
time ago is that users should have been given the option, on common
platforms, to run their own local recurser, but the software to do
that still isn't included and made easy to run several decades after
DNS has been introduced.  I'm not looking at this as a problem where
Windows XP users are going to have to be trained on how to download
some package and then configure it.  I'd really like to see modern
releases including local recursion capabilities, possibly with an
option to run in forwarding mode.  That would actually *reduce* the
load on ISP recursers, but provide a tickbox solution for going 
independent if the ISP were to engage in, oh, say, DNS redirection
for search and ad pages.

> The third point is
> really more complicated (there was a good talk at the SATIN conference
> this year about this issue, Wesley Hardaker "Enabling DNSSEC in
> Applications", which described the many broken things that lie between
> the user's machine and the authoritative name servers).
> For my cell phone (an Android CyanogenMod), I'm not sure there is a
> software solution ready.

There doesn't have to be.  I already said this wouldn't be a flag day
event.  There's nothing that forces you to avoid using a service
provider's recurser if you want to or must.

> > So, my question is this: Why aren't we pushing the recurser closer
> > to the user at this point?
> If we imagine a world where every laptop, pad and cell phone, has a
> full resolver, we have to think of the consequences on the
> authoritative name servers (increased traffic). Like David Conrad, I
> think it may be possible but we lack hard data. More research would be
> welcome.

That's like saying we lack hard data about climate change.  It's
technically true, and the most convincing way to test it is to see
what happens.  But the truth of the matter is that the consequences
for authoritative name servers are more or less irrelevant.  We're
talking about a gradual change, one that'd take place over years,
not one where you walk in tomorrow morning and the authoritative
server that was running at 10% CPU yesterday is now running at 200%
overload.  Your load very gradually goes up and the next time you 
replace your auth name servers, you might budget for a bigger box.

There would, on one hand, be an increase in auth server traffic.  On
the other hand, there would be a drop in ISP recurser server traffic.
It seems reasonable to expect that auth traffic would go up by a fair
bit, but this isn't twenty years ago, and resources are somewhat less
expensive than they used to be.  

> Maybe using the ISP's resolver as a forwarder would help. BTW, the
> point was already discussed here
> <https://lists.dns-oarc.net/pipermail/dns-operations/2011-February/006751.html>

We've been using a forwarding strategy for many years here, and that
works very nicely.  I've seen a lot of sites where they do some task
on a box that's lookup-intensive and it causes lots of network traffic
or even problems, especially where they're on the far end of a WAN
circuit of some sort.  The fun ones are where they're looking for 
something trivial like localhost, haha.

> > Your average CPE device is already offering DHCP and maybe some
> > basic content filtering services to LAN clients.  The CPU (but maybe
> > not the RAM) on these guys is sufficient for doing modest amounts of
> > recursion work for local clients.
> Does not work for the roaming machine, which has no CPE except itself.

Nothing works for everything, so, what are you saying, let's do 
nothing?  Poor argument.

I would rather see *something* done, and the home router is a great 
point to consider as it acts as a gateway to an entire home network.
No need to modify the home's client devices; that could come with
time and vendor-supplied OS patches.

> > If we remain married to this idea of centralized control over
> > recursion, that control is going to remain a tempting target for
> > policymakers who want to impose a fix for their Big Problem Of The
> > Day.
> The problem exists, yes (for instance, in France, in the censorship
> law, LOPPSI), but I'm not sure local resolvers will help: it is too
> easy to block port 53 outbound. Some ISPs already do it, to be sure
> users go through their lying resolver.

That's just another good reason to have a resolver on the CPE:  it
could offer CPE manufacturers an opportunity to tunnel DNS requests
to a platform provider like OpenDNS; OpenDNS already partners with
some of them (Netgear comes to mind) for things like parental
controls.  That goes in a different technical direction than what
I'm talking about, but results in the solution I'm toying with: 
end-user choice and less interference from local authorities, etc.,
with DNS resolution.

... JG
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
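Added example, not part of this thread or of any unbound or Ubuntu documentation: a script that turns the three setup steps quoted above (install a local resolver, put ::1 before the DHCP-learned servers, keep the ISP resolver available) into something concrete, with the "forwarding mode" option Joe mentions. It assumes unbound's configuration syntax, a dhclient-based DHCP client, and constructed placeholder ISP resolver addresses in the 192.0.2.0/24 documentation range; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the list thread). Generates an unbound.conf for a
# host that resolves locally, optionally forwarding to the ISP's resolvers,
# and shows the resolv.conf ordering step from the thread.
# Assumptions: unbound config syntax, dhclient as the DHCP client,
# constructed ISP resolver addresses (192.0.2.x is a documentation range).

# Emit an unbound.conf on stdout.
#   $1 = "recurse" for full iterative resolution from the root,
#        "forward" to send every query to the upstream list in $2.
gen_unbound_conf() {
    mode="$1"
    upstreams="$2"
    cat <<EOF
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    # refresh popular records before they expire, so the authoritative
    # servers see fewer repeat queries from this host
    prefetch: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
EOF
    if [ "$mode" = "forward" ]; then
        # forwarding mode: validate locally, but let the ISP cache do the
        # iteration (reduces auth-server load, keeps a local escape hatch)
        echo "forward-zone:"
        echo '    name: "."'
        for addr in $upstreams; do
            echo "    forward-addr: $addr"
        done
    fi
}

# Build the nameserver order resolv.conf should carry: the local resolver
# first, then the DHCP-learned servers as a fallback, duplicates removed.
# $1 = space-separated list of servers as DHCP handed them out.
order_nameservers() {
    dhcp_servers="$1"
    result="::1 127.0.0.1"
    for s in $dhcp_servers; do
        case " $result " in
            *" $s "*) ;;                     # already present, skip
            *) result="$result $s" ;;
        esac
    done
    echo "$result"
}

# The dhclient.conf directive that achieves the same ordering automatically.
dhclient_prepend_line() {
    echo "prepend domain-name-servers 127.0.0.1;"
}

# Constructed sample input: two ISP resolvers as DHCP would deliver them.
ISP_SERVERS="192.0.2.53 192.0.2.54"

main() {
    echo "# --- unbound.conf (forwarding mode) ---"
    gen_unbound_conf forward "$ISP_SERVERS"
    echo "# --- resolv.conf nameserver order ---"
    order_nameservers "$ISP_SERVERS"
    echo "# --- dhclient.conf line ---"
    dhclient_prepend_line
}

main
```

Switching the first argument of `gen_unbound_conf` to `recurse` drops the `forward-zone` stanza, which is the "going independent" tickbox: the same host then iterates from the root itself and no longer depends on the ISP's cache at all.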
