[dns-operations] Massive DNS poisoning attacks in Brazil
Paul Hoffman
paul.hoffman at vpnc.org
Wed Oct 3 14:29:00 UTC 2012
On Oct 3, 2012, at 6:38 AM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: Tony Finch <dot at dotat.at>
>> To: Paul Vixie <paul at redbarn.org>
>
>> Paul Vixie <paul at redbarn.org> wrote:
>>>
>>> in <http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html> i
>>> was thinking that we'd add "send chain" as an edns option, and then add
>
>> I like this plan.
>
> All of those DNS tunneling, triggering, alternate port, and other
> variant protocol schemes for dealing with hotels and public access
> points attacks on DNS are either unnecessary in the long run or depend
> on practically no one ever using them. They are like the ad hoc schemes
> subscribers to this mailing list use to tunnel other protocols home.
>
> Any popular scheme that works around DNS, HTTP, ssh, etc.
> man-in-the-middle attacks that become popular will be blocked,
> proxied, or hijacked unless most users normally use tools that
> detect and refuse to work with men in the middle.
>
> If the browsers and stub DNS servers of most users did DNSSEC, DANE,
> and HSTS, then any men in the middle will be obvious and won't be
> installed except for purposes that users tolerate including access
> point login, employment behind corporate firewalls, and living under
> authoritative regimes. In addition, those tunneling schemes will be
> unnecessary.
>
> To put it another way, if HTTP replaced IP as the Internet protocol
> without any real improvements in end to end security, then the
> censors and hijackers would apply their tools to HTTP.
I fully agree with all of this, but it leaves the question: what about tunneling DNS in TLS-over-HTTP? The earlier statement about why this would not work (corporations getting MITM certificates from bad actors in the root pile) doesn't actually apply because the client will have a single TLS trust anchor, possibly even one not even in the root pile.
--Paul Hoffman
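The single-trust-anchor client described in the reply above, sketched as an added example that is not part of the original message or any poster's code. The HTTPS POST of a wire-format query with the `application/dns-message` media type (as later standardized in RFC 8484), port 443, and the names `build_query`, `single_anchor_context` and `tunnel_query` are assumptions made for illustration.

```python
import http.client
import ssl
import struct
from typing import Optional


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode one DNS question in RFC 1035 wire format (RD set, class IN)."""
    qname = b""
    for label in name.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError("bad label length in %r" % name)
        qname += bytes([len(label)]) + label
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def single_anchor_context(anchor_pem: Optional[str] = None) -> ssl.SSLContext:
    """Client context whose trust store holds only the given anchor.

    PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking and
    starts with an empty store. load_default_certs() is never called, so a
    chain ending at any CA from the system root pile fails verification.
    With anchor_pem=None the store stays empty and every handshake fails.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if anchor_pem is not None:
        ctx.load_verify_locations(cadata=anchor_pem)
    return ctx


def tunnel_query(host: str, path: str, anchor_pem: str, name: str) -> bytes:
    """POST a wire-format query over HTTPS; raises ssl.SSLError on a MITM cert."""
    conn = http.client.HTTPSConnection(
        host, 443, timeout=5, context=single_anchor_context(anchor_pem))
    try:
        conn.request("POST", path, body=build_query(name),
                     headers={"Content-Type": "application/dns-message"})
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError("resolver returned HTTP %d" % resp.status)
        return resp.read()
    finally:
        conn.close()
```

A middlebox presenting a certificate issued by a publicly trusted CA fails the handshake here, because that CA is not in the context's store; the failure surfaces as `ssl.SSLCertVerificationError` rather than a silently intercepted answer.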