[dns-operations] Capturing 8.8.8.8 Traffic
Mike Jones
mike at mikejones.in
Tue Feb 26 22:09:58 UTC 2013
On 26 February 2013 21:39, Mark Andrews <marka at isc.org> wrote:
>
> In message <CAAAas8GO=c52a+UA1n9SALqy8uYBTBO1L3v_+EvO+3h7TXmrgw at mail.gmail.com>
> , Mike Jones writes:
>> On 26 February 2013 14:34, Cutler James R <james.cutler at consultant.com> wrote
>> :
>> > On Feb 26, 2013, at 8:32 AM, Carlos M. Martinez <carlosm3011 at gmail.com> wro
>> te:
>> >
>> >> <Rant alert>
>> >>
>> >> Google might be doing X,Y or Z with DNS data, but IMO, the fact doesn't
>> >> excuse ISPs border filtering requests or spoofing 8.8.8.8/8.8.4.4
>> >>
>> >>> <SNIP/>
>> >
>> > There is no business justification for spending the time and money to desig
>> n and deploy DNS spoofing on speculation.
>> >
>> > Even more expensive will be the increase in support call costs.
>> >
>> > Topping it all will be the cost of good will loss when tampering with custo
>> mer traffic is discovered.
>>
>> I wonder if anyone can come up with a justification for why you would
>> intercept 8.8.8.8, but not 4.2.2.2, or 141.1.1.1, or 74.82.42.42,
>> or....?
>>
>> There are cases where it is arguably OK to intercept DNS traffic, such
>> as tightly controlled networks or certain netorks with visitors that
>> might have manual DNS servers set instead of getting them from DHCP.
>
> Twenty years ago that may have been reasonable but it hasn't been
> for the last decade. DHCP is use everywhere even with fixed equipment
> to assign static addresses. Today intecepting DNS just breaks
> people trying to do DNSSEC.
>
> You can't just divert DNS packets to a recursive server and have
> it work. You need a specialised server that doesn't follow the
> full DNS protocol. It has to recurse when not asked to. It has
> to fake "aa" responses. It has to pass through signed requests
> TSIG/SIG(0).
When your laptop and my laptop don't work because we have some
'special configuration' with a local validating resolver, but everyone
else is working fine - are they going to consider their network
broken? While you are correct about the 'right way' to do it,
unfortunately I suspect the most people don't care as much as we do.
The normal answer is 'you should be using our DNS servers instead'.
Those annoying 'real world' networks are why my I gave my laptop an
encrypted VPN* link back to other resolvers it could use. I found it
preferable to using the resolvers of someone that wants to mess with
my packets.
- Mike
More information about the dns-operations
mailing list