[dns-operations] resolvers considered harmful

Jelte Jansen jelte.jansen at sidn.nl
Thu Oct 23 13:29:09 UTC 2014

On 10/23/2014 03:07 AM, Mark Allman wrote:
> On the other hand, an endpoint can look up a name without listening for
> any request from the network.  We suggest this be an entirely local
> operation.  Think of it like this: just because I want to load the
> cnn.com web page I don't have to run httpd.  Well, just because I want
> to look up an A record for cnn.com doesn't mean I have to run bind.
> Could there be attacks against the internal lookup process on a host?
> Of course.  But, those are attacks that require some sort of access to
> the end host first.

Not necessarily; for instance, to 'do' kaminsky you need to cause
queries to be made, you don't need to make them yourself; you could have
some injected javascript in a hidden frame or something cause them.

I don't think there's an essential difference between a resolver at the
edge and a shared resolver in any other way than the 'shared' part. (BTW
I personally *do* run my own resolver, and on some systems even a local
one. This has more to do with not wanting to rely on my ISP than it has
to do with security, and it's certainly not a very good idea to do it
from a privacy point of view).

But back to the paper:

Like others, I think it can use much more information on scalability
issues for auths; one 'type' I haven't seen discussed is the root
servers. Perhaps it won't be noticed in all the garbage they get right
now, but perhaps the garbage they get will increase by a lot.

On increasing TTL: Most implementations don't keep state between
restarts, so even if a TTL of a week was practical from the operator's
view, any device that is restarted often (like, say, my desktop
computer) loses all of its cache. So while increasing the TTL may reduce
the number of queries, it's not completely clear how much from static
trace data.

I do not think putting multiple questions in one request is reliably
possible without heavy protocol changes; sure the protocol doesn't
forbid adding more records to the question section, but it doesn't
really have any way to answer them either; mostly because there is only
one rcode field. So I don't think that option is as easy as the paper
makes it out to be.
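To make the QDCOUNT/RCODE point concrete, here is an added illustration that is not part of the original post or of any DNS implementation. It builds a query whose question section carries two questions (the wire format permits any QDCOUNT), parses it back, and then tries to build a response: because the RFC 1035 header has exactly one 4-bit RCODE, a response can only express a single status for all questions, so mixed outcomes (say NOERROR for one name and NXDOMAIN for the other) have no encoding. The helper names (`build_query`, `parse_message`, `build_response`, `can_encode_outcomes`) and the sample names are my own; name compression is deliberately left unsupported.

```python
import struct

# RFC 1035 header RCODE values used below
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a wire-format name at offset off; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0:
            # constructed example: compression pointers are out of scope here
            raise ValueError("compression pointers not supported in this example")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_query(txid, questions):
    """Build a query with QDCOUNT = len(questions); the format allows more than one."""
    flags = 0x0100  # RD=1, everything else zero
    header = struct.pack("!HHHHHH", txid, flags, len(questions), 0, 0, 0)
    body = b"".join(encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
                    for name, qtype in questions)
    return header + body


def parse_message(msg):
    """Parse the 12-byte header and the question section of a DNS message."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rcode": flags & 0x000F,   # the one and only RCODE field in the message
        "qdcount": qdcount,
        "ancount": ancount,
        "questions": questions,
    }


def can_encode_outcomes(per_question_rcodes):
    """True only if every question ended with the same status; the header cannot say otherwise."""
    return len(set(per_question_rcodes)) <= 1


def build_response(query, per_question_rcodes):
    """Turn a query into an answer-less response carrying the single header RCODE."""
    parsed = parse_message(query)
    if len(per_question_rcodes) != parsed["qdcount"]:
        raise ValueError("expected one outcome per question")
    if not can_encode_outcomes(per_question_rcodes):
        raise ValueError("header has a single 4-bit RCODE; mixed per-question outcomes cannot be encoded")
    rcode = per_question_rcodes[0]
    flags = 0x8000 | 0x0100 | 0x0080 | rcode  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", parsed["id"], flags, parsed["qdcount"], 0, 0, 0)
    return header + query[12:]  # echo the question section unchanged


if __name__ == "__main__":
    # constructed sample: two questions in one message
    q = build_query(0x1234, [("example.com.", 1), ("example.net.", 28)])
    print(parse_message(q))
    print(parse_message(build_response(q, [RCODE_NOERROR, RCODE_NOERROR])))
    print("mixed outcomes encodable:", can_encode_outcomes([RCODE_NOERROR, RCODE_NXDOMAIN]))
```

The parser recovers both questions without complaint, which is the "protocol doesn't forbid it" half; `build_response` is where the "no way to answer them" half shows up, since the only place for a status is the header's four RCODE bits shared by every question in the message.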

