[dns-operations] resolvers considered harmful

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Oct 23 16:28:35 UTC 2014


On Wed, Oct 22, 2014 at 12:47:39PM -0400,
 Mark Allman <mallman at icir.org> wrote 
 a message of 64 lines which said:

> Short paper / crazy idea for your amusement ...

The biggest problem I have with this paper is of terminology. I
thought at the beginning that the idea was to get rid of resolvers,
then it appeared you want a resolver, but on the end host, and the,
during the discussion here (your answer to David Conrad), it seems you
want to move the resolver to every application? I feel you redefined
the term resolver in a strange way. You cannot do DNS without a
resolver (or it would be a change of the protocol). The resolver can
be a big cluster farm with BIND on powerful servers at the ISP, or it
can be Unbound running on David Conrad's laptop (or mine) answering
only to localhost, or it can even be a library loaded by _all_
applications, it is still a resolver. "Removing the resolver" makes no
sense.

So, what is the real proposal? Having each application, on every host
(including printers, cameras and so on), include a DNS resolver? You
mention the example of HTTPS where each application includes a TLS
library. But the number of different TLS bugs in many libraries, or in
their use ("The most dangerous code in the world: validating SSL
certificates in non-browser software", by M. Georgiev, S. Iyengar,
S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov, In proceedings of ACM
CCS '12, pp. 38-49, 2012), bugs which are difficult to fix, seem to
indicate that this will be a maintenance nightmare. You declare in a
very offhand way that "removing the resolver" will make the attack
surface decrease while you suggest (apparently) to multiply the bugs
in resolvers by the number of apps * the nummber of devices.

Then, when it comes to privacy (the biggest problem with your
proposal), I strongly disagree with the way you get rid of the
problems by saying "we note that many users are willing to use open
shared resolvers (e.g., Google DNS) and are therefore comfortable with
directly attributable DNS requests arriving at a large third-party
network". This is propaganda, not science. Users use Google Public DNS
because their ISP's resolver is broken or slow, or because the ISP
censors <http://www.bortzmeyer.org/dns-routing-hijack-turkey.html> or
because the IP address is cool or simply because they feel that it's
Google so it must be nice. They never perform an assessment of the
public resolver privacy policy and practices, and they certainly don't
analyze the tradeoffs. Most users (even most IT professionals) have
no idea of the complex privacy issues associated with DNS.





More information about the dns-operations mailing list