[dns-operations] resolvers considered harmful

Phillip Hallam-Baker phill at hallambaker.com
Thu Oct 23 21:10:16 UTC 2014


On Thu, Oct 23, 2014 at 2:31 PM, Paul Vixie <paul at redbarn.org> wrote:

>
>
>   Phillip Hallam-Baker <phill at hallambaker.com>
>  Thursday, October 23, 2014 11:25 AM
>
>
> ...
> Bottom line is that if you try to use port 53 for client-recursive you
> will find yourself under MITM attack much of the time. And its not even all
> malicious. A lot of ISPs are MITM the DNS traffic so they don't get one of
> the big TLDs onto their case for allowing their customers to do DDoS.
>
>
> my bottom line is related and similar: rdns is hard, and can't scale to
> the actual internet access edge, currently two billion or more devices, and
> growing; we need a well guarded path (like HTTPS without any X.509 CA
> intermediaries telling us what key to trust -- SSL keying material has to
> be exchanged in some more-trustful way), to get from large numbers of stubs
> to moderate numbers of recursives.
>

My view precisely. Except that I am prepared to make the default mechanism
to be to use of SSL and an EV cert to jump start the process of making the
initial contact between the relying party and the resolution service. With
the option of manual keying if you choose.


So the very first time you bought your very first a machine and started it
up, you would choose your DNS resolution provider, e.g. dnsbycomodo.com. If
you are using a public resolver, you give it the DNS name of the service
provider and it uses legacy DHCP DNS and the WebPKI (preferably an EV cert)
to establish first contact over TLS. Once the service credentials are
exchanged the binding between that machine and the DNS service selected can
be permanent.

If you are using a private resolver then you are probably not providing
open service to anyone on the net. You are going to only want to provide
access to people who have been issued accounts. So the binding mechanism is
likely to involve some sort of account and PIN code activation or
confirmation of the access request from another device.



> otherwise the DNS data path leading to the edge will continue to look
> like, and be treated like, raw meat by the thin margin internet access
> providers looking to plump up their revenue by selling ads one way and
> telemetry the other way.
>

Since any new protocol is going to be encrypted there is no reason to use
the same port or indeed a well known port for discovery.

Looking ahead to IPv6, the large address space offers a lot of options for
DDoS mitigation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141023/d7dc1c46/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141023/d7dc1c46/attachment.jpg>


More information about the dns-operations mailing list