[dns-operations] DNS training at the NSA

David Dagon dagon at sudo.sh
Mon Jan 19 16:30:48 UTC 2015

On Sun, Jan 18, 2015 at 11:28:44AM +0100, Stephane Bortzmeyer wrote:
> On <http://www.spiegel.de/media/media-35658.pdf> p. 9 (NSA slides,
> leaked to the press), the DNS resolution process is strange, as if
> recursion, instead of iteration, were used by all DNS servers of the
> world, including the root name servers. Too much haste in using
> PowerPoint? Ignorance? Deliberate attempt to obfuscate the issue?
> I'm trying to find out if this NSA attack is a good use case for

I believe you're asking the question: Would DNSSEC create 'no-go
zones' for certain types of attacks?  (Apologies for the pun. :)

Absent some other unknown attack, real-time spoofing attacks require
pre-Kaminsky resolution logic (no SPR, no 0x20, perhaps even lack of
RFC 2181 handling logic, or misplaced reliance on djb dnscache, which
is readily poisonable, etc.)

From my own sinkhole authority resolvers, some 10-15% of recursives
still don't appear to do SPR, (or equivalently have their SPR
flattened out by CGN equipment).  I suspect they are trivially
vulnerable to a variety of off-path attacks.  

A ccTLD or popular authority would likely see a larger sampling of the
world's recursives, but I suspect my view is representative of an
Internet-wide average.  I do note that some types of activities, e.g.,
torrent use, tend to sample from recursives that are more secure.

So while DNSSEC would help avoid off-path DNS attacks, so would SPR,
0x20, etc.  One could say DNSSEC would help, but one could also say
that its adoption would be slow, given the lack of SPR is some

Other complications appear: From what I read in the press, some of the
DNS attacks were used to repurpose botnet infections.  It seems
unlikely that botmasters will sign their C&C zones.  Ironically, small
portions of the security community seem opposed to DNSSEC, usually
based on misunderstandings of the technology, misperceptions about
government control of zsks, or for unstated commercial competitive
reasons, etc.  This opposition, most prominent in the penetration
testing communities, might persuade fewer sites to sign their zones,
and fewer recursives to update old software.  In any event, I believe
botnet C&C zones are unlikely to be signed.  (So in that case, DNSSEC
would help, but would never be used, due to misperceptions and

I suspect qname minimization would also help, in an unusual way.
While I'm clearly guessing, it would seem to make targeting more
difficult (depending on the qname structure one hoped to poison, of
course).  So real-time attacks against mail.$TARGET.$TLD would not be
able to distinguish the recursive's delegation chase for
low-value-image-cache.$TARGET.$TLD.  Presumably this makes things more
difficult: (a) attackers either have to insert NS records and answer
for the entire zone, and not just the inserted A records discussed in
press articles; and (b) this potentially introduces another hop length
(for the NS substitution)---an important factor in spoofing,
packet-races, and other time-critical attacks.

Summary: Does DNSSEC help?  In general, yes; but only if used.
(Validation stops spoofing.) I suspect this is also true of qname
minimization.  (Parsimonious revelation of qnames during delegation
discovery may obscure the iterating recursive targets, or complicate
their subversion by requiring whole-zone substitution by the

David Dagon
dagon at sudo.sh
D970 6D9E E500 E877 B1E3  D3F8 5937 48DC 0FDC E717
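The authority-side measurement described above (which recursives still send every query from one source port, and which ones mix qname case) can be reproduced from a query log. This is an added example, not code from the post; the log format and the "narrow window" threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample as an authoritative/sinkhole server might log queries:
# "<resolver ip> <source port> <qname>", one query per line (assumed format).
SAMPLE_LOG = """\
192.0.2.10 53 mail.example.net
192.0.2.10 53 www.example.net
192.0.2.10 53 ftp.example.net
198.51.100.7 41233 mAiL.exAmple.net
198.51.100.7 9875 WwW.ExAmPle.nEt
198.51.100.7 60011 fTp.examPLE.net
203.0.113.5 1025 mail.example.net
203.0.113.5 1026 www.example.net
203.0.113.5 1027 ftp.example.net
"""

def parse_log(text):
    """Group (source port, qname) pairs by querying resolver IP."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ip, port, qname = line.split()
        seen[ip].append((int(port), qname))
    return seen

def classify_ports(ports):
    """'fixed': one port for every query. 'narrow': ports drawn from a small
    window (sequential allocation), so guessable. Otherwise 'randomized'.
    A fixed port may be a CGN/NAT in front of the resolver; same exposure."""
    if len(set(ports)) == 1:
        return "fixed"
    if max(ports) - min(ports) <= 4 * len(ports):   # assumed threshold
        return "narrow"
    return "randomized"

def uses_0x20(qnames):
    """True if any qname mixes case. One all-lowercase query proves nothing
    (0x20 can leave a short name unchanged), hence checking several."""
    return any(q != q.lower() and q != q.upper() for q in qnames)

def assess(text, min_queries=3):
    """Per-resolver verdict; resolvers with too few queries are skipped."""
    report = {}
    for ip, obs in parse_log(text).items():
        if len(obs) >= min_queries:
            report[ip] = {"queries": len(obs),
                          "spr": classify_ports([p for p, _ in obs]),
                          "case_0x20": uses_0x20([q for _, q in obs])}
    return report
```

Run over real authority logs, the share of resolvers reported as "fixed" or "narrow" is the population the post describes as trivially exposed to off-path spoofing.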
