[dns-operations] DNS training at the NSA

Damian Menscher damian at google.com
Mon Jan 19 23:15:24 UTC 2015


On Mon, Jan 19, 2015 at 8:30 AM, David Dagon <dagon at sudo.sh> wrote:

> On Sun, Jan 18, 2015 at 11:28:44AM +0100, Stephane Bortzmeyer wrote:
> > On <http://www.spiegel.de/media/media-35658.pdf> p. 9 (NSA slides,
> > leaked to the press), the DNS resolution process is strange, as if
> > recursion, instead of iteration, were used by all DNS servers of the
> > world, including the root name servers. Too much haste in using
> > PowerPoint? Ignorance? Deliberate attempt to obfuscate the issue?
> >
> > I'm trying to find out if this NSA attack is a good use case for
> > DNSSEC.
>
> I believe you're asking the question: Would DNSSEC create 'no-go
> zones' for certain types of attacks?  (Apologies for the pun. :)
>
> Absent some other unknown attack, real-time spoofing attacks require
> pre-Kaminsky resolution logic (no SPR, no 0x20, perhaps even lack of
> RFC 2181 handling logic, or misplaced reliance on djb dnscache, which
> is readily poisonable, etc.)
>

I think the NSA attacks are on-path so none of these changes help.

>From my own sinkhole authority resolvers, some 10-15% of recursives
> still don't appear to do SPR, (or equivalently have their SPR
> flattened out by CGN equipment).  I suspect they are trivially
> vulnerable to a variety of off-path attacks.


Any thoughts on what fraction of users are behind those recursives?  If
they're all serving only small organizations it may not be so bad.  But if
they're places like Comcast....

Damian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150119/6957c79c/attachment.html>


More information about the dns-operations mailing list