[dns-operations] Embedding MAC address in DNS requests for selective filtering

Shane Kerr shane at time-travellers.org
Mon Jan 25 17:10:07 UTC 2016


At 2016-01-25 10:36:03 -0500
bert hubert <bert.hubert at powerdns.com> wrote:

> We have heard of implementations where 'per-device DNS filtering' is being  
> offered, even behind NAT.  So this means you might get parental filtering on
> your kids' iPads, but not on your own desktop.
> This is then probably implemented by the home router (CPE) appending the MAC 
> address to queries, presumably over EDNS.  The ISP nameserver can then
> conditionally filter queries or not, based on customer IP and client MAC
> address.

Alternately this could be implemented by having the DHCP server give
the clients a different DNS server (possibly even in a different
subnet, if you wanted to do actual isolation instead of DNS filtering).

> In the interest of interoperability, could those parties that are
> implementing this functionality please speak up how they are doing it? I
> know you are on this list.
> One very simple way of doing it would be to reuse RFC 5001, which is
> normally used for server identification, and use it for client
> identification too.
> If any vendor is in fact using NSID this way, please document this. It might
> prevent surprises later on. Thank you.
> If anyone thinks NSID is not a good way to do this, please also let us know.
> PowerDNS will be implementing either NSID or what "the CPE market" is doing.

I'm not sure that NSID is the right way to do this. NSID doesn't speak
about stub resolvers, but it is clear that NSID is meant to be stripped
off by each hop. Surely this would cause problems with any
multi-layered resolver cache setup?

Probably it would make more sense to munge the query in some other way,
or possibly grabbing one of the 65001-65534 EDNS options reserved for
Local/Experimental use if one didn't want to go through the pain of
working with the IETF.
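To make the two options under discussion concrete (NSID as a hop-by-hop option versus a private code from the 65001-65534 Local/Experimental range), here is an added example, written for this archive page and not code from the thread, from PowerDNS or from any CPE vendor. It encodes and parses an EDNS OPT pseudo-RR (RFC 6891 wire format), carries a 6-byte MAC in a hypothetical option code 65001 (an assumption; no registry assigns that code), shows how an ISP resolver would key a filtering decision on (customer IP, MAC), and shows the stripping step a multi-layer cache setup would need before forwarding upstream so that neither NSID (option code 3, per RFC 5001) nor the device identifier leaks past the first resolver. The MAC, customer IP and policy table are constructed sample values.

```python
import struct

# Real EDNS option codes (RFC 5001 NSID; RFC 7873 COOKIE) and the
# Local/Experimental range that RFC 6891 reserves for private use.
EDNS_OPT_NSID = 3
EDNS_OPT_COOKIE = 10
EDNS_LOCAL_MIN, EDNS_LOCAL_MAX = 65001, 65534

# ASSUMPTION: a CPE vendor picks 65001 from the experimental range to carry
# the client's 6-byte MAC. No standard assigns this; it is a hypothetical code.
EDNS_OPT_CLIENT_MAC = 65001

OPT_RRTYPE = 41


def encode_options(options):
    """Serialize (code, data) pairs as RFC 6891 option TLVs (code, length, data)."""
    out = bytearray()
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + bytes(data)
    return bytes(out)


def build_opt_rr(options, udp_size=4096):
    """Wire-format OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    TTL = 0 (extended RCODE/version/flags all zero), then RDLENGTH and RDATA."""
    rdata = encode_options(options)
    return b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, udp_size, 0, len(rdata)) + rdata


def parse_opt_rr(buf):
    """Parse an OPT RR; return (udp_size, [(code, data), ...]).
    Every length field is bounds-checked so a short or lying packet raises
    ValueError instead of reading past the buffer."""
    if len(buf) < 11 or buf[0] != 0:
        raise ValueError("not an OPT RR")
    rtype, udp_size, _ttl, rdlen = struct.unpack("!HHIH", buf[1:11])
    if rtype != OPT_RRTYPE:
        raise ValueError("wrong RR type")
    rdata = buf[11:11 + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    options, pos = [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + olen > len(rdata):
            raise ValueError("option length exceeds RDATA")
        options.append((code, rdata[pos:pos + olen]))
        pos += olen
    return udp_size, options


def mac_to_str(mac):
    """Render 6 raw bytes as the usual colon-separated lowercase hex form."""
    return ":".join("%02x" % b for b in mac)


def filtering_decision(client_ip, options, policy):
    """ISP-resolver side: look up a filtering profile keyed by (customer IP, MAC).
    A missing or malformed MAC option falls back to the default profile."""
    for code, data in options:
        if code == EDNS_OPT_CLIENT_MAC:
            if len(data) != 6:
                return "default"
            return policy.get((client_ip, mac_to_str(data)), "default")
    return "default"


def strip_hop_by_hop_options(options):
    """Before forwarding to the next resolver, drop NSID (defined per hop, the
    concern raised in the thread) and any Local/Experimental option, so the
    device identifier never leaves the first resolver that consumed it."""
    return [(c, d) for c, d in options
            if c != EDNS_OPT_NSID and not (EDNS_LOCAL_MIN <= c <= EDNS_LOCAL_MAX)]


if __name__ == "__main__":
    mac = bytes.fromhex("00112233aabb")                                  # constructed
    policy = {("198.51.100.7", "00:11:22:33:aa:bb"): "kids-profile"}   # constructed
    opt = build_opt_rr([(EDNS_OPT_COOKIE, b"\x01" * 8), (EDNS_OPT_CLIENT_MAC, mac)])
    _size, opts = parse_opt_rr(opt)
    print(filtering_decision("198.51.100.7", opts, policy))   # kids-profile
    print(strip_hop_by_hop_options(opts))                     # cookie option only
```

The parser rejects any option whose declared length overruns the RDATA, which is the check a resolver needs before trusting a field it will use as a policy key; and `strip_hop_by_hop_options` is the step a forwarding resolver must run regardless of which option code ends up being used, since an upstream cache that sees the MAC gains a per-device identifier it has no use for.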


