[dns-operations] Can Root DNS server modify the response?

David Conrad drc at virtualized.org
Tue Mar 26 15:18:57 UTC 2019

On Mar 26, 2019, at 2:36 AM, Jeroen Massar <jeroen at massar.ch> wrote:
> On 2019-03-26 04:06, Dave Warren wrote:
>> Is there any evidence of censorship on Cloudflare's resolver or root servers?
> Unless we get a leaker telling the truth..... one will never know, too easy to avoid any kind of monitoring of the results and SERVFAIL can be that you got censored or that well, there was a packet dropped and something was b0rked for a bit.

This is too pessimistic.

In the case of root servers, the core functionality provided by DNSSEC is to provide exactly the assurance you say one will never know. If you get a signed response (and it validates, all the way up to the trust anchor you have configured in your validator), you actually do know that there has been no censorship, at least from the point of view of the holder of the private portion of the signing key.

Without the signed response, you have to rely on trust either in the resolver or the infrastructure.

> Noting that Mozilla with their firefox is clearly steering towards DoH, "as ISPs are not to be trusted"

AFAIK, Cloudflare hasn’t mucked with responses. Some ISPs have. Ergo...

> Commercialization of the Internet is the question there… at least your local (sometimes monopolistic) ISP is the one you pay, but in the case of this situation you do not have any actual agreement with them…

I gather you’re speaking of DOH or maybe public DNS services like,,, etc. For the former, one could argue by using Firefox, you are implicitly entering into an agreement to tolerate whatever Mozilla thinks is the “right thing to do”. For the latter, you’re agreeing by using the service.

Want to get out of those implicit agreements? Don’t use Firefox (plenty of other browsers out there). Run your own validating (QNAME minimizing) resolver on localhost. Maybe tunnel via an encrypted VPN to some random VPSes somewhere.  Sorry, what problem are we trying to solve again?

> Would be really cool if we had a framework that gave us some kind of assurance though.

It’s all about who you trust and the threats you concern yourself with.
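As an added illustration of the "validating (QNAME minimizing) resolver on localhost" option mentioned above (this is not part of the original message), here is a minimal Unbound configuration that does DNSSEC validation against the root trust anchor and QNAME minimisation. The file paths are assumptions for a typical Linux package install; the anchor file is bootstrapped with `unbound-anchor` and then maintained automatically (RFC 5011).

```conf
# Assumed path: /etc/unbound/unbound.conf (constructed example, not from the post)
server:
    # Only answer the local machine; nothing else should be able to query it.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Root trust anchor, created once with `unbound-anchor -a <this file>`
    # and kept current by Unbound itself (RFC 5011 rollover tracking).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Ask each server only for the labels it needs (RFC 7816).
    qname-minimisation: yes

    # Treat a response that is missing expected DNSSEC records as bogus
    # rather than falling back to an unsigned answer.
    harden-dnssec-stripped: yes
    # Never return a bogus answer; SERVFAIL instead.
    val-permissive-mode: no

    # Log validation failures so a bogus or tampered answer is visible,
    # not silently indistinguishable from a dropped packet.
    val-log-level: 2
```

After `unbound-checkconf` passes and the service is running, `dig +dnssec example.com @127.0.0.1` should show the `ad` flag in the header for signed zones, which is the "it validates, all the way up to the trust anchor" assurance described above.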