[dns-operations] Can Root DNS server modify the response?

Jeroen Massar jeroen at massar.ch
Tue Mar 26 16:26:03 UTC 2019


TLDR:
 - No transparency of (root) DNS server (auth/recursive) operations
   - would be cool if operators would provide that transparency
   - Big Data is where the money is, DNSSEC does not really matter.
 - Browsers are owned by 2/3 corporations depending on how you count.
 - The general uninformed public is forced into these monitored connections

...

On 2019-03-26 16:18, David Conrad wrote:
> On Mar 26, 2019, at 2:36 AM, Jeroen Massar <jeroen at massar.ch> wrote:
>> On 2019-03-26 04:06, Dave Warren wrote:
>>> Is there any evidence of censorship on Cloudflare's resolver or root servers?
>> Unless we get a leaker telling the truth..... one will never know, too easy to avoid any kind of monitoring of the results and SERVFAIL can be that you got censored or that well, there was a packet dropped and something was b0rked for a bit.
> 
> This is too pessimistic.

Interesting statement, I am typically considered an optimist ;)

[..]
> Without the signed response, you have to rely on trust either in the resolver or the infrastructure. 

Yes, DNSSEC can identify lies.

But that is not why they provide the services: it is about what the content of the questions (and answers) is.
The money is in big data, not in lying.

Big Data As A Service: About 1.480.000.000 results (0,62 seconds) 
Lying As A Service:    About   286.000.000 results (0,33 seconds) 

Makes a clear statement, though I had expected the latter to be much less, seems there is business there too...
(oh politics, be that world or network).

>> Noting that Mozilla with their firefox is clearly steering towards DoH, "as ISPs are not to be trusted" 
> 
> AFAIK, Cloudflare hasn’t mucked with responses. Some ISPs have. Ergo...
> 
>> Commercialization of the Internet is the question there… at least your local (sometimes monopolistic) ISP is the one you pay, but in the case of this situation you do not have any actual agreement with them…
> 
> I gather you’re speaking of DOH or maybe public DNS services like 1.1.1.1, 8.8.8.8, 9.9.9.9, etc. For the former, one could argue by using Firefox, you are implicitly entering into an agreement to tolerate whatever Mozilla thinks is the “right thing to do”.  For the latter, you’re agreeing by using the service.

Grandma does not install Firefox at all (either still stuck with the non-browser MSIE or hopefully using an iPad), and if she has it, somebody else installed it for her and made that 'decision'. But an upgrade might "unlock" DoH, and guess what, the original intent was not that...

People expect a browser to be just that. It seems though one has to expect that it is just the AOL of today: your browser is the service you get and how they invade your privacy by sneakily doing things, well, you "signed up for it" right?



> Want to get out of those implicit agreements? Don’t use Firefox (plenty of other browsers out there).

I am far from a Firefox user; I even only rarely check if some HTML works with it.

And, no, there are not "plenty of other browsers":

- Firefox has its own engine, neat, but defaults to Google who pays for them
- Chrome (80%+++ market share btw) is based on Webkit, though 99% is Google-based
- MSIE / Edge is deprecated by Microsoft itself, soon to be Chrome based too.
- Safari is Webkit, but even for Apple hard to keep up.

and then outside of that there are only a few browsers that remotely matter; getting resources to build a new one that can remotely compete will be hard (Mozilla originally was 'the' browser, got overtaken and already has a hard time keeping up).

Maybe it is time the EU sponsors a browser... free for the public and with compliance to the actual intent of GDPR (note intent, not the letter as corps take it).


> Run your own validating (QNAME minimizing) resolver on localhost.

DoH bypasses that, thus what is the point?

> Maybe tunnel via an encrypted VPN to some random VPSes somewhere.  Sorry, what problem are we trying to solve again?

DoH bypasses your own DNS server selection, VPN does not help there either.


You are right in "use a different browser", but there is not much left there, is there? (see above).


>> Would be really cool if we had a framework that gave us some kind of assurance though.
> 
> It’s all about who you trust and the threats you concern yourself with.

While that works for people on this list, the rest of the general public is unfortunately less educated.

Also, how can we trust corps that do not have any transparency whatsoever?


I think that we (dns-operations types of people), as people who have the proper insight, should be a little bit more pro-people and for the original intents and promises of the Internet: freedom of communication and innovation (instead of corporate lock-ins).

Greets,
 Jeroen