[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH
gtaylor at tnetconsulting.net
Fri May 17 05:10:12 UTC 2019
On 5/16/19 9:58 PM, Mukund Sivaraman wrote:
> Hi Grant
> If a path to the peer is not opened at the firewall before the DNS
> response is received by the client, the client may race ahead and
> attempt a SYN to the peer before the firewall is ready, which will
> get blocked.
> The resolver would have to synchronously ensure a hole has been punched
> in the firewall for the answer it is returning before returning the
> answer to the client.
I agree that what you describe is an ideal situation. But I don't
believe it's a required situation.
Rather, I think that (at least) TCP clients will time out shortly and
retransmit the SYN. Is relying on such client-side retransmission
ideal? No. Would it function? I think so.
I feel like there might be some other hacks that could be done to help
avoid such retransmission. Specifically, have the firewall itself sniff
and potentially take action on incoming DNS reply traffic. (There is an
issue of which client is allowed to connect. Though there might be
options for this too.) It may also be possible to allow the outgoing
SYN, and filter on the incoming SYN+ACK reply. Thereby changing the
timing in the race condition to include the round trip time out the
There may also be some possibility of queuing the outgoing SYN somewhere
to give the firewall a chance to be updated.
Remember how the first few pings might fail when using a dial-on-demand
system or when the layer 3 equipment needs to perform an ARP for the
layer 2 MAC address. ;-)
In short, I think there are some games that could be played to make this
Grant. . . .
unix || die
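One concrete shape of the "firewall sniffs the DNS reply and punches a hole for the addresses in it" idea from the post, as an added example that is not part of the original message or of any product: a stdlib-only parser for a DNS response that extracts the A/AAAA answers and turns each into an nftables set element keyed on (querying client, answer address) with a timeout. Scoping the element to the reply's destination host is one answer to the "which client is allowed to connect" question raised above. Everything not in the post is an assumption: the table and set names (`inet dnsfw allow4` / `allow6`, typed `ipv4_addr . ipv4_addr` and `ipv6_addr . ipv6_addr` with `flags timeout`), the 30-second floor on a hole's lifetime, and the sample reply, which is constructed inline rather than captured.

```python
from __future__ import annotations

import ipaddress
import struct

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1
QR_FLAG, RCODE_MASK = 0x8000, 0x000F
# Floor on a hole's lifetime so a tiny TTL still leaves the client time to
# send its SYN. Assumed policy value, not something the post specifies.
MIN_HOLE_SECONDS = 30


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_sample_response() -> bytes:
    """Constructed reply for example.com (two A, one AAAA); not a captured packet."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
    question = _encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    ptr = b"\xc0\x0c"  # compression pointer back to the question name at offset 12

    def rr(rtype: int, ttl: int, addr: str) -> bytes:
        packed = ipaddress.ip_address(addr).packed
        return ptr + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(packed)) + packed

    return (header + question
            + rr(TYPE_A, 300, "93.184.216.34")
            + rr(TYPE_A, 300, "93.184.216.35")
            + rr(TYPE_AAAA, 60, "2606:2800:220:1:248:1893:25c8:1946"))


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # two-byte compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:                     # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_answers(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Return (owner, type, ttl, address) for IN A/AAAA records in the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR_FLAG:
        raise ValueError("not a response")
    if flags & RCODE_MASK:                    # NXDOMAIN, SERVFAIL, ...: nothing to open
        return []
    offset = 12
    for _ in range(qdcount):                  # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                           # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rclass != CLASS_IN:
            continue
        if rtype == TYPE_A and rdlen == 4:
            records.append((owner, rtype, ttl, str(ipaddress.IPv4Address(rdata))))
        elif rtype == TYPE_AAAA and rdlen == 16:
            records.append((owner, rtype, ttl, str(ipaddress.IPv6Address(rdata))))
    return records


def rules_for_reply(msg: bytes, client_ip: str) -> list[str]:
    """Turn one sniffed reply into nft commands opening client -> answer holes.

    client_ip is the host the reply is addressed to on the wire, so only that
    host gets the hole. Table/set names (inet dnsfw allow4/allow6) are assumed.
    """
    client = ipaddress.ip_address(client_ip)
    rules = []
    for _owner, _rtype, ttl, addr in parse_answers(msg):
        dest = ipaddress.ip_address(addr)
        if dest.version != client.version:    # a v4 client cannot use an AAAA answer
            continue
        setname = "allow4" if dest.version == 4 else "allow6"
        timeout = max(ttl, MIN_HOLE_SECONDS)
        rules.append(f"nft add element inet dnsfw {setname} "
                     f"{{ {client} . {dest} timeout {timeout}s }}")
    return rules
```

The element lifetime is tied to the record TTL (with the assumed floor), so the hole expires on its own roughly when a well-behaved client would have to re-resolve anyway; a reply with a non-zero RCODE opens nothing. The race the quoted reply describes is still there in this design: the element has to be installed before the client's first SYN arrives, which this code does nothing about beyond the floor. Feeding the commands to `nft` (or batching them through `nft -f`) is left outside the block.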