DNSSEC and ISPs faking DNS responses
- Subject: DNSSEC and ISPs faking DNS responses
- From: marka at isc.org (Mark Andrews)
- Date: Fri, 13 Nov 2015 16:30:29 +1100
- In-reply-to: Your message of "Thu, 12 Nov 2015 21:05:49 -0800." <[email protected]>
- References: <[email protected]> <[email protected]>
In message <5CA68A46-2F63-466A-B418-30DA71B2BAC5 at delong.com>, Owen DeLong writes:
> > On Nov 12, 2015, at 20:50 , John Levine <johnl at iecc.com> wrote:
> > In article <56455885.8090409 at vaxination.ca> you write:
> >> The Québec government is wanting to pass a law that will force ISPs to
> >> block and/or redirect certain sites it doesn't like. (namely sites
> >> that offer on-line gambling that compete against its own Loto Québec).
> > Blocking is pretty easy, just don't return the result, or fake an
> > NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL
> > instead, but they still won't get a result.
> > Redirecting is much harder -- as others have explained there is a
> > chain of signatures from the root to the desired record, and if the
> > chain isn't intact, it's SERVERFAIL again. Inserting a replacement
> > record with a fake signature into the original chain is intended to be
> > impossible. (If you figure out how, CSIS would really like to talk to
> > you.) It is possible to configure an ISP's DNS caches to trust
> > specific signatures for specific parts of the tree, but that is kludgy
> > and fragile and is likely to break DNS for everyone.
> If you know that the client is using ONLY your resolver(s), couldn't you
> simply fake the entire chain and sign everything yourself?

Which is exactly how we test validation in nameservers. If you
tell the validator to use a bogus trust anchor you get bogus trust.
> Or, alternatively, couldn't you just fake the answers to all the "is this
> signed?" requests and say "Nope!" regardless of the state of the
> authoritative zone in question?

No. You can detect that.
> Sure, if the client has any sort of independent visibility it can verify
> you're lying, but if it can only talk to your resolvers, doesn't that
> much mean it can't tell that you're lying to it?

No. The root's trust anchor is published independently of whatever
your ISP does. This isn't something you learn via DHCP.
> > And anyway, it's pointless. What they're saying is to take the
> > gambling sites out of the phone book, but this is the Internet and
> > there are a million other phone books available, outside of Quebec,
> > such as Google's 22.214.171.124 located in the US, that people can configure
> > their computers to use with a few mouse clicks. Or you can run your
> > own cache on your home network like I do, just run NSD or BIND on a
> > linux laptop.
> I believe the traditional statement is "This type of regulation is
> damage and will be routed around."
> > They could insist that ISPs block the actual web traffic to the sites,
> > by blocking IP ranges, but that is also a losing battle since it's
> > trivial to circumvent with widely available free VPN software. If
> > they want to outlaw VPNs, they're outlawing telework, since VPNs is
> > how remote workers connect to their employers' systems, and the
> > software is identical.
> It's also fairly easy for the gambling sites to become somewhat IP Agile
> creating a game of Whack-a-mole for the regulators and the ISPs they
> are inflicting this pain on.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
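The three tricks raised in the thread (sign a fake chain yourself, answer "not signed" to every DS query, or swap the record under a real chain) all fail against a validator for one structural reason: the client's copy of the root trust anchor was obtained out of band, and every step below it must be signed by a key that the step above vouches for. The model below, an added example that is not code from ISC, BIND or anyone on this thread, walks that chain the way RFC 4035 describes and reports each scenario as secure, insecure or bogus. Lamport one-time hash signatures (stdlib `hashlib` only) stand in for the RSA/ECDSA RRSIGs a real zone uses, a signed `NODS` record stands in for the NSEC/NSEC3 proof that a delegation has no DS, and the zone names, keys and addresses are all constructed for the example.

```python
"""Model of DNSSEC chain-of-trust validation (constructed example, not ISC/BIND code).

Lamport one-time signatures stand in for RSA/ECDSA RRSIGs; a signed "NODS" record
stands in for the NSEC/NSEC3 proof of no DS.  The walk is the RFC 4035 one:
trust anchor -> root DNSKEY -> DS -> child DNSKEY -> ... -> RRSIG over the answer.
"""
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signature: a genuine public-key scheme, so nobody without the
# private key can produce a signature that verifies -- the property the chain relies on.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = b"".join(H(a) + H(b) for a, b in sk)
    return sk, pk


def sign(sk, msg: bytes) -> bytes:
    digest = int.from_bytes(H(msg), "big")
    return b"".join(sk[i][(digest >> (255 - i)) & 1] for i in range(256))


def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    digest = int.from_bytes(H(msg), "big")
    for i in range(256):
        bit = (digest >> (255 - i)) & 1
        if H(sig[i * 32:(i + 1) * 32]) != pk[i * 64 + bit * 32:i * 64 + bit * 32 + 32]:
            return False
    return True


def rr_bytes(owner: str, rtype: str, rdata: bytes) -> bytes:
    return owner.encode() + b"|" + rtype.encode() + b"|" + rdata


def ds_digest(zone: str, dnskey: list) -> bytes:
    """DS rdata: hash over the owner name and the whole DNSKEY RRset."""
    return H(zone.encode() + b"".join(dnskey))


class Zone:
    """A signed zone publishing a DNSKEY RRset; each one-time key signs exactly one RRset."""

    def __init__(self, name: str, nkeys: int):
        self.name = name
        self._keys = [keygen() for _ in range(nkeys)]
        self.dnskey = [pk for _, pk in self._keys]   # the published DNSKEY RRset
        self._next = 0

    def sign(self, owner: str, rtype: str, rdata: bytes):
        tag = self._next                 # plays the role of the RRSIG key tag
        self._next += 1
        sk, _ = self._keys[tag]
        return (rdata, tag, sign(sk, rr_bytes(owner, rtype, rdata)))


def rrsig_ok(dnskey: list, owner: str, rtype: str, rec) -> bool:
    rdata, tag, sig = rec
    return tag < len(dnskey) and verify(dnskey[tag], rr_bytes(owner, rtype, rdata), sig)


def validate(anchor: bytes, chain: list, target: str, dnskeys: dict, rrsets: dict) -> str:
    """Return 'secure', 'insecure' or 'bogus' for the A record at `target`.

    anchor: DS-style digest of the root DNSKEY RRset held by the client (out of band)
    chain: zone names from the root down to the zone owning `target`
    dnskeys / rrsets: DNSKEY RRsets and {(owner, type): (rdata, tag, sig)} as served
    by the (possibly lying) resolver
    """
    expected_ds = anchor
    for i, zone in enumerate(chain):
        keys = dnskeys.get(zone)
        if keys is None or ds_digest(zone, keys) != expected_ds:
            return "bogus"             # served key does not match the DS / trust anchor
        if i + 1 == len(chain):
            break
        child = chain[i + 1]
        ds = rrsets.get((child, "DS"))
        if ds is None:
            nods = rrsets.get((child, "NODS"))
            if nods is not None and rrsig_ok(keys, child, "NODS", nods):
                return "insecure"      # parent proved under its own key that the child is unsigned
            return "bogus"             # "not signed" claimed without a signed denial
        if not rrsig_ok(keys, child, "DS", ds):
            return "bogus"
        expected_ds = ds[0]
    leaf = rrsets.get((target, "A"))
    if leaf is None or not rrsig_ok(dnskeys[chain[-1]], target, "A", leaf):
        return "bogus"
    return "secure"


def scenarios() -> dict:
    """Honest chain plus the three tricks from the thread; all zones and data constructed."""
    root, example = Zone(".", 2), Zone("example.", 1)
    anchor = ds_digest(".", root.dnskey)   # the client's copy, not learned from the ISP
    keys = {".": root.dnskey, "example.": example.dnskey}
    honest = {
        ("example.", "DS"): root.sign("example.", "DS", ds_digest("example.", example.dnskey)),
        ("unsigned.", "NODS"): root.sign("unsigned.", "NODS", b""),
        ("www.example.", "A"): example.sign("www.example.", "A", b"192.0.2.10"),
    }
    out = {"honest": validate(anchor, [".", "example."], "www.example.", keys, honest),
           "proven_unsigned": validate(anchor, [".", "unsigned."], "www.unsigned.", keys, honest)}
    # 1. Fake the entire chain: resolver generates its own root and example keys and re-signs.
    isp_root, isp_example = Zone(".", 1), Zone("example.", 1)
    forged = {("example.", "DS"): isp_root.sign("example.", "DS", ds_digest("example.", isp_example.dnskey)),
              ("www.example.", "A"): isp_example.sign("www.example.", "A", b"203.0.113.5")}
    out["fake_chain"] = validate(anchor, [".", "example."], "www.example.",
                                 {".": isp_root.dnskey, "example.": isp_example.dnskey}, forged)
    # 2. Answer "Nope, not signed": drop the DS and serve an unsigned A record.
    stripped = {k: v for k, v in honest.items() if k != ("example.", "DS")}
    stripped[("www.example.", "A")] = (b"203.0.113.5", 0, b"")
    out["stripped_ds"] = validate(anchor, [".", "example."], "www.example.", keys, stripped)
    # 3. Keep the real chain but swap the A rdata under the real RRSIG.
    _, tag, sig = honest[("www.example.", "A")]
    swapped = dict(honest)
    swapped[("www.example.", "A")] = (b"203.0.113.5", tag, sig)
    out["swapped_a"] = validate(anchor, [".", "example."], "www.example.", keys, swapped)
    return out


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:16s} {status}")
```

The only case that validates as "insecure" is the one where the parent itself signed the denial of a DS; every resolver-side substitution comes back "bogus", which is what a validating stub or recursive resolver turns into the SERVFAIL John Levine mentions. The trust anchor comparison at the top of the loop is the step DHCP-supplied resolver settings cannot influence, which is the point of Mark's reply.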