DNSSEC and ISPs faking DNS responses

Fri Nov 13 05:05:49 UTC 2015

> On Nov 12, 2015, at 20:50 , John Levine <johnl at iecc.com> wrote:
> 
> In article <56455885.8090409 at vaxination.ca> you write:
>> The Québec government is wanting to pass a law that will force ISPs to
>> block and/or redirect certain sites it doesn't like.  (namely sites that
>> offer on-line gambling that compete against its own Loto Québec).
> 
> Blocking is prettty easy, just don't return the result, or fake an
> NXDOMAIN.  For a signed domain, a DNSSEC client will see a SERVERFAIL
> instead, but they still won't get a result.
> 
> Redirecting is much harder -- as others have explained there is a
> chain of signatures from the root to the desired record, and if the
> chain isn't intact, it's SERVERFAIL again.  Inserting a replacement
> record with a fake signature into the original chain is intended to be
> impossible.  (If you figure out how, CSIS would really like to talk to
> you.)  It is possible to configure an ISP's DNS caches to trust
> specific signatures for specific parts of the tree, but that is kludgy
> and fragile and is likely to break DNS for everyone.

If you know that the client is using ONLY your resolver(s), couldn’t you
simply fake the entire chain and sign everything yourself?

Or, alternatively, couldn’t you just fake the answers to all the “is this
signed?” requests and say “Nope!” regardless of the state of the authoritative
zone in question?

Sure, if the client has any sort of independent visibility it can verify that
you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
much mean it can’t tell that you’re lying to it?

> 
> And anyway, it's pointless.  What they're saying is to take the
> gambling sites out of the phone book, but this is the Internet and
> there are a million other phone books available, outside of Quebec,
> such as Google's 8.8.8.8 located in the US, that people can configure
> their computers to use with a few mouse clicks.  Or you can run your
> own cache on your home network like I do, just run NSD or BIND on a
> linux laptop.

I believe the traditional statement is “This type of regulation is considered
damage and will be routed around.”

> 
> They could insist that ISPs block the actual web traffic to the sites,
> by blocking IP ranges, but that is also a losing battle since it's
> trivial to circumvent with widely available free VPN software.  If
> they want to outlaw VPNs, they're outlawing telework, since VPNs is
> how remote workers connect to their employers' systems, and the
> software is identical.

It’s also fairly easy for the gambling sites to become somewhat IP Agile
creating a game of Whack-a-mole for the regulators and the ISPs they
are inflicting this pain on.

Owen