DNSSEC and ISPs faking DNS responses

John Levine johnl at iecc.com
Fri Nov 13 04:50:27 UTC 2015

In article <56455885.8090409 at vaxination.ca> you write:
>The Québec government is wanting to pass a law that will force ISPs to
>block and/or redirect certain sites it doesn't like.  (namely sites that
>offer on-line gambling that compete against its own Loto Québec).

Blocking is prettty easy, just don't return the result, or fake an
NXDOMAIN.  For a signed domain, a DNSSEC client will see a SERVERFAIL
instead, but they still won't get a result.

Redirecting is much harder -- as others have explained there is a
chain of signatures from the root to the desired record, and if the
chain isn't intact, it's SERVERFAIL again.  Inserting a replacement
record with a fake signature into the original chain is intended to be
impossible.  (If you figure out how, CSIS would really like to talk to
you.)  It is possible to configure an ISP's DNS caches to trust
specific signatures for specific parts of the tree, but that is kludgy
and fragile and is likely to break DNS for everyone.

And anyway, it's pointless.  What they're saying is to take the
gambling sites out of the phone book, but this is the Internet and
there are a million other phone books available, outside of Quebec,
such as Google's located in the US, that people can configure
their computers to use with a few mouse clicks.  Or you can run your
own cache on your home network like I do, just run NSD or BIND on a
linux laptop.

They could insist that ISPs block the actual web traffic to the sites,
by blocking IP ranges, but that is also a losing battle since it's
trivial to circumvent with widely available free VPN software.  If
they want to outlaw VPNs, they're outlawing telework, since VPNs is
how remote workers connect to their employers' systems, and the
software is identical.


More information about the NANOG mailing list