DNSSEC and ISPs faking DNS responses
alejandroacostaalamo at gmail.com
Fri Nov 13 05:03:10 UTC 2015
El 11/13/2015 a las 12:20 AM, John Levine escribió:
> In article <56455885.8090409 at vaxination.ca> you write:
>> The Québec government is wanting to pass a law that will force ISPs to
>> block and/or redirect certain sites it doesn't like. (namely sites that
>> offer on-line gambling that compete against its own Loto Québec).
> Blocking is prettty easy, just don't return the result, or fake an
> NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL
> instead, but they still won't get a result.
> Redirecting is much harder -- as others have explained there is a
> chain of signatures from the root to the desired record, and if the
> chain isn't intact, it's SERVERFAIL again. Inserting a replacement
> record with a fake signature into the original chain is intended to be
> impossible. (If you figure out how, CSIS would really like to talk to
> you.) It is possible to configure an ISP's DNS caches to trust
> specific signatures for specific parts of the tree, but that is kludgy
> and fragile and is likely to break DNS for everyone.
I'm not a DNSSEC expert but I wonder what would be the behavior if the
ISP adds a specific trust anchor for the domain they wish to block?
> And anyway, it's pointless. What they're saying is to take the
> gambling sites out of the phone book, but this is the Internet and
> there are a million other phone books available, outside of Quebec,
> such as Google's 220.127.116.11 located in the US, that people can configure
> their computers to use with a few mouse clicks. Or you can run your
> own cache on your home network like I do, just run NSD or BIND on a
> linux laptop.
> They could insist that ISPs block the actual web traffic to the sites,
> by blocking IP ranges, but that is also a losing battle since it's
> trivial to circumvent with widely available free VPN software. If
> they want to outlaw VPNs, they're outlawing telework, since VPNs is
> how remote workers connect to their employers' systems, and the
> software is identical.
More information about the NANOG