DNSSEC and ISPs faking DNS responses

Mark Andrews marka at isc.org
Fri Nov 13 05:30:29 UTC 2015

In message <5CA68A46-2F63-466A-B418-30DA71B2BAC5 at delong.com>, Owen DeLong write
> > On Nov 12, 2015, at 20:50 , John Levine <johnl at iecc.com> wrote:
> >
> > In article <56455885.8090409 at vaxination.ca> you write:
> >> The Québec government is wanting to pass a law that will force ISPs to
> >> block and/or redirect certain sites it doesn't like.  (namely sites
> >> that offer on-line gambling that compete against its own Loto Québec).
> >
> > Blocking is prettty easy, just don't return the result, or fake an
> > NXDOMAIN.  For a signed domain, a DNSSEC client will see a SERVERFAIL
> > instead, but they still won't get a result.
> >
> > Redirecting is much harder -- as others have explained there is a
> > chain of signatures from the root to the desired record, and if the
> > chain isn't intact, it's SERVERFAIL again.  Inserting a replacement
> > record with a fake signature into the original chain is intended to be
> > impossible.  (If you figure out how, CSIS would really like to talk to
> > you.)  It is possible to configure an ISP's DNS caches to trust
> > specific signatures for specific parts of the tree, but that is kludgy
> > and fragile and is likely to break DNS for everyone.
> If you know that the client is using ONLY your resolver(s), couldn’t you
> simply fake the entire chain and sign everything yourself?

Which is exactly how we test validation in nameservers.  If you
tell the validator to use a bogus trust anchor you get bogus trust.

> Or, alternatively, couldn’t you just fake the answers to all the “is this
> signed?” requests and say “Nope!” regardless of the state of the
> authoritative zone in question?

No.  You can detect that.

> Sure, if the client has any sort of independent visibility it can verify
> that
> you’re lying, but if it can only talk to your resolvers, doesn’t that
> pretty
> much mean it can’t tell that you’re lying to it?

No.  The root's trust anchor are published independently of whatever
your ISP does.  This isn't something you learn via DHCP.

> > And anyway, it's pointless.  What they're saying is to take the
> > gambling sites out of the phone book, but this is the Internet and
> > there are a million other phone books available, outside of Quebec,
> > such as Google's located in the US, that people can configure
> > their computers to use with a few mouse clicks.  Or you can run your
> > own cache on your home network like I do, just run NSD or BIND on a
> > linux laptop.
> I believe the traditional statement is “This type of regulation is
> considered
> damage and will be routed around.”
> >
> > They could insist that ISPs block the actual web traffic to the sites,
> > by blocking IP ranges, but that is also a losing battle since it's
> > trivial to circumvent with widely available free VPN software.  If
> > they want to outlaw VPNs, they're outlawing telework, since VPNs is
> > how remote workers connect to their employers' systems, and the
> > software is identical.
> It’s also fairly easy for the gambling sites to become somewhat IP Agile
> creating a game of Whack-a-mole for the regulators and the ISPs they
> are inflicting this pain on.
> Owen

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the NANOG mailing list