DNSSEC and ISPs faking DNS responses
marka at isc.org
Fri Nov 13 05:30:29 UTC 2015
In message <5CA68A46-2F63-466A-B418-30DA71B2BAC5 at delong.com>, Owen DeLong write
> > On Nov 12, 2015, at 20:50 , John Levine <johnl at iecc.com> wrote:
> > In article <56455885.8090409 at vaxination.ca> you write:
> >> The QuÃ©bec government is wanting to pass a law that will force ISPs to
> >> block and/or redirect certain sites it doesn't like. (namely sites
> >> that offer on-line gambling that compete against its own Loto QuÃ©bec).
> > Blocking is prettty easy, just don't return the result, or fake an
> > NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL
> > instead, but they still won't get a result.
> > Redirecting is much harder -- as others have explained there is a
> > chain of signatures from the root to the desired record, and if the
> > chain isn't intact, it's SERVERFAIL again. Inserting a replacement
> > record with a fake signature into the original chain is intended to be
> > impossible. (If you figure out how, CSIS would really like to talk to
> > you.) It is possible to configure an ISP's DNS caches to trust
> > specific signatures for specific parts of the tree, but that is kludgy
> > and fragile and is likely to break DNS for everyone.
> If you know that the client is using ONLY your resolver(s), couldnât you
> simply fake the entire chain and sign everything yourself?
Which is exactly how we test validation in nameservers. If you
tell the validator to use a bogus trust anchor you get bogus trust.
> Or, alternatively, couldnât you just fake the answers to all the âis this
> signed?â requests and say âNope!â regardless of the state of the
> authoritative zone in question?
No. You can detect that.
> Sure, if the client has any sort of independent visibility it can verify
> youâre lying, but if it can only talk to your resolvers, doesnât that
> much mean it canât tell that youâre lying to it?
No. The root's trust anchor are published independently of whatever
your ISP does. This isn't something you learn via DHCP.
> > And anyway, it's pointless. What they're saying is to take the
> > gambling sites out of the phone book, but this is the Internet and
> > there are a million other phone books available, outside of Quebec,
> > such as Google's 220.127.116.11 located in the US, that people can configure
> > their computers to use with a few mouse clicks. Or you can run your
> > own cache on your home network like I do, just run NSD or BIND on a
> > linux laptop.
> I believe the traditional statement is âThis type of regulation is
> damage and will be routed around.â
> > They could insist that ISPs block the actual web traffic to the sites,
> > by blocking IP ranges, but that is also a losing battle since it's
> > trivial to circumvent with widely available free VPN software. If
> > they want to outlaw VPNs, they're outlawing telework, since VPNs is
> > how remote workers connect to their employers' systems, and the
> > software is identical.
> Itâs also fairly easy for the gambling sites to become somewhat IP Agile
> creating a game of Whack-a-mole for the regulators and the ISPs they
> are inflicting this pain on.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the NANOG