DNSSEC and ISPs faking DNS responses
mlm at pixelgate.net
Fri Nov 13 18:24:27 UTC 2015
On Thu, 13 Nov 2015, John Levine wrote:

> At this point very few client resolvers check DNSSEC, so something
> that stripped off all the DNSSEC stuff and inserted lies where
> required would "work" for most clients. At least until they realized
> they couldn't get to PokerStars and switched their DNS to 188.8.131.52.

Except that the ISP can intercept those queries and respond as it likes.
Such is already done at all scales. Not that a government generally
cares what kind of burden is required once the law is passed, cf. CALEA.

True, some users would be able to detect such tampering and many of
those could work around it. But most will have no way to do either.

Would the masses ever replace their stub with a full resolver?
Doubtful, unless their OS vendor does it for them. Would that be the
right thing to do for a few billion users of Windows and another couple
billion using Android, most of whose ISPs are providing unfaked answers?
Would the various authoritative operators be happy / agree? How does
one fit local zones into the picture?

Would the masses set up a VPN to a service provider in a jurisdiction not
subject to such foolishness so their resolver, whether stub or full,
would have a chance at unfaked answers? Again, I'm thinking most would
be entirely ignorant of the issue, and in any case would be hard pressed
to set anything up unless it was trivial, e.g., not just part of their
OS but also wizard-like with most answers pre-supplied.
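The stripping scenario in the quoted text (DNSSEC records removed, lies inserted) is something a client can at least notice if it looks at the reply. The following is an added example, not code from the original thread or from NANOG: a minimal parser for a DNS wire-format reply that reports whether the AD flag is set and whether any RRSIG records came back alongside the answer, which is what a non-validating stub would otherwise ignore. The replies and the 192.0.2.1 address are constructed for the example.

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46
AD_FLAG = 0x0020  # "authenticated data" bit in the DNS header flags

def encode_name(name):
    """Encode a dotted name into DNS label format."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return out + b"\x00"

def build_reply(name, rdata, ad, include_rrsig):
    """Constructed reply: one A record, optionally followed by a placeholder RRSIG."""
    answers = [(TYPE_A, rdata)]
    if include_rrsig:
        answers.append((TYPE_RRSIG, b"\x00" * 20))  # dummy signature payload
    flags = 0x8180 | (AD_FLAG if ad else 0)          # QR, RD, RA (+ AD)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rd in answers:  # 0xC00C = compression pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
    return msg

def skip_name(msg, off):
    """Advance past a (possibly compressed) name starting at offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length

def audit_reply(msg):
    """Return (ad_set, rrsig_present, answer_types) for a wire-format reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return bool(flags & AD_FLAG), TYPE_RRSIG in types, types

def looks_stripped(msg):
    """A DO=1 query for a signed name answered with no RRSIG and AD clear is suspect."""
    ad, has_rrsig, _ = audit_reply(msg)
    return not ad and not has_rrsig
```

Run against a real resolver you would send the query with the DO bit set and feed the raw reply to audit_reply(); a signed zone that comes back with neither RRSIGs nor AD is worth investigating rather than trusting.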