This DNS over HTTP thing

• Previous message (by thread): This DNS over HTTP thing
• Next message (by thread): This DNS over HTTP thing
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Oct 7, 2019 at 11:44 AM Kevin McCormick <kmccormick at mdtc.net> wrote:
>
> If the DNS request comes from an IP in matching a CIDR network address in the ULS record, then the server would respond with an error message telling the application to use the configured local DNS server.

All if this is ultimately falsifiable by a malicious or rogue DNS operator.

My suggestion would be ultimately that DNS Clients implement DNSSEC
validation themself to avoid tampering by a malicious client on their network
for phishing purposes or a malicious recursive DNS Resolver server ---  Such
a DNS proxy service in a home router corrupted by malware that
modifies DNS resposes
for an attacker,  or  those rogue DNS servers of ISPs that typically sometimes
replace NXDOMAIN replies with A records attempting to collect typo queries
for advertising or that redirect A records to other hosts designed to intercept
and monitor or proxy traffic with advertisements inserted.

A secure administrative selection of local DNS server could be supported by
allowing a TXT record to be placed in the reverse DNS zone for the IP address
which is the IP address configured on the client's IP network
interface alongside
PTR records.

The client software would then be required to perform a DNSSEC
signature check to
ensure that the reverse DNS zone is signed and has the proper chain of signed
DS records ultimately coming from the IP6.ARPA  or IN-ADDR.ARPA zone.

*
Clients using RFC1918 IP addresses would not be able to support this;  Because,
there is no way of  establishing WHO is authorized to sign locally on
behalf of the "operator" of a RFC1918 or link-local IP address...

The latter seems more like a system administration problem however --

The DHCP software running on a client ought to have some way of
indicating whether the network being connected to is  Secure and
"Managed" by the same entity that owns and configures the client device:

I.E.  Same company manages the LAN and the entire path up to recursive
DNS servers are secure,    Or whether the PC is owned and managed by
different entities --  such as a  mobile PC user connected to someone
else's network,
or a Home user connected to their own ISP,  and the network is, therefore,
untrusted.

(Untrusted in the sense that DNS Servers are controlled by
a 3rd party who is not the owner or operator of the personal computer
or client device which is connecting for the supposed purpose of
accessing the public internet  --- therefore no legitimate authority
exists for having clients tolerate tampering with private traffic
between that device and another internet host, content in DNS or other
IP traffic content, and so on)

> Thoughts?
> Thank you,
> Kevin McCormick
--
-JH

• Previous message (by thread): This DNS over HTTP thing
• Next message (by thread): This DNS over HTTP thing
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]