On Tue, Apr 28, 2020 at 11:22 AM Paul Wouters <p...@nohats.ca> wrote:
> On Tue, 28 Apr 2020, Davey Song wrote:
>
> > OK. It makes sense to try every name server to defend the case if the
> > adversary only intercepts one path. But the adversary also knows the resolver will
> > retry other servers. So a smarter adversary may intercept in the
> > aggregated upstream path where all queries are sent.
>
> Then those adversaries that seem able to block any packets from reaching
> you, can also block 8.8.8.8 and all known DoT and DoH servers by IP?
> And send you RST packets.
>
> But if the attacks have that much power, they can also just RST all your
> TLS connections to webservers and just let you have your DNS
> packets.
>
> I think you need to be a little more exact on the attack you are
> describing and what would be a sensible defense.
>
> Paul

+1 Davey - if there is a pervasive/omnipresent man-in-the-middle attacker, then no security protocol (DNSSEC, TLS, HTTPS or any other) can _prevent_ the attack. All they can do is to _detect_ that an attack is taking place (and probably abort).

Shumon.
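The two attacker positions discussed in the thread (interception on one server's path versus interception on the shared upstream path) can be modelled in a few lines. The following is an added illustration, not code from the DNSOP thread or from any resolver: the `Adversary` class, the server names, the answers, and the `sign`/`verify` HMAC stand-in for DNSSEC signature validation are all constructed for this example. It shows the point of both messages: retrying across name servers defeats a single-path blocker, while an adversary on the aggregated path can block or forge every query, and a validating resolver can then only report the tampering, not obtain the genuine answer.

```python
"""Toy model: per-path vs. upstream interception against a retrying, validating resolver.

Everything below (names, key, adversary model, HMAC stand-in for DNSSEC) is an
assumption made for illustration; it is not code from the DNSOP thread."""
from dataclasses import dataclass, field
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the zone's signing key; a real resolver would verify
# RRSIGs against DNSKEY/DS chains, not an HMAC.
SIGNING_KEY = b"constructed-zone-key"


def sign(rdata: bytes) -> bytes:
    """Stand-in for the authoritative zone signing its data."""
    return hmac.new(SIGNING_KEY, rdata, hashlib.sha256).digest()


def verify(rdata: bytes, sig: bytes) -> bool:
    """Stand-in for the resolver's DNSSEC validation step."""
    return hmac.compare_digest(sign(rdata), sig)


@dataclass
class Response:
    rdata: bytes
    sig: bytes


# What every honest name server would answer (constructed sample data).
HONEST_RDATA = b"example.test. A 192.0.2.10"
HONEST = Response(HONEST_RDATA, sign(HONEST_RDATA))
# An on-path attacker can substitute data but has no key, so the signature is bogus.
FORGED = Response(b"example.test. A 198.51.100.99", b"\x00" * 32)


@dataclass
class Adversary:
    """blocked_paths: servers whose individual path the attacker controls.
    upstream: None, "block" or "forge"; applies to every query regardless of server."""
    blocked_paths: set = field(default_factory=set)
    upstream: Optional[str] = None

    def intercept(self, server: str) -> Optional[Response]:
        """What the resolver receives for a query sent to `server` (None = timeout)."""
        if self.upstream == "block" or server in self.blocked_paths:
            return None
        if self.upstream == "forge":
            return FORGED
        return HONEST


def resolve(servers, adversary: Adversary) -> str:
    """Try each server in turn; validate what comes back.

    Returns "answered" on a validated reply, "tampering-detected" if every reply
    that arrived failed validation, or "unreachable" if nothing arrived at all."""
    saw_bogus = False
    for server in servers:
        resp = adversary.intercept(server)
        if resp is None:
            continue  # timeout: fall through to the next server (Davey's retry)
        if verify(resp.rdata, resp.sig):
            return "answered"
        saw_bogus = True  # validation failed; keep trying, but remember it
    return "tampering-detected" if saw_bogus else "unreachable"


SERVERS = ["ns1.example.test", "ns2.example.test", "ns3.example.test"]

if __name__ == "__main__":
    print("no adversary:      ", resolve(SERVERS, Adversary()))
    print("one path blocked:  ", resolve(SERVERS, Adversary(blocked_paths={"ns1.example.test"})))
    print("upstream blocking: ", resolve(SERVERS, Adversary(upstream="block")))
    print("upstream forging:  ", resolve(SERVERS, Adversary(upstream="forge")))
```

Only the single-path case is recovered by retrying; in the upstream cases the resolver either times out everywhere or sees unsigned data and must fail closed (a real resolver would return SERVFAIL), which is the "detect and abort" outcome Shumon describes.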
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop