[dns-operations] Google Public DNS has enabled case randomization globally

2023-07-26 Thread Tianhao Chi via dns-operations
--- Begin Message ---
Dear users and nameserver operators,

We are very excited to announce that case randomization of DNS query names
sent to authoritative nameservers has been enabled globally in Google
Public DNS! This means that almost all UDP queries (over 90% based on
recent measurements) sent from Google Public DNS to authoritative
nameservers are protected with case randomization. This significantly
reduces the risk of cache poisoning attacks.

This is part of our ongoing efforts to enhance security against cache
poisoning attacks, and as previously announced, we have been in the process
of enabling case randomization of DNS query names sent to authoritative
nameservers by default since last year. We discovered that this mechanism,
originally proposed in a March 2008 draft “Use of Bit 0x20 in DNS Labels to
Improve Transaction Identity”, is highly effective and widely supported. (For
more information about our broader efforts, please read our presentations at
OARC 38 and OARC 40.)

To mitigate query resolution failures due to non-compliant responses from a
minority of servers, we have implemented a number of mechanisms:
auto-detection of non-conformance, TCP retry for non-case-preserving
responses, and a small exception list of non-compliant servers.
Nevertheless, we strongly recommend that nameservers preserve the query
name case in their response.

In addition to observing some failures to preserve query name cases, we
have also observed some nameservers that respond to mixed-case queries with
NXDOMAIN or timeout. This violates the DNS character case requirements (RFC
1035 section 2.3.3) and is more difficult to detect or work around. We
strongly recommend that nameservers fix such issues.

If you believe you have discovered name resolution failures with Google
Public DNS due to case randomization, please file a bug in our issue tracker.
We welcome any feedback at
https://developers.google.com/speed/public-dns/groups.

- Tianhao Chi

On behalf of Google Public DNS
--- End Message ---
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
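The resolver-side check the announcement describes, as an added example that is not part of the message and not Google's code: it applies 0x20 case randomization to a query name, compares the reply's question name byte-for-byte, and models the fallback behaviour described in the thread (TCP retry on a case-only mismatch, rejection of unexpected rcodes). The exact decision table and the rcode set are simplifying assumptions.

```python
import random
from typing import Optional

# Error codes the announcement lists as unexpected replies to a
# case-randomized query (SERVFAIL, NOTIMP, FORMERR, ...).
UNEXPECTED_RCODES = {"SERVFAIL", "NOTIMP", "FORMERR"}

def randomize_case(qname: str, seed: Optional[int] = None) -> str:
    """Apply 0x20 case randomization: each ASCII letter of the query name
    gets an independent random case bit; digits, hyphens, dots and any
    non-ASCII characters are left untouched. A seed is only for
    reproducible tests; a real resolver uses an unpredictable source."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower())
        if ch.isascii() and ch.isalpha() else ch
        for ch in qname
    )

def qname_preserved(sent: str, received: str) -> bool:
    """The question name in the reply must equal the sent name byte-for-byte,
    case included. Comparing case-insensitively would throw away the extra
    entropy the randomized bits add on top of the 16-bit transaction ID."""
    return sent == received

def classify_reply(sent: str, rcode: Optional[str], received: Optional[str]) -> str:
    """Simplified model (an assumption, not Google's implementation) of what
    a resolver does with a UDP reply to a case-randomized query:
      'no_response' - the server timed out
      'reject'      - unexpected rcode, or a question name that differs
                      in more than case (possible spoofed reply)
      'retry_tcp'   - the server rewrote the case: retry over TCP, where
                      off-path spoofing is not a concern
      'accept'      - case preserved; the reply can be used
    """
    if rcode is None or received is None:
        return "no_response"
    if rcode in UNEXPECTED_RCODES:
        return "reject"
    if qname_preserved(sent, received):
        return "accept"
    if sent.lower() == received.lower():
        return "retry_tcp"
    return "reject"

if __name__ == "__main__":
    sent = randomize_case("example.com")  # e.g. "ExaMplE.CoM"
    print(sent, classify_reply(sent, "NOERROR", sent), classify_reply(sent, "NOERROR", "EXAMPLE.COM"))
```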


Re: [dns-operations] Google Public DNS plans to enable case randomization for cache poisoning protection

2023-01-17 Thread Tianhao Chi via dns-operations
--- Begin Message ---
As we previously announced, Google Public DNS
<https://developers.google.com/speed/public-dns> is in the process of
enabling case randomization of DNS query names sent to authoritative
nameservers. We have successfully deployed it in some regions in North
America, Europe and Asia protecting the majority (90%) of DNS queries in
those regions not covered by DNS over TLS.

We are still deploying this feature incrementally, location by location.
This is slower than originally planned because of the carefulness and our
estimate of global enabling is around March to April 2023. Meanwhile, we
are monitoring nameserver compliance and actively maintaining an exception
list that disables case randomization for observed non-supporting
nameservers. While our exception list avoids issues with the majority of
the problem servers for now, it may not get immediate updates for newly
broken nameservers in the future. We strongly recommend that nameservers
preserve the query case in the response or support TCP (as we retry over
TCP if case randomization fails) as a fallback.

One subtle issue we’ve seen is that some servers exhibit sporadic
case-randomization non-compliance for the same query parameters. They may
appear to have a short-term response cache that can “replay” answers to
previous or concurrent (differently) case-randomized queries.

If you believe you have discovered name resolution failures with Google
Public DNS due to case randomization, please file a bug in our issue tracker
<https://developers.google.com/speed/public-dns/groups#issue_tracker>. Let
us know if there's any question via
https://developers.google.com/speed/public-dns/groups.

On Thu, Aug 11, 2022 at 4:47 PM Tianhao Chi via dns-operations <
dns-operati...@dns-oarc.net> wrote:

>
>
>
> -- Forwarded message --
> From: Tianhao Chi 
> To: dns-operations@lists.dns-oarc.net
> Cc:
> Bcc:
> Date: Thu, 11 Aug 2022 16:35:16 -0400
> Subject: Google Public DNS plans to enable case randomization for cache
> poisoning protection
>
> Dear users and nameserver operators,
>
> As part of our efforts to increase DNS cache poisoning protection for UDP
> queries, we are planning to enable case randomization of DNS query names
> sent to most authoritative nameservers (see our *security page description*
> <https://developers.google.com/speed/public-dns/docs/security#randomize_case>
> of the feature and
> https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00). We
> have been performing case randomization of query names since 2009 to a
> small set of chosen nameservers. This set of servers handled a minority of
> our query volume, so a year ago we started work on enabling case
> randomization by default. As part of this, we’ve identified a small set of
> nameservers (< 1000 distinct IPs) that do not handle case randomization
> correctly and have exempted these from case randomization. We are confident
> that case randomization will work without introducing significant increases
> in DNS query volume or resolution failures.
>
> The case-randomized query name in the request will be expected to exactly
> match the name in the question section of the DNS server’s reply, including
> the case of each ASCII letter (A–Z and a–z). For example, if “ExaMplE.CoM”
> is the name sent in the request, the name in the question section of the
> response must also be “ExaMplE.CoM” rather than, e.g., “example.com.”
> Responses that fail to preserve the case of the query name may be dropped
> as potential cache poisoning attacks. Thus, nameservers that fail to
> preserve the query name in their response, or whose response to
> case-randomized requests is an unexpected error (SERVFAIL, NOTIMP, FORMERR,
> etc.) or a failure to respond, will negatively impact users' ability to
> resolve names in the domains they serve.
>
> Generally, when nameservers mishandle case-randomized queries, we
> recommend asking the nameserver operator to correct their behavior. While
> our exception list will work around the problem for now, it may not get
> immediate updates for newly broken name servers.
>
> We’ll have case randomization enabled in one or two regions starting on
> August 29th and enabled globally by the end of October. Meanwhile, we’ve
> already turned off case randomization to nameservers that we’ve identified
> as not handling it correctly.
>
> If you believe you have discovered name resolution failures with Google
> Public DNS due to case randomization, please file a bug in our *issue tracker*
> <https://developers.google.com/speed/public-dns/groups#issue_tracker>
> referencing this announcement.
> Let us know if there's any question via
> https://developers.google.com/speed/public-dns/groups. We've also posted
> th

Re: [dns-operations] Google Public DNS plans to enable case randomization for cache poisoning protection

2022-08-12 Thread Tianhao Chi via dns-operations
--- Begin Message ---
@Winfried,

We do retry over TCP if there's a case mismatch. However, we've found out
that many of the case-ignoring nameservers don't support TCP, resulting in
resolution failures.


On Fri, Aug 12, 2022 at 12:59 AM  wrote:

> Hi,
>
> > Responses that fail to preserve the case of
> > the query name may be dropped as
> > potential cache poisoning attacks
>
> Why not fallback to TCP in such cases?
>
> Winfried
> ___
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
--- End Message ---



[dns-operations] Google Public DNS plans to enable case randomization for cache poisoning protection

2022-08-11 Thread Tianhao Chi via dns-operations
--- Begin Message ---
Dear users and nameserver operators,

As part of our efforts to increase DNS cache poisoning protection for UDP
queries, we are planning to enable case randomization of DNS query names
sent to most authoritative nameservers (see our *security page description*
<https://developers.google.com/speed/public-dns/docs/security#randomize_case>
of the feature and
https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00). We
have been performing case randomization of query names since 2009 to a
small set of chosen nameservers. This set of servers handled a minority of
our query volume, so a year ago we started work on enabling case
randomization by default. As part of this, we’ve identified a small set of
nameservers (< 1000 distinct IPs) that do not handle case randomization
correctly and have exempted these from case randomization. We are confident
that case randomization will work without introducing significant increases
in DNS query volume or resolution failures.

The case-randomized query name in the request will be expected to exactly
match the name in the question section of the DNS server’s reply, including
the case of each ASCII letter (A–Z and a–z). For example, if “ExaMplE.CoM”
is the name sent in the request, the name in the question section of the
response must also be “ExaMplE.CoM” rather than, e.g., “example.com.”
Responses that fail to preserve the case of the query name may be dropped
as potential cache poisoning attacks. Thus, nameservers that fail to
preserve the query name in their response, or whose response to
case-randomized requests is an unexpected error (SERVFAIL, NOTIMP, FORMERR,
etc.) or a failure to respond, will negatively impact users' ability to
resolve names in the domains they serve.

Generally, when nameservers mishandle case-randomized queries, we recommend
asking the nameserver operator to correct their behavior. While our
exception list will work around the problem for now, it may not get
immediate updates for newly broken name servers.

We’ll have case randomization enabled in one or two regions starting on
August 29th and enabled globally by the end of October. Meanwhile, we’ve
already turned off case randomization to nameservers that we’ve identified
as not handling it correctly.

If you believe you have discovered name resolution failures with Google
Public DNS due to case randomization, please file a bug in our *issue tracker*
<https://developers.google.com/speed/public-dns/groups#issue_tracker>
referencing this announcement.
Let us know if there's any question via
https://developers.google.com/speed/public-dns/groups. We've also posted
this in our discussion group:
https://groups.google.com/g/public-dns-discuss/c/aHSyiIlBfjo.
--- End Message ---