Re: [dns-operations] Google Public DNS plans to enable case randomization for cache poisoning protection

2023-01-17 Thread Tianhao Chi via dns-operations
is in our discussion group:
> https://groups.google.com/g/public-dns-discuss/c/aHSyiIlBfjo.
>
> ------ Forwarded message ------
> From: Tianhao Chi via dns-operations 
> To: dns-operations@lists.dns-oarc.net
> Cc:
> Bcc:
> Date: Thu, 11 Aug 2022 16:35:16 -0400
> Subject: [dns-operations] Google Public DNS plans to enable case
> randomization for cache poisoning protection
> ___
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] Google Public DNS plans to enable case randomization for cache poisoning protection

2022-08-12 Thread Tianhao Chi via dns-operations
@Winfried,

We do retry over TCP if there's a case mismatch. However, we've found out
that many of the case-ignoring nameservers don't support TCP, resulting in
resolution failures.


On Fri, Aug 12, 2022 at 12:59 AM wrote:

> Hi,
>
> > Responses that fail to preserve the case of
> > the query name may be dropped as
> >potential cache poisoning attacks
>
> Why not fallback to TCP in such cases?
>
> Winfried


Re: [dns-operations] Google Public DNS plans to enable case randomization for cache poisoning protection

2022-08-11 Thread abang
Hi,

> Responses that fail to preserve the case of
> the query name may be dropped as
>potential cache poisoning attacks

Why not fallback to TCP in such cases?

Winfried


Re: [dns-operations] Google Public DNS plans to enable case randomization for cache poisoning protection

2022-08-11 Thread Viktor Dukhovni
On Thu, Aug 11, 2022 at 04:58:46PM -0600, Paul wrote:

> Should we revive the 0x20 draft?

Seems reasonable to me.

-- 
Viktor.


Re: [dns-operations] Google Public DNS plans to enable case randomization for cache poisoning protection

2022-08-11 Thread Paul via dns-operations
Should we revive the 0x20 draft?

> On Aug 11, 2022 at 2:55 PM, (mailto:dns-operati...@dns-oarc.net)> wrote:
>


Re: [dns-operations] Google Public DNS plans to enable case randomization for cache poisoning protection

2022-08-11 Thread Ondřej Surý
What would really help here is (continuous) sharing of the list of problematic
domains. That would really help the DNS community; we could talk to the people
running these services and prepare the configuration with exceptions for
popular open-source implementations.

Ondřej
--
Ondřej Surý  (He/Him)

> On 11. 8. 2022, at 23:35, Tianhao Chi wrote:
> 
> As part of this, we’ve identified a small set of nameservers (< 1000 distinct 
> IPs) that do not handle case randomization correctly and have exempted these 
> from case randomization.




[dns-operations] Google Public DNS plans to enable case randomization for cache poisoning protection

2022-08-11 Thread Tianhao Chi via dns-operations
Dear users and nameserver operators,

As part of our efforts to increase DNS cache poisoning protection for UDP
queries, we are planning to enable case randomization of DNS query names
sent to most authoritative nameservers (see our *security page description*
of the feature and
https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00). We
have been performing case randomization of query names since 2009 to a
small set of chosen nameservers. This set of servers handled a minority of
our query volume, so a year ago we started work on enabling case
randomization by default. As part of this, we’ve identified a small set of
nameservers (< 1000 distinct IPs) that do not handle case randomization
correctly and have exempted these from case randomization. We are confident
that case randomization will work without introducing significant increases
in DNS query volume or resolution failures.

The case-randomized query name in the request will be expected to exactly
match the name in the question section of the DNS server’s reply, including
the case of each ASCII letter (A–Z and a–z). For example, if “ExaMplE.CoM”
is the name sent in the request, the name in the question section of the
response must also be “ExaMplE.CoM” rather than, e.g., “example.com.”
Responses that fail to preserve the case of the query name may be dropped
as potential cache poisoning attacks. Thus, nameservers that fail to
preserve the query name in their response, or whose response to
case-randomized requests is an unexpected error (SERVFAIL, NOTIMP, FORMERR,
etc.) or a failure to respond, will negatively impact users' ability to
resolve names in the domains they serve.

Generally, when nameservers mishandle case-randomized queries, we recommend
asking the nameserver operator to correct their behavior. While our
exception list will work around the problem for now, it may not get
immediate updates for newly broken name servers.

We’ll have case randomization enabled in one or two regions starting on
August 29th and enabled globally by the end of October. Meanwhile, we’ve
already turned off case randomization to nameservers that we’ve identified
as not handling it correctly.

If you believe you have discovered name resolution failures with Google
Public DNS due to case randomization, please file a bug in our *issue
tracker* referencing this announcement. Let us know if there's any question
via https://developers.google.com/speed/public-dns/groups. We've also posted
this in our discussion group:
https://groups.google.com/g/public-dns-discuss/c/aHSyiIlBfjo.
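The exact-match rule in the announcement, as an added example that is not Google's code nor anything posted in this thread: a small Python model of 0x20 case randomization and of the resolver-side check that compares the question section of the reply with what was sent. The packets are constructed in-process (a case-preserving server, a case-ignoring server that lowercases the name, and a spoofed reply that guessed the transaction ID but not the case pattern); the transaction ID, the helper names and the comparison function are my own choices, and the name "ExaMplE.CoM" is the one used in the announcement.

```python
"""Added example, not code from Google Public DNS or from anyone in the thread.

A minimal model of the 0x20 check described in the announcement: the resolver
randomly flips the case of each ASCII letter in the query name (upper- and
lower-case ASCII letters differ only in bit 0x20), remembers exactly what it
sent, and accepts a reply only if the QNAME in the reply's question section
is byte-for-byte identical. All packets below are constructed in-process;
nothing is sent on the network. Transaction ID and helper names are made up.
"""
import secrets
import struct


def randomize_case(qname: str, coin=secrets.randbits) -> str:
    """Flip the case of each ASCII letter with probability 1/2.

    `coin(1)` must return 0 or 1; it is a parameter so tests can be
    deterministic. Digits, hyphens and dots are left untouched.
    """
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha() and coin(1):
            out.append(chr(ord(ch) ^ 0x20))   # toggle the 0x20 bit
        else:
            out.append(ch)
    return "".join(out)


def entropy_bits(qname: str) -> int:
    """Each ASCII letter adds one random bit an off-path spoofer must guess,
    on top of the 16-bit transaction ID and the (at most 16-bit) source port."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def encode_qname(qname: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(txid: int, flags: int, qname: str, qtype: int = 1) -> bytes:
    """DNS header (id, flags, qdcount=1, an/ns/ar=0) followed by one question.
    Used for both the query and the constructed replies; the replies carry no
    answer records because only the question section matters here."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (txid, qname, qtype, qclass) from a message with one question.
    The name is decoded label by label, preserving the case seen on the wire."""
    txid = struct.unpack("!H", msg[:2])[0]
    off, labels = 12, []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, ".".join(labels), qtype, qclass


def reply_matches(query: bytes, reply: bytes) -> bool:
    """The resolver-side check: ID, type, class and the exact (case-sensitive)
    query name must all match what was sent."""
    return parse_question(query) == parse_question(reply)


def demo() -> dict:
    """Walk through the outcomes the announcement and the TCP-retry reply describe."""
    sent = "ExaMplE.CoM"                                # the announcement's example
    query = build_message(0x1234, 0x0100, sent)         # RD set
    # 1. Well-behaved server: echoes the question name verbatim.
    good = build_message(0x1234, 0x8180, sent)          # QR|RD|RA
    # 2. Case-ignoring server: normalises the name to lower case.
    lowered = build_message(0x1234, 0x8180, sent.lower())
    # 3. Off-path spoofer that guessed the ID but not the case pattern.
    spoof = build_message(0x1234, 0x8180, "EXAMPLE.com")
    return {
        "good": reply_matches(query, good),         # True: accepted
        "lowered": reply_matches(query, lowered),   # False: dropped, retried over TCP
        "spoof": reply_matches(query, spoof),       # False: dropped
        "extra_bits": entropy_bits(sent),           # 10 letters -> 10 extra bits
    }


if __name__ == "__main__":
    print(demo())
    print(randomize_case("example.com"))
```

To check a live authoritative server for the behaviour the thread is about, query it with a mixed-case name (for example `dig @<ns> ExAmPlE.CoM A`) and compare the QUESTION section of the reply with what was sent; a server that hands the name back lowercased is the case-ignoring kind, and since the reply above says the fallback is a TCP retry, it is worth repeating the query with `dig +tcp` to see whether that path works at all.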