Re: [dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection

2023-09-27 Thread Stephane Bortzmeyer
On Wed, Sep 27, 2023 at 05:17:05PM +0200, Petr Špaček wrote a message of 48 lines which said:

> If you are interested in the gory details, BIND's description of the issue
> can be found here:
> https://gitlab.isc.org/isc-projects/bind9/-/issues/2950#note_241893
> https://gitlab.isc.org/isc-projects/bind9/-/issues/2950#note_244624

Thanks, these detailed discussions are much clearer than the paper,
which I find confusing (with its strange use of terms like "on-path").

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection

2023-09-27 Thread Petr Špaček

On 27. 09. 23 9:38, Ralf Weber wrote:

> Moin!
>
> On 27 Sep 2023, at 3:58, Xiang Li wrote:
>
> > Hi Stephane,
> >
> > This is Xiang, the author of this paper.
> >
> > For the off-path attack, DoT can protect the CDNS from being poisoned.
> > For the on-path attack, since the forwarding query is sent to the
> > attacker's server, only DNSSEC can mitigate the MaginotDNS.
>
> I don’t think this is true otherwise all resolver implementations would
> have been affected and not just a few. If you are on path direct behind
> the resolver of course all bets are off, but if you are on path just
> between the resolver and the forwarder those resolvers that are more
> cautious in what cache information they use for iterative queries are not
> vulnerable.
>
> I guess that is why Akamai Cacheserve, NLNet Labs Unbound and PowerDNS
> Recursor are not mentioned in the paper because they were not vulnerable.

That's right.

If you are interested in the gory details, BIND's description of the 
issue can be found here:

https://gitlab.isc.org/isc-projects/bind9/-/issues/2950#note_241893
https://gitlab.isc.org/isc-projects/bind9/-/issues/2950#note_244624

Also the surrounding comments have more details including vulnerable 
config files and PCAPs.


--
Petr Špaček
Internet Systems Consortium




Re: [dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection

2023-09-27 Thread Xiang Li
Evening!

> I don’t think this is true otherwise all resolver implementations would
> have been affected and not just a few. If you are on path direct behind
> the resolver of course all bets are off, but if you are on path just
> between the resolver and the forwarder those resolvers that are more
> cautious in what cache information they use for iterative queries are not
> vulnerable.
>

DoT could work if the attacker is between the server and the resolver.
However, if the attacker controls the target server, DoT just fails.

> I guess that is why Akamai Cacheserve, NLNet Labs Unbound and PowerDNS
> Recursor are not mentioned in the paper because they were not vulnerable.
>

Sorry. That software is not affected because they implemented
the bailiwick checking well, as we explained in our paper, rather than
because they used DoT as you said. That's what we found by performing our
analysis and testing.
We also tested Akamai Cacheserver after Akamai researchers reached out to
us.
Both their immune implementations and DNSSEC protected them well.

> I agree that DNSSEC can fully mitigate it and should be used. Any
> encrypted transport to a forwarder also would work, but IMHO it probably
> would be better to not use forwarding at all.
>

Yes. DNSSEC will work.

Best,
Xiang

On Wed, Sep 27, 2023 at 3:39 PM Ralf Weber wrote:

> Moin!
>
> On 27 Sep 2023, at 3:58, Xiang Li wrote:
>
> > Hi Stephane,
> >
> > This is Xiang, the author of this paper.
> >
> > For the off-path attack, DoT can protect the CDNS from being poisoned.
> > For the on-path attack, since the forwarding query is sent to the
> > attacker's server, only DNSSEC can mitigate the MaginotDNS.
>
> I don’t think this is true otherwise all resolver implementations would
> have been affected and not just a few. If you are on path direct behind
> the resolver of course all bets are off, but if you are on path just
> between the resolver and the forwarder those resolvers that are more
> cautious in what cache information they use for iterative queries are not
> vulnerable.
>
> I guess that is why Akamai Cacheserve, NLNet Labs Unbound and PowerDNS
> Recursor are not mentioned in the paper because they were not vulnerable.
>
> I agree that DNSSEC can fully mitigate it and should be used. Any
> encrypted transport to a forwarder also would work, but IMHO it probably
> would be better to not use forwarding at all.
>
> So long
> -Ralf
> ——-
> Ralf Weber
>
>
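As an added illustration of the bailiwick checking Xiang credits for the unaffected resolvers (example code written for this thread, not from the paper, BIND, Unbound or PowerDNS): a conditional forwarder's reply is only cached for owner names at or under the forwarded zone, and the same function run with zone "." shows what happens when a forwarder is instead treated as authoritative for everything. The RR type, zone names and the sample response are constructed.

```python
# Bailiwick filter for responses a forwarder returns to a CDNS.
# Hypothetical helper code; record layout and names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name
    rtype: str  # record type, e.g. "A" or "NS"
    data: str   # RDATA in presentation form


def canon(name: str) -> str:
    """Lower-case and add a trailing dot: 'Corp.Example' -> 'corp.example.'."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a label-aligned subdomain of it."""
    n, z = canon(name), canon(zone)
    if z == ".":          # root bailiwick: everything is "in bailiwick"
        return True
    return n == z or n.endswith("." + z)


def filter_forwarded_response(forward_zone: str, records):
    """Split a forwarder's reply into cacheable and out-of-bailiwick RRs.

    forward_zone is the zone this forwarder is configured for; only records
    whose owner name lies under it may enter the shared cache.
    """
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, forward_zone) else dropped).append(rr)
    return kept, dropped


# Constructed sample: the CDNS forwards "corp.example." to a forwarder whose
# reply also carries a record for an unrelated name.
SAMPLE_RESPONSE = [
    RR("intranet.corp.example.", "A", "10.0.0.5"),
    RR("corp.example.", "NS", "ns1.corp.example."),
    RR("ns1.corp.example.", "A", "10.0.0.53"),
    RR("www.bank.example.", "A", "198.51.100.7"),  # outside corp.example.
]

if __name__ == "__main__":
    kept, dropped = filter_forwarded_response("corp.example.", SAMPLE_RESPONSE)
    for rr in kept:
        print("cache:", rr)
    for rr in dropped:
        print("drop: ", rr)
```

With the forwarded zone as the bailiwick the unrelated A record is dropped; with "." as the bailiwick every record would be cached, which is the boundary the paper's name refers to.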


Re: [dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection

2023-09-27 Thread Ralf Weber
Moin!

On 27 Sep 2023, at 3:58, Xiang Li wrote:

> Hi Stephane,
>
> This is Xiang, the author of this paper.
>
> For the off-path attack, DoT can protect the CDNS from being poisoned.
> For the on-path attack, since the forwarding query is sent to the
> attacker's server, only DNSSEC can mitigate the MaginotDNS.

I don’t think this is true otherwise all resolver implementations would
have been affected and not just a few. If you are on path direct behind
the resolver of course all bets are off, but if you are on path just
between the resolver and the forwarder those resolvers that are more
cautious in what cache information they use for iterative queries are not
vulnerable.

I guess that is why Akamai Cacheserve, NLNet Labs Unbound and PowerDNS
Recursor are not mentioned in the paper because they were not vulnerable.

I agree that DNSSEC can fully mitigate it and should be used. Any
encrypted transport to a forwarder also would work, but IMHO it probably
would be better to not use forwarding at all.

So long
-Ralf
——-
Ralf Weber



Re: [dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection

2023-09-26 Thread Xiang Li
Hi Stephane,

This is Xiang, the author of this paper.

For the off-path attack, DoT can protect the CDNS from being poisoned.
For the on-path attack, since the forwarding query is sent to the
attacker's server, only DNSSEC can mitigate the MaginotDNS.

Best,
Xiang

On Tue, Sep 26, 2023 at 11:42 PM Stephane Bortzmeyer wrote:

> I'm reading the paper behind "MaginotDNS: Attacking the boundary of
> DNS caching protection"
> <https://blog.apnic.net/2023/09/26/maginotdns-attacking-the-boundary-of-dns-caching-protection/>.
>
> Am I correct to think that forwarding from the CDNS to the upstream
> resolver with DoT (DNS over TLS) would be sufficient to disable the
> attack (even TCP or cookies would be enough if the attacker is
> off-path)?
>


[dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection

2023-09-26 Thread Stephane Bortzmeyer
I'm reading the paper behind "MaginotDNS: Attacking the boundary of
DNS caching protection"
<https://blog.apnic.net/2023/09/26/maginotdns-attacking-the-boundary-of-dns-caching-protection/>.

Am I correct to think that forwarding from the CDNS to the upstream
resolver with DoT (DNS over TLS) would be sufficient to disable the
attack (even TCP or cookies would be enough if the attacker is
off-path)?
