Re: [DNSOP] NSA says don't use public DNS or DoH servers
On 2021-01-18 4:27 p.m., John Levine wrote:
> They think DoH is swell, but not when it bypasses security controls
> and leaks info to random outside people

Sage advice.

In the OPSAWG, where RFC8520 (MUD) currently lives, we are trying to codify advice to IoT manufacturers about these things. Please see the recently adopted draft-ietf-opsawg-mud-iot-dns-considerations-00. The -01 is coming out next week with many clarifications.

Most of the advice is of the form "Doctor, it hurts when I poke myself in the eye", but there is a real tussle between shipping devices that work even when the "luser" (or their monopoly ISP) has toasted their local recursive server, vs privacy, vs RFC8520 ACLs.

In fact, the reason I opened up the IMAP to dnsop (which I haven't time to read regularly, sorry) is because I wanted to ask to present at IETF110, with the hope of getting some additional review.

(I understand this WG decided not to standardize the term "QuadX", and I would dearly like an equally terse replacement.)

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] NSA says don't use public DNS or DoH servers
On Mon, Jan 18, 2021 at 04:27:20PM -0500, John Levine wrote a message of 18 lines which said:

> They think DoH is swell, but not when it bypasses security controls
> and leaks info to random outside people

I will certainly do as the NSA says, since they are experts in privacy-related issues (and in random numbers, since they call "random" the resolver that is configured in my browser) but, to add fuel to the fire, the people at JSOF who discovered the DNSpooq vulnerability just said the opposite:

https://www.zdnet.com/article/dnspooq-lets-attackers-poison-dns-cache-records/

"A good workaround would be to use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT)," Oberman said. "Another option would be to statically configure a trusted DNS server, like Cloudflare or Google DNS servers, so that DNS requests are not handled by the home router and go directly to the [remote] DNS server."
Re: [DNSOP] NSA says don't use public DNS or DoH servers
On 1/22/21 3:10 AM, Tom Pusateri wrote:
> Would it be ok to allow DNSSEC signed responses from any server? If they're
> signed and verified, does it matter how you got them?

Another missing part is privacy, i.e. even if you get exactly the same answers, it doesn't imply you get similar (privacy) properties.

By the way, the ADD WG is now trying hard to define what it means for two resolver services to be "equivalent" - at least for the purpose of being OK to switch among them without the user's consent.

--Vladimir
Re: [DNSOP] NSA says don't use public DNS or DoH servers
On Thu, Jan 21, 2021 at 09:10:25PM -0500, Tom Pusateri wrote:
>
> > On Jan 21, 2021, at 8:59 PM, Paul Vixie wrote:
> >
> > (new behaviour should require new signalling. let networks who want to
> > permit DNS bypass either by "use 8.8.8.8" or "use DoH" or otherwise,
> > signal this by adding a new canary domain, or a new DHCP option.
> > absent new signalling, behaviour should not change.)
>
> Would it be ok to allow DNSSEC signed responses from any server? If they're
> signed and verified, does it matter how you got them?

no. if my dns firewall is whiting out a DGA botnet's C, or any answer having an IP from a known-malicious ISP, or served by a known-bad name server name (or IP)... then i want them whited out, period, for all end systems on my network. DNS is part of my control plane and i'm not going to negotiate with app or device makers as to why that's so or what i mean.

see also parental controls, corporate compliance controls, university compliance controls, or any of the other use cases to be found here:

https://dnsrpz.info/

--
Paul Vixie
Re: [DNSOP] NSA says don't use public DNS or DoH servers
> On Jan 21, 2021, at 8:59 PM, Paul Vixie wrote:
>
> On Thu, Jan 21, 2021 at 03:36:41PM -0800, Wes Hardaker wrote:
>> "John Levine" writes:
>>
>>> They think DoH is swell, but not when it bypasses security controls
>>> and leaks info to random outside people
>>
>> At least 15% of network operators seem to agree.
>>
>> https://www.isi.edu/~hardaker/news/20191120-canary-domain-measuring.html
>
> i think the makers of canary-respecting DNS stub resolvers are still
> figuring things out, and that if canary domains become prevalent,
> especially among surveillance capitalist ISPs or surveillance
> authoritarian states, the days of canary domains will change or end.
>
> for my own networks, i won't install a canary domain, because that's
> a late-imposed change, unreliable, and a negative externality. any
> stub resolver who uses any DNS service other than the one i hand out
> in my DHCP assignments will be removed from the network.
>
> (new behaviour should require new signalling. let networks who want to
> permit DNS bypass either by "use 8.8.8.8" or "use DoH" or otherwise,
> signal this by adding a new canary domain, or a new DHCP option.
> absent new signalling, behaviour should not change.)
>
> --
> Paul Vixie

Would it be ok to allow DNSSEC signed responses from any server? If they're signed and verified, does it matter how you got them?

Thanks,
Tom
Re: [DNSOP] NSA says don't use public DNS or DoH servers
On Thu, Jan 21, 2021 at 03:36:41PM -0800, Wes Hardaker wrote:
> "John Levine" writes:
>
> > They think DoH is swell, but not when it bypasses security controls
> > and leaks info to random outside people
>
> At least 15% of network operators seem to agree.
>
> https://www.isi.edu/~hardaker/news/20191120-canary-domain-measuring.html

i think the makers of canary-respecting DNS stub resolvers are still figuring things out, and that if canary domains become prevalent, especially among surveillance capitalist ISPs or surveillance authoritarian states, the days of canary domains will change or end.

for my own networks, i won't install a canary domain, because that's a late-imposed change, unreliable, and a negative externality. any stub resolver who uses any DNS service other than the one i hand out in my DHCP assignments will be removed from the network.

(new behaviour should require new signalling. let networks who want to permit DNS bypass either by "use 8.8.8.8" or "use DoH" or otherwise, signal this by adding a new canary domain, or a new DHCP option. absent new signalling, behaviour should not change.)

--
Paul Vixie
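The "canary domain" signalling that this message and Wes's measurement refer to is easy to misread, so here is an added illustration of how it works on both sides. This is not code from the thread or from any poster, browser or resolver project; it models the mechanism as Mozilla documents it for Firefox (the client looks up `use-application-dns.net` before enabling DoH, and an operator answers that name with NXDOMAIN, or NOERROR with no A/AAAA records, to say "keep using the DHCP-assigned resolver"). The resolver table, the sample networks, the `192.0.2.10` address and the behaviour on an unreachable resolver are all constructed assumptions.

```python
"""Canary-domain signalling for DNS-over-HTTPS, modelled on Mozilla's
published description (an added example; assumptions are marked below)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

CANARY_NAME = "use-application-dns.net"   # the canary name Mozilla publishes


@dataclass
class DnsResponse:
    rcode: str                                          # "NOERROR", "NXDOMAIN", "SERVFAIL", ...
    addresses: List[str] = field(default_factory=list)  # A/AAAA rdata, if any


# Anything that maps a name to a response can play the local resolver.
Resolver = Callable[[str], DnsResponse]


def canary_says_disable_doh(resolve: Resolver) -> bool:
    """True when the local resolver is signalling 'do not use DoH on this network'.

    Only two responses are the opt-out signal: NXDOMAIN, or NOERROR with no
    address records. A real answer is "no signal"; so is SERVFAIL. An
    unreachable resolver is treated as "no signal" too (assumption).
    """
    try:
        resp = resolve(CANARY_NAME)
    except OSError:
        return False
    if resp.rcode == "NXDOMAIN":
        return True
    if resp.rcode == "NOERROR" and not resp.addresses:
        return True
    return False


def choose_resolver_mode(resolve: Resolver, doh_default_on: bool) -> str:
    """Return "doh" or "local" the way a canary-respecting stub would decide.

    doh_default_on is the client's own deployment default; the canary can
    only switch DoH off, never on.
    """
    if not doh_default_on:
        return "local"
    return "local" if canary_says_disable_doh(resolve) else "doh"


def make_table_resolver(table: Dict[str, DnsResponse]) -> Resolver:
    """Constructed stand-in for a recursive resolver: answers from a table,
    NXDOMAIN for every name it does not know."""
    def resolve(name: str) -> DnsResponse:
        return table.get(name.lower().rstrip("."), DnsResponse("NXDOMAIN"))
    return resolve


# Constructed sample networks (not measurements of any real operator).
# 1. Operator has done nothing: the canary's public answer passes through.
NETWORK_OPEN = make_table_resolver({
    CANARY_NAME: DnsResponse("NOERROR", ["192.0.2.10"]),   # TEST-NET-1 address, constructed
})
# 2. Operator opted out with an RPZ-style rule; in a response policy zone the
#    record "use-application-dns.net CNAME ." means "answer NXDOMAIN".
NETWORK_OPT_OUT_NXDOMAIN = make_table_resolver({})
# 3. Operator opted out by serving an empty NOERROR answer instead.
NETWORK_OPT_OUT_EMPTY = make_table_resolver({
    CANARY_NAME: DnsResponse("NOERROR", []),
})
# 4. The "toasted local recursive server" case: SERVFAIL is not an opt-out,
#    so a client with DoH on by default keeps using DoH.
NETWORK_BROKEN = make_table_resolver({
    CANARY_NAME: DnsResponse("SERVFAIL"),
})


def unreachable_resolver(name: str) -> DnsResponse:
    """Constructed resolver that cannot be reached at all."""
    raise OSError("resolver unreachable")


if __name__ == "__main__":
    samples = [("open", NETWORK_OPEN),
               ("opt-out/nxdomain", NETWORK_OPT_OUT_NXDOMAIN),
               ("opt-out/empty", NETWORK_OPT_OUT_EMPTY),
               ("servfail", NETWORK_BROKEN),
               ("unreachable", unreachable_resolver)]
    for label, resolver in samples:
        print(f"{label:18s} -> {choose_resolver_mode(resolver, doh_default_on=True)}")
```

The fourth sample is the point of the "luser has toasted their local recursive server" tussle: a broken resolver looks nothing like an opt-out, so the client keeps its DoH default, which is exactly what an operator who relies on the canary (rather than on blocking) does not get to control.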
Re: [DNSOP] NSA says don't use public DNS or DoH servers
"John Levine" writes:
> They think DoH is swell, but not when it bypasses security controls
> and leaks info to random outside people

At least 15% of network operators seem to agree.

https://www.isi.edu/~hardaker/news/20191120-canary-domain-measuring.html

--
Wes Hardaker
USC/ISI
[DNSOP] NSA says don't use public DNS or DoH servers
They think DoH is swell, but not when it bypasses security controls and leaks info to random outside people.

From the summary:

  Using DoH with external resolvers can be good for home or mobile users and networks that do not use DNS security controls. For enterprise networks, however, NSA recommends using only designated enterprise DNS resolvers in order to properly leverage essential enterprise cybersecurity defenses, facilitate access to local network resources, and protect internal network information.

https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2471956/nsa-recommends-how-enterprises-can-securely-adopt-encrypted-dns/