DNSSEC? DoH? Useless features?


(Michael Kicks) #1

DNS is going to be secured/transport crypted in the coming future.

What community thinks about this way to… reduce vulnerability footprint?


(André Wismer) #2

Hi

I’ve been seen as a DNS Guru for ages - starting with Novell NDS/eDir over MS AD and Bind.
DNS is actually quite simple, forward and reverse. It’s one of the older protocolls on TCP/IP, like for example SNMP (Simple Network management Protocoll), also ages old… SNMP, despite it’s name isn’t easy to comprehend, the DOD Background can be quite confusing to the younger generation who can’t remember the starts of the Internet as a DARPA (Defense Advanced Research Project…).
In those Days, Networks were “trusted”, so were System Admins - they were all in the end US State employees…
Nowadays that’s different. North Korea has DNS, so does Russia and China. But the Root Server “A” (I am the Internet!) is in the USA, at a non disclosed spot. Yet it all works instantly. A database with literally millions of Administrators, many not on speaking or communication Terms with any others - yet it works better and more reliably than almost any commercial Database!

The Information behind DNS is public knowledge, agreed! There are no “secret” records on a public DNS Server. The case for an Internal DNS Server is a different animal…
So why the fuss?

DNS - for redundancy purposes was one of the first protocolls in the TCP stack besides Mail / SMTP which had redundancy thoughts / ideas behind them. Primary and Secondary DNS Servers…
The primary DNS Server is the Master, defined by the SOA Record in DNS. The others are slaves - or in human concept, something like a parrot, they just have the same knowledge and can repeat what the Primary DNS has to say. They get their Information from the primary.

In the beginning, this was open communication. Then came closed group communication. Still not enough…

The problem is, if you can feed the slaves enough bullsh*t, they will give out this information. Say for NethServer.org, the slaves would point nethserver.org and www.nethserver.org to my.compromised.server.org. People would put in their data, try to log in and so on. Now, NethServer.org isn’t really a shop, there aren’t much “critical” data there. That isn’t always the case. It could be just as well my-big-bank.com or something else…

Then all you would need to do is “take down” the primary DNS using say a DDOS (Distributed Denial of Service), then the slaves will awnser any queries. But they will give out compromised information, looking like the real thing!

That’s one of the reasons DNS has to move forward…

I’ve tried to make a complex szenario understandable for non-experts. But this isn’t out of a storybook nowadays, it’s sad reality!

My 2 cents!
Andy


(Michael Kicks) #3

There are no “secret” i can agree, but the integrity and the trustfulness of the information is quite necessary today…

Into DNS Servers are now publicly readable some policies related to mail delivery, public keys, expire time. Now Internet is the backbone of the data for most civil world, not a happy party for few and tech-conscious people.

Therefore, DoH and DNSSEC are proposing to avoid data forgery and MITM attacks, at least among other things.
RFC about DNSSEC are already public (according to https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) and are running on the public internet (IpFire rely on DNSSec and looks for data validation), DoH is still experimental, according to wikipedia
https://en.wikipedia.org/wiki/DNS_over_HTTPS
but by my perspective there’s a “flaw” into DoH concept: is built by organization that designs internet browser, and only this kind of application.

I don’t think that Google and Mozillla Foundation are newbyes but… maybe they look for only the own needs, not a network related needs…