"Google, this is bogus as hell," Paul Vixie ranted on the Internet Engineering Task Force mail list this week. The IETF mail list is where the people who create the internet's technologies converse.
The post was noticed because Paul Vixie is an Internet Hall of Fame engineer known for his pioneering work on the modern Domain Name Service (DNS).
And it is how Google was using DNS in its Chromecast Ultra streaming device that ticked him off.
[...] [Vixie] bought a Google Chromecast. But when he went to set it up, he found it doing something no device in his network is allowed to do: It wouldn't use his own, private DNS server. It would only use Google's public server.
Related: Paul Vixie: New TLDs a Money Grab, and a Mistake
VLC 3.0.0 Released, With Better Hardware Decoding and Support for HDR, 360-Degree Video, Chromecast
Paul Vixie on the Benefits of Running DNS Services Locally
(Score: 4, Informative) by Anonymous Coward on Sunday February 17 2019, @05:12PM (1 child)
So, you have also exactly 0 idea how DNSSEC works.... fucking hell... and they mod you insightful? Ok, let me explain.
DNSSEC signs *ZONES*, i.e. DNS ZONES. You can MITM it all you want. And you can intercept and generate all the replies you want. With DNSSEC I can 100% of the time MITM the reply of a DNSSEC-signed domain. What I cannot do is *change* that reply. But I can intercept and resolve these queries on my resolver and forward the signed domains (signed, clearly, by the original signer of the zone) to the recipient. I can also drop packets and ignore them, causing timeouts. But I cannot fake replies, and that includes not being able to fake a negative reply.
If I query 8.8.8.8, it's a UDP or a TCP packet. It has *nothing* to do with DNSSEC. That's at a different level, not the IP level.... :/
So, do you now understand how it actually works? DNSSEC brings *authenticity* of signed zones to the replies. It doesn't prevent eavesdropping, blocking, dropping, or MITM DNS servers. And for shit clients that rely on DNS servers for verification of signed domains, DNSSEC is useless because I can just fake the AD bit in the reply and a shit client would believe it without checking the actual reply. HINT: The standard remote resolver's verification of signed zones is just a courtesy, not what should happen. Verification must happen on the *client* side. But if you think that's bad, for unsigned zones it's the Wild West out there. Anyone can do whatever they want with the packets. Want to go to google.com? Here's a nice server in China waiting for you! (google.com is unsigned)
And if you want to prevent eavesdropping between your client and the DNS resolver, then you have to use something else in addition to the DNS protocol. DNS-over-HTTPS, for example, is an easy solution. I think PowerDNS recursor added support for that already.
PS. MITM is how internet routing works... each hop is a MITM by definition. But most are nice and just forward the packets along.
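As an added illustration of the two points made in the comment above (DNSSEC signs zones, and the AD bit in a reply is only as trustworthy as the path it travelled), here is a small Python script that is not part of the comment or of any DNS software. It builds constructed DNS response packets in wire format, parses them, and contrasts a stub client that believes the AD flag unconditionally with one that only honours it over an authenticated channel to a resolver it chose. The query name and addresses are made-up sample values; the script does not perform RRSIG validation, which is what a client that verifies locally would still need to do.

```python
"""Constructed DNS wire-format example: the AD bit is one flag in the header,
so a stub client must not treat it as proof of DNSSEC validation unless the
channel to the validating resolver is itself authenticated."""
import struct
import ipaddress

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035)
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # "authentic data": set by a validating resolver
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode "www.example.net" as DNS labels: 3www7example3net0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, qname, ip, ad):
    """Build a constructed A-record response; ad=True sets the AD flag."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)  # qd=1, an=1
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # Answer owner name is a compression pointer (0xC00C) to the question name
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4)
    answer += ipaddress.IPv4Address(ip).packed
    return header + question + answer


def parse_header(pkt):
    """Decode the 12-byte header into a dict, including the AD flag."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "ad": bool(flags & FLAG_AD)}


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_first_a(pkt):
    """Return the dotted IPv4 string of the first A record in the answer."""
    hdr = parse_header(pkt)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(hdr["ancount"]):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            return str(ipaddress.IPv4Address(pkt[off:off + 4]))
        off += rdlen
    return None


def naive_client_trusts(pkt):
    """Stub client that believes AD regardless of where the packet came from."""
    return parse_header(pkt)["ad"]


def careful_client_trusts(pkt, channel_authenticated):
    """Honour AD only when the resolver is one we chose and the path to it is
    authenticated (e.g. DNS-over-TLS/HTTPS, or a validating resolver on the
    loopback). Otherwise the flag carries no information."""
    return parse_header(pkt)["ad"] and channel_authenticated


if __name__ == "__main__":
    # Constructed reply from our own validating resolver over an authenticated channel
    good = build_a_response(0x1234, "signed.example.net", "192.0.2.10", ad=True)
    # Constructed reply with identical flags arriving over plain UDP from an unknown path
    unknown = build_a_response(0x1234, "signed.example.net", "198.51.100.99", ad=True)
    for label, pkt, auth in (("authenticated", good, True), ("plain UDP", unknown, False)):
        print(label, parse_first_a(pkt),
              "naive:", naive_client_trusts(pkt),
              "careful:", careful_client_trusts(pkt, auth))
```

Both constructed packets carry exactly the same header flags, so nothing in the bytes lets the naive client tell them apart; the careful client's answer depends entirely on whether the channel to the resolver was authenticated, which is the reason the comment points at DNS-over-HTTPS (or local validation) rather than at the AD bit alone.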
(Score: 3, Interesting) by darkfeline on Sunday February 17 2019, @10:04PM
Anonymous Coward saves the day. This is (one of the reasons) why DNS-over-HTTPS and DNS-over-TLS exist; TLS *does* prevent MITM, eavesdropping, etc.