Ignore DNSSEC if you like MITM attacks
17 points by ggpsv
Using a third party external validating resolver doesn’t make sense. Not just because that third party can easily spoof responses, but because traffic can easily be intercepted too. It’s like using plain-text HTTP to a “trusted” server which strips out HTTPS. The whole chain is as strong as its weakest link.
Not if you use DNS over TLS/HTTPS! As an additional bonus, your ISP won't be able to snoop on your DNS queries.
This is a bit orthogonal to the issue. Now you have to trust the DoT / DoH resolver, and unfortunately, you've been sold the bull that somehow they're (generally) more trustworthy than your ISP.
You have a contract with your ISP because you pay them. Do you have a contract with Cloudflare that protects you in any way? Do you care if they're letting the US government have unfettered access to all the DNS they resolve and all the web sites they MITM?
DNS-over-https also has the problem of being extremely difficult to audit. By normalizing it, we're also normalizing the idea that we, the end users, should accept that code that we run can do stuff that we can't see and we can't control.
These are things we should think about when we repeat the marketing bull that tells us to trust one corporate entity with something instead of another. We should trust our friends and ourselves over all corporate entities.
Now you have to trust the DoT / DoH resolver, and unfortunately, you've been sold the bull that somehow they're (generally) more trustworthy than your ISP.
They're publicly accessible and generally more likely to be caught doing shady things. My local ISP can target me specifically and get away with it much more easily than the 1, 8, 9 DNS caches. And those big DNS providers would really like to not end up in the news for spoofing entries - they get lots of benefit from people using them.
I worry more about infrastructure that is weakly protected by external/internal attackers. I don't think my ISP (nor mobile, nor airport wifi, nor...) is likely to fare well here. I don't think a contract with my ISP offers anything meaningful here either.
So I do trust Quad9 more than my ISP here.
That said, my endpoints do DNSSEC validation, as OP suggests.
I would prefer not to rely on a 3rd party resolver though. https://dnsprivacy.org/ tracks this problem with DNS.
I'm looking forward to DNS DELEG deployment, at which point I can run a recursive resolver, and know which authoritative nameservers support DoT/DoH, and then use a Quad9 only for the remaining queries.
Until then, Oblivious DoH is a decent compromise, which I think is used by Apple and dnscrypt-proxy2.
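What "my endpoints do DNSSEC validation" looks like on the wire, as an added example that is not from the thread or any poster: a stub builds a query carrying the EDNS0 DO bit (asking the resolver to validate) and checks the AD bit in the response header. Sample response headers are constructed inline; the AD bit is only the resolver's claim, which is why the path to that resolver has to be trustworthy.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 6891),
# which lives in the TTL field of the OPT pseudo-record.
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_AD = 0x0020   # Authenticated Data: resolver claims it validated DNSSEC
FLAG_CD = 0x0010   # Checking Disabled
EDNS_DO = 0x80000000

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Recursive query; with dnssec_ok an OPT record with the DO bit asks the
    resolver to validate and to set AD on success."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if not dnssec_ok:
        return header + question
    # OPT RR: root name, type 41, UDP payload size 1232, TTL = ext-rcode|ver|DO|Z, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a validating stub cares about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "response": bool(flags & FLAG_QR), "rcode": flags & 0xF,
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD), "answers": an}

def resolver_validated(response, query_id):
    """True only when the response matches our query, carries no error and has AD set.
    AD is an assertion by the resolver: it means something only if the path to that
    resolver cannot be tampered with (local validator, or DoT/DoH to one you trust)."""
    h = parse_header(response)
    return h["response"] and h["id"] == query_id and h["rcode"] == 0 and h["ad"]

# Constructed 12-byte response headers (question/answer sections omitted on purpose):
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)    # QR RD RA AD
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR RD RA
SAMPLE_BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)        # SERVFAIL (rcode 2)
```

A validating resolver answers a bogus zone with SERVFAIL rather than an unsigned answer, which is the "broken for days" failure mode a botched DNSSEC deployment produces.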
What you write makes sense. My complaint is mostly with companies like Google, Cloudflare, Firefox spouting bullshit about how we should trust them more than we trust our ISPs. The point is that we should trust all of them as little as possible.
I run local recursive, DNSSEC resolvers on all of my networks, and I teach people how to run their own. Everyone should :)
I trust my DoH provider[1] more than the owners of the random wifis I connect to. This isn't just about my home ISP.
Now, I could run a resolver at home so I only expose my queries to my home ISP. I used to do that, connecting to that resolver using Wireguard, but I've had some issues with this (mostly in that it makes internet outages at home a bit more painful). This also means that my ISP knows about all websites I visit, even when I'm on the other end of the country, which I feel is a bit weird.
[1] who isn't Cloudflare; they're a relatively small company that I have decent reasons to trust, and that I used to be a paid consumer of
You have a contract with your ISP because you pay them. Do you have a contract with Cloudflare that protects you in any way? Do you care if they're letting the US government have unfettered access to all the DNS they resolve and all the web sites they MITM?
I doubt most people think a contract with their ISP is worth the paper it's written on. Especially considering ISPs do tamper with DNS results and pages; as bad as Cloudflare may be, they haven't. (And my DoH provider is CIRA anyways.)
DNS-over-https also has the problem of being extremely difficult to audit. By normalizing it, we're also normalizing the idea that we, the end users, should accept that code that we run can do stuff that we can't see and we can't control.
Huh? How is that?
The GP is referring to the problem where each application bundles their own DoH/DoT client, by virtue of which its network access patterns become invisible/inauditable to the system administrator. It becomes impossible to see which endpoints the application is trying to resolve, or filter/block its queries in any way (e.g., for ad blocking or to exert control over antifeatures such as telemetry, phone-home or mandatory cloud functionality).
DNS-over-https is often done at the application level, meaning if an application, whether malicious or not, decides to use DNS-over-https to do lookups outside of the control of the OS or the network, it's really hard to know what's being done, and it's really hard to know how to block it.
Trojans are already doing this, as are browsers that are defaulting DoH to on without asking. This is a boon for companies that make money from advertising, like Google. It's normalizing taking control away from end users and network admins and giving that control to megacorps like Google and Cloudflare.
The point is that it's a bad direction, yet so many people are blindly repeating the salespitch that somehow they're being protected from their ISPs, so it's somehow OK.
If you really care, you'd know that DoH is bullshit, and you'd run your own local recursive resolver, or you'd find your own DNS provider you trust, and you wouldn't just blindly trust some shitty for-profit corporation like Cloudflare that actively makes the Internet shittier and wants to centralize it around them.
As an additional bonus, your ISP won't be able to snoop on your DNS queries.
ISPs are generally way smaller organizations than those that offer DNS over HTTPS. DoH in practice helps centralize who has access to your sensitive information. It makes the status quo worse.
I find the comparison to people not wanting to adopt HTTPS a poor one.
If you screw up your HTTPS cert, you can fix it and then it will work for everyone immediately.
If you screw up DNSSEC, you can end up with a domain that is broken for days, and all you can do is wait.
I wonder why none of Google's domains is using DNSSEC.
https://www.mattb.nz/w/2023/06/02/calling-time-on-dnssec/
(mattb was, in 2012-2016, the manager for the SRE team covering Google's authoritative DNS system. Not that he's speaking for anyone but himself here.)
Edit: it's been a while since I re-read this; he mentions Google:
For many zones, including significant zones like google.com (where I led the attempt to evaluate and deploy DNSSEC in the mid 2010s), it is simply infeasible to deploy the protocol at all, let alone in a reliable and dependable manner.