[CPWG] Google public DNS breaks DNS resolution
lutz at fitug.de
Tue Apr 30 11:22:54 UTC 2019
I recently came across this really mad idea by Google engineers:
https://developers.google.com/speed/public-dns/docs/security#nonce_prefixes
They try to protect against DNS spoofing by adding entropy in queries to
root/TLD name servers.
That's a braindead idea, because they can query all those servers using
DNSSEC, which invalidates the reasoning itself.
But the more important point is that this solution is based on a misguided
understanding of DNS itself.
Let's take for instance "www.uit.int" as an example.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37704
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
;; QUESTION SECTION:
;www.uit.int. IN A
;; ANSWER SECTION:
www.uit.int. CNAME www.itu.int.
www.uit.int. RRSIG CNAME 7 3 86400 2019...
;; AUTHORITY SECTION:
itu.int. NS ns.itu.ch.
itu.int. NS ns2.itu.ch.
itu.int. NS ns3.itu.ch.
[DNSSEC stuff]
So we do get a resolution and a delegation.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48110
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;; QUESTION SECTION:
;nonce-for-dummies.www.uit.int. IN A
;; AUTHORITY SECTION:
int. SOA sns.dns.icann.org. ...
[lot of DNSSEC NSEC3 non-existence proofs]
But the modified request does not reveal even a hint that the original
query might be successful.
If necessary, I'm happy to discuss the basics of DNS directly with the
engineer, if somebody makes a contact.
This discussion will include "non empty non-terminals" and the difference
between DS and DNSKEY, both issues where Google public DNS fails.
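As an added example (not from the post, and not Google's implementation), the following toy model of the int. server is built from the two dig responses quoted above. It shows why a nonce-prefixed query for a name that lives directly in the TLD zone (www.uit.int, a CNAME) comes back NXDOMAIN while a name under a real delegation (itu.int) still gets a referral, and sketches one resolver-side fallback; the zone contents, the nonce label and the fallback logic are assumptions for illustration.

```python
import secrets

# Constructed zone for "int.", built from the dig output quoted in the post:
# www.uit.int is a CNAME held directly in the int. zone (no delegation for
# uit.int), while itu.int is delegated to the ns*.itu.ch servers.
INT_ZONE = {
    "www.uit.int.": ("CNAME", "www.itu.int."),
    "itu.int.": ("NS", ["ns.itu.ch.", "ns2.itu.ch.", "ns3.itu.ch."]),
}


def authoritative_answer(qname: str) -> dict:
    """Answer as the int. server would: exact match, referral below a zone cut,
    otherwise NXDOMAIN. No wildcard or DNSSEC handling (toy model)."""
    if qname in INT_ZONE:
        rtype, rdata = INT_ZONE[qname]
        if rtype == "NS":
            return {"status": "NOERROR", "referral": rdata}
        return {"status": "NOERROR", "answer": (rtype, rdata)}
    labels = qname.split(".")
    for i in range(1, len(labels)):          # walk up towards the zone apex
        rec = INT_ZONE.get(".".join(labels[i:]))
        if rec and rec[0] == "NS":
            return {"status": "NOERROR", "referral": rec[1]}
    # no exact name and no covering delegation: a CNAME has no children
    return {"status": "NXDOMAIN"}


def nonce_prefixed(qname: str, nonce: str = "") -> str:
    """Prepend a random label to the query name, as the nonce-prefix scheme does."""
    return f"{nonce or secrets.token_hex(8)}.{qname}"


def lookup_with_nonce(qname: str, nonce: str = "") -> dict:
    """Resolver side (assumed mitigation, not Google's code): send the nonce-
    prefixed query first; if the authority says NXDOMAIN, the name may simply
    have no children (e.g. a CNAME), so retry the plain name before trusting
    the negative answer."""
    prefixed = authoritative_answer(nonce_prefixed(qname, nonce))
    if prefixed["status"] != "NXDOMAIN":
        return dict(prefixed, fallback=False)
    return dict(authoritative_answer(qname), fallback=True)
```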