back to article Is the DNS' security protocol a waste of everyone's time and money?

Internet security experts are arguing over whether a key protocol for protecting the internet's naming systems should be killed off. DNSSEC was developed in 1994 but it wasn't taken seriously until 2008 when a bug in the domain name system's software made it possible for someone to imitate any server – from websites or email …

  1. Sanctimonious Prick
    Flame

    Corrections

    Yeah. Seriously. Please provide a link that automatically (fuck, how hard is that?) allows users to provide corrections for a particular article, without going through so much ****ing rigmarol(or however that is spelt?)! Grr!

    1. Anonymous Coward
      Anonymous Coward

      Re: Corrections

      You click on the "Tips and corrections" mailto link, type your text in the message body, and hit send. Is that so difficult?

      PS: browsers have spellcheck add-ons nowadays to help if you find words like "rigmarole" challenging.

      1. Sanctimonious Prick
        Mushroom

        Re: Corrections

        Oh, OK. It doesn't seem to work like that for me.

        Usually I have to create a new e-mail, with the subject Re: SUBJECT, then a link to the article, then a quote of the incorrect sentence, with a corrected quote.

        Anyway...

      2. Michael Wojcik Silver badge

        Re: Corrections

        You click on the "Tips and corrections" mailto link

        The mailto scheme. How quaint! Perhaps the Reg editors would be interested in these new-fangled HTML forms we've been hearing so much about.

        Though we shouldn't be too fast to give up email, since it offers twice the hassle and half the performance.

  2. Anonymous Coward
    Anonymous Coward

    there's already the nice DNScrypt service

    which helpfully end-to-end encrypts all your OpenDNS requests, from your home network directly to the NSA server where it runs. Its fine if you don't mind sharing a lot.

    Unfortunately I had to drop even OpenDNS when I started receiving malware based in real-time on the websites that I was contemporaneously browsing on my iPad, so its back to unencrypted 8.8.8.8 and let them select my data, should they still feel the need to do so, out of the mountain of other Google DNS users.

    1. Ole Juul

      Re: there's already the nice DNScrypt service

      I avoid Google DNS since they log all your requests. If it isn't one vulnerability it's another. (sigh)

    2. Michael Wojcik Silver badge

      Re: there's already the nice DNScrypt service

      Ah, OpenDNS. With their broken wildcard responses to requests they don't recognize. (Yeah, sure, they have a "user configuration" mechanism to disable that. Pity it doesn't work reliably.)

      I'm no longer interested in using any DNS server that does anything other than respond correctly to requests. To hell with blacklisting, typo autocorrection, automatic search pages (hey, maybe I'm using something other than an HTML-capable HTTP user agent), and the rest of that value-subtracted crap.

  3. Mayhem

    DNS Sec isn't the problem

    Legitimate tieups between ISPs, commercial suppliers and the DNS providers is.

    For example, Virgin Media now masquerades as all Google services via their caching network, and both GoogleDNS and OpenDNS will point you at the cache servers instead of the real overseas addresses.

    Which is fine, until Virgin cocks up their caching (again) and you can't watch a simple youtube video because it stutters constantly.

    After chatting with one of their engineers, I now use Level3 as DNS provider, because at least they seem to be neutral and resolves addresses to their public IPs..They are also slightly more trustworthy than most other public free DNS providers.

    1. Jamie Jones Silver badge

      Re: DNS Sec isn't the problem

      Why not cut out the middleman completely and use your own recursive resolver?

      1. Mayhem

        Re: DNS Sec isn't the problem

        I am not an expert in networking, however as I understand it, unless I set my recursive DNS server to generate my own cache of queries by using the primary authoritative sources for every request, then at some point I have to trust the information coming to me via intermediaries is legitimate.

        And if I have to do that, then why bother replicating someone else's work unless I have to?

        After all, the major peering networks need to have this information, and they have lots of people employed to ensure that it is correct. At the end of the day the situation always comes down to the cost/benefits of who should you trust.

        What I object to in my example above is the unadvertised corruption of the DNS information being passed on to me by sources that are marketed as "trustworthy". My ISP diverting traffic to its own services is one thing - that is expected, and I can bypass it by specifying an external DNS source. Google DNS or OpenDNS diverting my traffic back to my ISP instead of to the public internet or to their own services is quite another. Especially since OpenDNS markets itself as a trusted independent supplier of DNS information, yet has clearly entered into commercial agreements with ISPs to support their traffic management.

        1. A Ghost
          WTF?

          Re: DNS Sec isn't the problem

          Thanks for the info. You just can't trust anyone these days. What with Comodo hijacking people's browsing sessions to serve their own ads and let through any certificate willy nilly without verifying it (PrivDog). And that slimey Mehli was advising someone who asked to remove Ghostery because it was owned by 'a company'. He didn't say 'why' that was a bad thing. But he 'implied' it. He said that Ghostery just didn't work properly and that PrivDog did everything and more. And the bloke thanked him for it. This seems like an abuse of trust to me. I'm a massive Comodo fan, I run their CIS (firewall, HIPS - Defense+) but I turn their AV off and just keep it for the odd on demand. So that's one thing.

          I checked my dns in network options coz I've often played about with different providers. I also use Level 3 most of the time (I have 4.2.2.5 and 4.2.2.3 imprinted on my brain and use it for a quick ping when I get network problems). I also have used Norton DNS which a lot of people over at wilderssecurity use as well. But I found mine pointed at OpenDNS. I visited the site. Man they are just so god damn right on. WHY WE TAKE CENSORSHIP SERIOUSLY! O'RLLYY!

          It gave me a nice warm fuzzy feeling of trust. I actually spent about 10 minutes reading through pdfs and whatnot as to why OpenDNS was the right choice, the wise choice, the only choice really if you had any nouse. And now I find out that after all that, they are pointing me back to the very place I was trying to get away from. I feel like the Prisoner with a big white bouncing ball about to land on my head. MUST run BACK. No escape.

          I double checked my system to make sure there was no instance of PrivDog on there. Different issue I know, but a carbon copy prime example of people who are trusted implicitly and explicitly with your data and make a big show and dance about just how trustworthy they are, when all along they've been quietly shafting you and probably having a good laugh about it too along the way.

          I'm a big believer in observing people and just watching how they interact with others, and that Melih bloke that runs comodo has always struck me as a snake oil salesman with a messiah complex. But I've reserved judgement, until now. Shows my instincts were right all along. What else is being done behind my back? Is there a database of files that are scanned on my machine that is available to buy by developers who think their software might be being pirated? Because I have the odd crack here and there for research purposes. Stop laughing at the back! Yes, I do. I pay for all the software I use. I spend silly amounts of money on it. In fact, I just got a nice boxed Native Instruments Komplete land on my doorstep 20 minutes ago. Hundreds of gigs of software. Nearly 400 quids worth of software. Yesterday I had a boxed copy of Kore 2 arrive. Why would I use cracks? I can't even use what I own coz life is too short. So there. Yes, for research purposes, I do now and again load up a crack.

          So seeing as how all the Anti Virus vendors flag keygens and whatnot as malware when they blatantly aren't, it just makes me think they are being paid to do that. Scare mongering. When threats of server side polymorphic malware are totally undetectable, except possibly now and again by a good heuristics scanning engine. They are selling that warm fuzzy feeling of doing the right thing and you will be protected, when all the time they are selling you down the river.

          I've got a lot of time and effort invested in comodo, so I won't be uninstalling any time soon. But I won't be using their Dragon browser any more (I shall delete it), and I certainly as hell won't be using their DNS service which they try to get you to use when you install it. At least I know what google's game is. And like the Tyrell corp. they are too big to take on. But it's just this rank hypocrisy and selling of a dream whilst indulging in subterfuge, that gets me. Next thing will probably be finding out there is no father xmas. There certainly ain't no sanity clause!

          https://www.youtube.com/watch?v=KS2khYJZKwA

        2. Jamie Jones Silver badge
          Thumb Up

          Re: DNS Sec isn't the problem

          " I am not an expert in networking, however as I understand it, unless I set my recursive DNS server to generate my own cache of queries by using the primary authoritative sources for every request, then at some point I have to trust the information coming to me via intermediaries is legitimate."

          That's correct, and that's what I meant - priming your server from the root servers rather than forwarding to other recursive nameservers.

          You don't then have to care what state your ISPs servers are in.

          Also, caching works at all levels of the lookup, so it's not as if you're constantly traversing from root.

          (e.g. after the first lookup of blah.co.uk, your local server will remember where to go next time it wants to resolve a .co.uk address.)

          [ If you are really anal, you could slave/download the root zone locally anyway! ]

          Speedwise? If your ISPs nameserver doesn't already have a cached entry, it has to do the same thing your server would do directly.

          Even if it is cached, a few extra milliseconds *once* per site won't be noticeable, and even that assumes your ISPs server isn't slightly delayed by all the other people using it.

          "After all, the major peering networks need to have this information, and they have lots of people employed to ensure that it is correct. At the end of the day the situation always comes down to the cost/benefits of who should you trust."

          I doubt ANY peering uses DNS!

          But anyway, for a techie who knows what they are doing (I.e. I wouldn't expect this of grandma), doing this saves time, as you are reducing the number of points of failure, and ensuring your results haven't been altered (of course, this is assuming we are just talking about server operators altering results rather than hacking)

          "What I object to in my example above is the unadvertised corruption of the DNS information being passed on to me by sources that are marketed as "trustworthy". My ISP diverting traffic to its own services is one thing - that is expected, and I can bypass it by specifying an external DNS source. Google DNS or OpenDNS diverting my traffic back to my ISP instead of to the public internet or to their own services is quite another. Especially since OpenDNS markets

          itself as a trusted independent supplier of DNS information, yet has clearly entered into commercial agreements with ISPs to support their traffic management."

          I agree with you in principle, but I fear you may have things a bit confused:

          Firstly, 'ISP diverting to it's own service' .... NOOOO! Why would that be OK? Not unless ordered to by a court.

          Secondly, 'Google or OpenDNS diverting...' should also be a no-no, but..... :

          Basically the resolver shouldn't alter the result at all, but return the same you would get if resolving directly.

          However, are you sure this is happening? What you describe is how CDN systems work - if the site concerned has a caching proxy within your ISP, then it's DNS itself will return the address of your local ISPs server - this has nothing to do with third-party manipulation.

          (Apologies if I'm not too clear.... It's hard to concentrate as I've finally got fed up of my constantly noisy neighbour, and decided to drown out her shit with very loud bass-heavy happy hardcore.... Passive-agressive? moi?)

          1. A Ghost
            Thumb Up

            Re: DNS Sec isn't the problem

            Thanks for the explanation. I wondered after writing my post if I actually understood any of this at all except on the most basic of meta levels. And then maybe thought there were big holes or confusions in my understanding of things. Obviously there are, as I don't really have much of a clue what any of you are really talking about. Even having it explained just shows up bigger gaps in my comprehension of things.

            I guess that's why some people get paid to do this for a living!

            I understand in principle what this is all about, and I understand why I got into it in the first place (internet not working properly for certain sites a few years ago*), but that's as far as it goes. Still, it all goes in the knowledge bank, hopefully as building blocks to understand new concepts later.

            I seem to remember some bod/boffin using an old 486 as a firewall/dns resolver for his main super computer rig (just a few years ago). I have a little more understanding of what he might have been doing there now. Seems like a fun thing to do. And not just idle tinkering (though nothing wrong with that too).

            *Distrowatch would not load with my default isp dns for some reason. Stick in 4.2.2.2. et voila!

          2. Mayhem

            Re: DNS Sec isn't the problem

            @Jamie

            That makes more sense. I didn't realise it was that easy to replicate the ISP service - most DNS server howtos only relates to lookups on internal servers, not internet ones. I might look into spinning up a DNS server over the weekend then - up until the last round of poor performance I hadn't really thought about it - DNS is one of those fundamental things you only consider when it breaks.

            As a better writeup on the situation than I can do from work, which put me on the path of figuring out why my youtube performance had gone down the toilet (again), have a read of

            https://jackpearce.com/virgin-media-why-are-you-manipulating-my-traffic/

            As best as can be determined, Virgin (and several other ISPs) are effectively proxying all Google services in the UK - most likely to reduce bandwidth costs for all parties concerned. Which is what I meant by ISPs diverting my traffic, and that I can understand - I'm technical enough to work around it, but the masses won't be. The problem is the CDNs are heavily congested, so the cure is worse than the disease for users.

            The big issue I have is that there appears to be some form of agreement between GoogleDNS, OpenDNS and the ISPs to subvert what is marketed as open and reliable information into the same CDN networks that I'm using them to avoid.

  4. Jamie Jones Silver badge

    www != internet

    " There are better DNS security proposals circulating already," he argued. "They tend to start at the browser and work their way back to the roots. Support those proposals, and keep DNSSEC code off your servers.""

    DNS is used for more than web sites.

    Also, whilst he makes some valid points (root chain-of-trust and out-of-date crypto), DNSSEC is not fundamentally broken.

    The legitimate people who have problems with it are generally trying to do something 'sneaky' that DNSSEC is designed to stop (as it's similar to what the bad player do.) However, people like Google have proved these problems can be resolved.

    I don't know.... Calls to 'abandon DNSSEC' remind me of the calls by those that don't understand IPv6 to abandon that too.

    And in an age where technological implementations are dictated by bean-counters, and not the techies, speed/success of deployment means bugger-all.... How many times have long resolved security issues raised their ugly head just because 'management' wouldn't budget the fixes?

    1. Michael Wojcik Silver badge

      Re: www != internet

      DNS is used for more than web sites.

      Yes, and Thomas Ptacek is perfectly aware of this. The gloss from DNS in the large to "browsers" is largely the fault of McCarthy's article. The quote in question comes from the end of Ptacek's post, after he'd gone from talking about DNSSEC in general to considerations for non-technical browser users and HTTP as a specific application.

      Calls to 'abandon DNSSEC' remind me of the calls by those that don't understand IPv6 to abandon that too.

      Whatever they remind you of, evaluating them on that basis is a fallacy. Perhaps you should address the arguments Ptacek actually makes in the blog post?

      And in an age where technological implementations are dictated by bean-counters, and not the techies

      When was it otherwise?

    2. Destroy All Monsters Silver badge

      Re: www != internet

      those that don't understand IPv6 to abandon that too

      It's not hard to understand and it's shita complexity bridge too far.

      Any further questions?

  5. Anonymous Coward
    Anonymous Coward

    Solution looking for a problem

    DNSSEC doesn't solve anything that adding a 128-bit random cookie to the DNS request and response wouldn't have solved. At best, DNSSEC just makes your Internet less reliable (by refusing to return names which haven't been signed properly)

    However, DNSSEC has been going forward because of this "vision" that it will become the universal PKI which will replace certificates and CAs. Essentially it changes from having lots of CAs that you can choose whether to trust or not, to a single CA run by ICANN that you have no choice over.

    1. Charles 9 Silver badge

      Re: Solution looking for a problem

      "DNSSEC doesn't solve anything that adding a 128-bit random cookie to the DNS request and response wouldn't have solved."

      Solve the problem of a rogue or hijacked server being able to see and appropriately respond to the cookie?

      Frankly, the whole problem boils down to a matter of trust, which is a HARD problem in computer security. Because, let's face it, given sufficient resources, Mallory can subvert ANY trust system. Yes, even the Web of Trust, by inserting shills.

  6. Daggerchild Silver badge

    cr.yp.to

    A good resource in this discussion is Dan Bernstein, of qmail/djbdns fame etc.

    Love him or hate him, he's very *very* good at deconstructing something notionally complex and clearly exposing its flaws, and it looks like he absolutely *reamed* DNSSEC to the point of boredom.

    http://cr.yp.to/djbdns/forgery.html

    http://cr.yp.to/talks/2009.08.10/slides.pdf

    1. Anonymous Coward
      Anonymous Coward

      Re: cr.yp.to

      Dan is exceptionally good at solving technical problems that he sees. In my experience, he's not so good at dealing with use cases that don't matter to him. Seems like he has a lot of traits from one particular end of "the spectrum" that we techie types either possess, or see in our workplace every day.

  7. cbuijs

    100% deployment of DNSSEC needed

    Problem with all of this is that it relies on a 100% deployment of DNSSEC before it makes all sense, which we are trying to get done for many years now and adoption rates are still low compared.

  8. JasperWallace
    Black Helicopters

    Read this to understand why we need dnssec today: http://www.sigcomm.org/sites/default/files/ccr/papers/2012/July/2317307-2317311.pdf

  9. Destroy All Monsters Silver badge
    Facepalm

    So in which direction will the internet community go? Toward DNSSEC or away from it? It's too early to tell

    After a decade?

    In other New-York Times / Washington-Post "news", will the US manage to make the Middle East safe for democracy? It is too early to tell.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021