Signing DNS Queries

From: David White 
Many of you guys know that DNS is something I'm interested in and continue
to do a lot of research and work in. I'm nowhere near an expert, but find
this aspect of the interwebs fascinating, and have done what I can to
understand it better and advocate for best DNS practices.

I'm doing some brainstorming right now, and think I've come up with a
theory that could possibly work in practice, but is probably a dumb idea.
What do y'all think? Is this a stupid idea? (In theory, I think it's good,
but in practice, I do think it's dumb.)

Here's a recent article on DNS Amplification attacks and how millions of
home routers around the world are being used for the attacks:

===============================================================
From: David White
------------------------------------------------------
.... or, is what I just described exactly what DNSSEC is? (For you DNSSEC geeks out there, this is still 1 aspect of DNS I don't fully understand.)

===============================================================
From: Dave Brockman
------------------------------------------------------
No, it does nothing of the sort. The solution to the DNS amplification issue is the same thing as what we did when people started abusing SMTP: we shut off open relays. Shutting down open resolvers is the logical outcome. And if you think DNS amplification factors are huge, check out SNMP amplification factors....

Regards,
dtb

===============================================================
From: David White
------------------------------------------------------
Oh, I agree completely - open resolvers are a bad idea to begin with. But so many of them are out there (misconfigured), and major ISPs have them for their customers, that they aren't going away.

On Sep 4, 2013 11:19 AM, "Dave Brockman" wrote:

===============================================================
From: John Aldrich
------------------------------------------------------
Quoting David White:

I like the idea of a DNS resolver that is separate from my ISP. They like to use DNS to insert other people's ads in web pages I browse. Or so I'm told. I generally don't see ads, because I use an ad-blocker, but I still prefer to use Google Public DNS.

===============================================================
From: Lynn Dixon
------------------------------------------------------
I like the idea of a Distributed DNS better than a monolithic DNS. It's way too easy for DHS to seize domains since ICANN and others have no spine. DNS is no different; those who control the root name servers are a single point of failure in my book. If we used Distributed DNS, governments would need to control 51% of the network, which would be damn near impossible.

===============================================================
From: Dave Brockman
------------------------------------------------------
The root servers are not controlled by any one entity.... I believe you are confusing TLD domains and servers and The Root DNS Servers (tm).

Regards,
dtb

===============================================================
From: Dave Brockman
------------------------------------------------------
Open resolvers were not a bad idea to begin with. They were essential to the functioning of the Internet once it outgrew the InterNIC "hosts" file. Open SMTP relay also played a crucial part in growing the Internet. We geeks are effing awesome at developing technical solutions to overcome technical problems. We are not very good at anticipating just how *evil* people are.

A very large percentage of what you are referencing is uber-cheap CPE router/modem that enables a DNS resolver on the WAN interface! ISPs should *ONLY* allow their network(s) to recursively query their name servers. That is not the definition of an open resolver. There is already movement[1] to identify and close open resolvers. Quite a bit of traction has already been made, but we have a long, long way to go.

Regards,
dtb

1.

===============================================================
From: David White
------------------------------------------------------
True, most, if not all, reputable ISPs are already configured to deny DNS requests from IP addresses that are outside their network. The problem is that many times, DNS amplification attacks are using spoofed IP addresses. So the attacker spoofs an IP address, the request hits the resolver, the resolver responds back to the *real* IP address (home router), and that home router then sends another response out.

So my idea is, essentially, to add another layer to the "restrict resolvers to their network only" requirement and add a 2nd degree of verification - i.e. ensuring that the client making the request to the resolver is who he says he is.

===============================================================
From: Dave Brockman
------------------------------------------------------
Then those ISPs should properly ACL their border routers and BGP peers... Only a handful of transport network providers truly need "permit ip any any" at their borders, and being transport ISPs, they aren't normally supplying user type services such as DNS, SMTP, etc. I agree with you there are problems, but the DNS amplification attacks you are discussing are symptoms of a much larger issue.

Where is the home router going to send the response in the above scenario? I don't think you understand how this amplification attack actually works.... If the "restrict resolvers to their network only" part was done correctly *at the network layer* (Border Router), the other layer is not necessary. And you are suggesting an identifier beyond an IP address tied to a DNS request. Just think of the "probable cause" that would supply to the wrong hands.

Regards,
dtb
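The rule Dave keeps coming back to, recursion only for the ISP's own prefixes, together with a first triage of resolver query logs for the open-resolver symptom he and David describe, as an added example that is not from any post in this thread. The prefixes, the BIND-style log format and the log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed prefixes standing in for an ISP's own customer address space.
ISP_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:1::/48")]

# Constructed query-log lines in a BIND-like format; the trailing "+" / "-"
# marks whether the client asked for recursion. Not real traffic.
SAMPLE_LOG = """\
client 198.51.100.23#53211: query: www.example.com IN A +
client 203.0.113.9#4242: query: isc.org IN ANY +
client 203.0.113.9#4242: query: isc.org IN ANY +
client 198.51.100.77#61001: query: mail.example.net IN MX +
client 203.0.113.9#4242: query: ripe.net IN ANY +
client 192.0.2.200#3000: query: example.org IN TXT +
client 192.0.2.200#3000: query: example.org IN A -
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Query types whose answers are typically much larger than the question,
# so they are the ones worth watching first when an outside source shows up.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY"}


def allow_recursion(src_ip, prefixes=ISP_PREFIXES):
    """The 'restrict resolvers to their network only' rule as a predicate."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)


def triage(log_text, prefixes=ISP_PREFIXES):
    """Count recursive queries from outside the ISP's prefixes (the open-resolver
    symptom) and, among those, the ones using amplification-prone query types."""
    outside, amplifying = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "+" not in m["flags"]:
            continue  # unparsable, or recursion not requested: not the symptom
        if allow_recursion(m["ip"], prefixes):
            continue  # own customer; permitted by the rule
        outside[m["ip"]] += 1
        if m["qtype"] in AMPLIFYING_QTYPES:
            amplifying[m["ip"]] += 1
    return outside, amplifying
```

If `triage` ever reports a non-empty `outside` on a production resolver, the fix is the one the thread names: an ACL on recursion (or at the border), not a second identifier on the client.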