“DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA”
draft-ietf-dns-recursive-discovery
Ray Bellis
IETF76 DNSOP WG, Hiroshima, 11th November 2009
The Fundamental Problem…
Please try again – the DNS proxy on 192.168.1.1 doesn’t work properly (see RFC5625).
[Diagram: DHCP DISCOVER / DHCP OFFER carrying DNS Servers (6) = 192.168.1.1; DNS settings learnt via DHCP or PPP/IPCP; ISP DNS; FAIL]
The Chicken and Egg Problem…
Still not right – you don’t know the real DNS servers because the LAN came up before the WAN. Didn’t you fix that proxy yet?
[Diagram: DHCP DISCOVER / DHCP OFFER carrying DNS Servers (6) = 192.168.1.1; DNS settings learnt via DHCP or PPP/IPCP; ISP DNS; FAIL]
The Configuration Problem…
Uh-oh – someone forgot to implement TR124 requirement LAN.DNS.2: end-user supplied DNS settings SHOULD be in the DHCP OFFER. BTW – your proxy still doesn’t work properly!
[Diagram: DHCP DISCOVER / DHCP OFFER carrying DNS Servers (6) = 192.168.1.1; end-user configures DNS settings; ISP DNS; FAIL]
The Proposed Solution…
• Let the DHCP stuff happen
• Use the DNS proxy initially …
  • to ask the recursive DNS server for a list of real DNS servers
• Then use those instead!
[Diagram: host sends “IN A? domain.local.arpa.” via the proxy to the ISP DNS; ISP answers “IN A 192.0.2.1”]
A little more detail
• Why we’re proposing this:
  • Because DNS proxies don’t work!
  • to get DNSSEC through
  • to get TCP queries through
• The draft reserves local.arpa.
  • for use “within a network’s administrative boundaries”
  • and domain.local.arpa for this application
• Version -02 will have NXDOMAIN redirect detection
  • probably via nxdomain.local.arpa.
  • if nxdomain.local.arpa == domain.local.arpa then ignore the results, your ISP is trapping NXDOMAIN
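The bootstrap query and the -02 NXDOMAIN-redirect check, written out as an added example (not code from the draft or the slides). It assumes a `lookup` callable that returns the A RRset for a name or `None` on NXDOMAIN; the two stub resolvers are constructed stand-ins for the DHCP-supplied proxy.

```python
from ipaddress import ip_address
from typing import Callable, List, Optional

# Names defined by the slides / draft
BOOTSTRAP_NAME = "domain.local.arpa."
NXDOMAIN_PROBE = "nxdomain.local.arpa."   # must not exist; used to detect NXDOMAIN rewriting

# Assumed interface: a lookup returns the A RRset as strings, or None for NXDOMAIN.
Lookup = Callable[[str], Optional[List[str]]]


def discover_recursive_servers(lookup: Lookup) -> List[str]:
    """Run the bootstrap query through the proxy and return the real recursive
    servers, or [] when no trustworthy answer was obtained (the host then
    simply keeps using the proxy)."""
    answer = lookup(BOOTSTRAP_NAME)
    if not answer:
        return []                       # ISP publishes nothing: no bypass possible
    # -02 detection: a name that cannot exist still "resolving", and to the same
    # addresses as the bootstrap name, means the ISP rewrites NXDOMAIN and the
    # bootstrap answer is really its trap page. Ignore it.
    probe = lookup(NXDOMAIN_PROBE)
    if probe is not None and set(probe) == set(answer):
        return []
    servers: List[str] = []
    for rdata in answer:
        try:
            ip = ip_address(rdata)
        except ValueError:
            continue                    # not an address at all: skip this RR
        if ip.version == 4 and rdata not in servers:   # IN A query -> IPv4 only
            servers.append(rdata)
    return servers


# Constructed stub resolvers standing in for the proxy at 192.168.1.1
def honest_isp(name: str) -> Optional[List[str]]:
    """ISP publishes the discovery record and answers NXDOMAIN honestly."""
    return {BOOTSTRAP_NAME: ["192.0.2.1", "192.0.2.2"]}.get(name)


def nxdomain_trapping_isp(name: str) -> Optional[List[str]]:
    """ISP publishes nothing but redirects every non-existent name to a search page."""
    return ["198.51.100.99"]


if __name__ == "__main__":
    print("honest ISP   ->", discover_recursive_servers(honest_isp))            # ['192.0.2.1', '192.0.2.2']
    print("trapping ISP ->", discover_recursive_servers(nxdomain_trapping_isp))  # []
```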
Things we’ve thrown out already
• Anycast
  • If you’re going to use an Anycast address to discover DNS, you might as well use that address for all DNS!
• “.local”
  • Too much baggage
Things we’re still figuring out!
• Does the bootstrap query need additional protection, and if so, how?
  • DNSSEC no good, proxies break it!
  • A random nonce prefix?
  • Something else?
• Interaction with DNSSEC-signed .arpa
  • If IANA has an NSEC[3] record that says local.arpa doesn’t exist, then the locally-supplied copy is bogus