Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <87zhb4px73.fsf@mid.deneb.enyo.de>
Date: Tue, 21 Apr 2020 19:26:08 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: Rich Felker <dalias@...c.org>
Cc: musl@...ts.openwall.com
Subject: Re: TCP support in the stub resolver

* Rich Felker:

>> I'm excited that Fedora plans to add a local caching resolver by
>> default.  It will help with a lot of these issues.
>
> That's great news! Will it be DNSSEC-enforcing by default?

No.  It is currently not even DNSSEC-aware, in the sense that you
can't get any DNSSEC data from it.  That's the sad part.

>> > BTW, am I mistaken or can TCP fastopen make it so you can get a DNS
>> > reply with no additional round-trips? (query in the payload with
>> > fastopen, response sent immediately after SYN-ACK before receiving ACK
>> > from client, and nobody has to wait for connection to be closed) Of
>> > course there are problems with fastopen that lead to it often being
>> > disabled so it's not a full substitute for UDP.
>> 
>> There's no handshake to enable it, so it would have to be an
>> /etc/resolv.conf setting.  It's also not clear how you would perform
>> auto-detection that works across arbitrary middleboxen.  I don't think
>> it's useful for an in-process stub resolver.
>
> The kernel automatically does it,

Surely not, it causes too many interoperability issues for that.  It's
also difficult to fit it into the BSD sockets API.  As far as I can
see, you have to use sendmsg or sendto with MSG_FASTOPEN instead of a
connect call to establish the connection.

(When the kernel says that it's enabled by default, it means that you
can use MSG_FASTOPEN with sysctl tweaks.)

>> The other problem with EDNS is that for sizes on the large end
>> (certainly above the MTU), it depends on fragmentation.  Fragmentation
>> is completely insecure because in DNS packets, all the randomness is
>> in one fragment, so packet spoofing only needs to guess the fragment
>> ID (and the recipient IP stack will provide the UDP port for free).
>> Some of us have been working on eliminating fragmented DNS responses
>> for that reason, which unfortunately reduces the reach of EDNS
>> somewhat.
>
> Well DNS is completely insecure anyway unless you're validating DNSSEC
> locally.

It's not, it works quite well actually in the absence of on-path
attackers.

Even DNSSEC still needs that level of security because a resolver
often has to use unsigned data to figure out where to send the next
query.  If DNS were completely insecure, DNSSEC would still break
because it's prone to denial-of-service attacks on the unsigned
routing data.

> Yes the fragmentation issue makes it a lot easier to blindly
> spoof (as opposed to needing ability to intercept/MITM).

And that difference does matter.

>> Above 4096 bytes, pretty much all recursive resolvers will send TC
>> responses even if the client offers a larger buffer size.  This means
>> for correctness, you cannot do away with TCP support.
>
> In that case doing EDNS at all seems a lot less useful. Fragmentation
> is always a possibility above min MTU (essentially same limit as
> original UDP DNS) and the large responses are almost surely things you
> do want to avoid forgery on, which leads me back around to thinking
> that if you want them you really really need to be running a local
> DNSSEC validating nameserver and then can just use-vc...

Why use use-vc at all?  Some software *will* break because it assumes
that certain libc calls do not keep open some random file descriptor.

>> Some implementations have used a longer sequence of transports: DNS
>> over UDP, EDNS over UDP, and finally TCP.  That avoids EDNS
>> pseudo-negotiation until it is actually needed.  I'm not aware of any
>> stub resolvers doing that, though.
>
> Yeah, each fallback is just going to increase total latency though,
> very badly if they're all remote.
>
> Actually, the current musl approach adapted to this would be to just
> do them all concurrently: DNS/UDP, EDNS/UDP, and DNS/TCP, and accept
> the first answer that's not truncated or broken server
> (servfail/formerr/notimp), basically same as we do now but with more
> choices. But that's getting heavier on unwanted network traffic...

Aggressive parallel queries tend to break middleboxes.  Even A/AAAA is
problematic.  Good interoperability and good performance are difficult
to obtain, particularly from short-lived processes.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.