There is nothing that stops someone from writing malware that uses a custom-built JavaScript DNS server (or takes advantage of DNS capabilities built into node.js) today. The difference is that even a custom-built DNS server still relies on port 53 for DNS queries, which means that existing DNS security safeguards (if they exist in a network) are still able to detect it. A piece of malware that uses DNS over TLS is going to operate outside of those existing bounds and be more difficult to detect, and is not something that exists today (yes, a malware developer could tunnel DNS traffic over a JavaScript TLS connection, but that would be cumbersome and unreliable). I am not disagreeing with you; my point is that I can see a lot of bad things that can be done with this capability and I don't really see a lot of benefit.

allan
On 7/12/2016 at 6:48 PM, "Ted Lemon" wrote:

What's to stop someone from writing that malware today? Keeping the net safe by reducing the expressiveness of what is carried over HTTP is already a lost cause, and would have been a slender reed to rely on for security in any case.

On Tue, Jul 12, 2016 at 4:33 PM, Allan Liska wrote:

On 7/12/2016 at 4:10 PM, "Shane Kerr" wrote:

John,

At 2016-07-11 23:50:05 -0000 "John Levine" wrote:
> I'd also want to change some of the motivation text. To me, by far
> the most likely scenario here is javascript applications that want to
> do DNS queries, e.g. for SRV, but can't because javascript doesn't let
> you do that. Now the server that provided the javascript blob can
> also be the DNS proxy. The javascript can't query random other DNS
> proxies due to cross-site scripting rules.

As I think that I mentioned before, the current draft of DNS-over-HTTP is poorly suited for JavaScript. Building and parsing DNS binary messages in JavaScript seems like a really hard way to get at the few tidbits of information that you actually want.

OTOH, I am (obviously) not a web developer, so perhaps I overestimate the difficulty in working with the DNS binary format. Maybe it's a relatively compact set of JavaScript functions that can be used? Maybe I just found a project for the IETF Hackathon? Hm... :)

My first thought (and maybe this says more about me than the project) is that this seems like the perfect way to make a fully self-contained piece of malware. Ransom32 already proved that you can create ransomware developed entirely in JavaScript; imagine if you combined a JavaScript DNS library with a JavaScript TLS library (https://github.com/digitalbazaar/forge): you could create a piece of malware that is significantly harder to detect because all of the network indicators would be encrypted or not in places that security tools normally look.

Now, it would also be somewhat easy to detect because there are very few legitimate reasons for someone to be emailing you a 25+ Meg .js file. I am not saying something shouldn't be done simply because bad guys might abuse it; otherwise we should have gotten rid of email a long time ago. What I am asking is: are there more legitimate uses for DNS over JavaScript than there are illegitimate? I don't know the answer, but I don't know if the "cool" factor outweighs the potential security risk.

allan

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
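Shane asks above whether DNS wire-format handling in JavaScript is "a relatively compact set of functions". As an added illustration that is not from the thread or from any project it mentions, here is a Node.js query builder and response parser (RFC 1035, including name compression) run against a constructed SRV reply; it assumes only the Node.js Buffer API.

```javascript
// Added example (not from the thread): compact Node.js functions for RFC 1035
// wire-format DNS, the kind of thing Shane wonders about above.
function encodeName(name) {
  const out = [];
  for (const l of name.replace(/\.$/, '').split('.')) out.push(l.length, ...Buffer.from(l, 'ascii'));
  return Buffer.from([...out, 0]);                  // root label terminates the name
}
function u16(...vals) { const b = Buffer.alloc(2 * vals.length); vals.forEach((v, i) => b.writeUInt16BE(v, 2 * i)); return b; }
// Query with RD set and one question; qtype 33 is SRV.
function buildQuery(id, name, qtype) {
  return Buffer.concat([u16(id, 0x0100, 1, 0, 0, 0), encodeName(name), u16(qtype, 1)]);
}
// Reads a possibly compressed name (RFC 1035 s4.1.4); returns [name, offsetAfterName].
function readName(buf, off) {
  const labels = []; let next = -1, hops = 0;
  for (let len = buf[off]; ; len = buf[off]) {
    if ((len & 0xc0) === 0xc0) {                    // compression pointer
      if (++hops > 16) throw new Error('compression loop');
      if (next < 0) next = off + 2;                 // resume after the first pointer
      off = ((len & 0x3f) << 8) | buf[off + 1];
    } else if (len === 0) { off += 1; break; }
    else { labels.push(buf.toString('ascii', off + 1, off + 1 + len)); off += 1 + len; }
  }
  return [labels.join('.'), next < 0 ? off : next];
}
// Parses the header, skips questions, decodes SRV answers (other types keep raw rdata).
function parseResponse(buf) {
  const id = buf.readUInt16BE(0), rcode = buf.readUInt16BE(2) & 0xf, answers = [];
  let off = 12;
  for (let i = 0; i < buf.readUInt16BE(4); i++) off = readName(buf, off)[1] + 4;
  for (let i = 0; i < buf.readUInt16BE(6); i++) {
    const [name, o] = readName(buf, off);
    const type = buf.readUInt16BE(o), ttl = buf.readUInt32BE(o + 4), rdlen = buf.readUInt16BE(o + 8), rd = o + 10;
    const rr = { name, type, ttl };
    if (type === 33) Object.assign(rr, { priority: buf.readUInt16BE(rd), weight: buf.readUInt16BE(rd + 2),
      port: buf.readUInt16BE(rd + 4), target: readName(buf, rd + 6)[0] });
    else rr.rdata = buf.subarray(rd, rd + rdlen);
    off = rd + rdlen; answers.push(rr);
  }
  return { id, rcode, answers };
}
// Constructed sample reply: the query echoed with QR/RA set and ANCOUNT=1, plus one SRV
// answer whose owner name is a compression pointer (0xc00c) back to the question name.
function sampleResponse() {
  const q = buildQuery(0x1234, '_sip._tcp.example.com', 33);
  q.writeUInt16BE(0x8180, 2); q.writeUInt16BE(1, 6);
  const target = encodeName('sip.example.com'), ttl = Buffer.alloc(4); ttl.writeUInt32BE(300, 0);
  return Buffer.concat([q, u16(0xc00c, 33, 1), ttl, u16(6 + target.length, 10, 5, 5060), target]);
}
```

The same builder output, sent over UDP port 53 or wrapped in an HTTP or TLS transport, is what Allan's point about port-53 safeguards turns on: the bytes are identical, only the transport changes what existing DNS monitoring sees.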