Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Simon Munton
If a poisoning attack does not require access to a resolver, surely the same attack will not require access to the end host? Comes down to the age old argument of one big machine (easier to secure but provides a bigger target) to billions of little machines (almost impossible to be all secure

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Tony Finch
Joe Greco wrote: > > Assuming that the CPE is a NAT (effectively firewalling clients from > poisoning attacks) and/or that the individual clients have well- > designed, impervious resolvers is likely to be a fail. I was under the impression that a common failure of NATs is that they sometimes def

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Simon Munton
Yes - very common - certainly on older equipment. On 23/10/14 10:23, Tony Finch wrote: defeat source port randomization ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jo
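The NAT failure Tony Finch and Simon Munton refer to above is a CPE that rewrites a resolver's randomized source ports into a sequential or fixed range, leaving only the 16-bit transaction ID to protect against off-path poisoning. The following is an added example, not code from the thread: an offline check over a captured sample of outgoing source ports, in the spirit of the DNS-OARC port test. The port samples and the GOOD/FAIR/POOR thresholds are this example's own constructions and assumptions.

```python
"""Offline check of whether a resolver's outgoing source ports look
randomized.  Added example; the port samples below are constructed and the
classification thresholds are assumptions, not a published standard."""
import math
from collections import Counter


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution, in bits."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def looks_sequential(ports, max_step=8):
    """True when every consecutive pair of ports differs by a small step:
    the signature of a NAT that allocates source ports from a counter."""
    steps = [abs(b - a) for a, b in zip(ports, ports[1:])]
    return bool(steps) and max(steps) <= max_step


def assess_port_randomization(ports):
    """Classify a sample of source ports as 'GOOD', 'FAIR' or 'POOR'.
    POOR: fixed port or counter-driven allocation (no randomization left).
    GOOD: no repeats and a spread over a large part of the port range.
    FAIR: everything in between (e.g. random within a narrow pool)."""
    if len(ports) < 2:
        raise ValueError("need at least two samples")
    if len(set(ports)) == 1 or looks_sequential(ports):
        return "POOR"
    spread = max(ports) - min(ports)
    all_distinct = port_entropy_bits(ports) >= math.log2(len(ports)) - 0.5
    if spread > 20000 and all_distinct:
        return "GOOD"
    return "FAIR"


def spoof_search_space(ports):
    """Approximate number of (txid, port) pairs an off-path attacker must
    cover, assuming 16-bit transaction IDs.  Randomized ports multiply the
    work by the usable port range; a fixed or counter-driven port does not."""
    verdict = assess_port_randomization(ports)
    port_guesses = 1 if verdict == "POOR" else max(ports) - min(ports) + 1
    return 65536 * port_guesses


# Constructed samples: what a packet capture of a resolver's upstream
# queries might show, as seen from outside the NAT.
RANDOM_PORTS = [51873, 7021, 33490, 61008, 14212, 45877, 28109, 59344]
NAT_COUNTER_PORTS = [1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032]
FIXED_PORT = [53] * 8
NARROW_POOL = [40000, 40017, 40003, 40050, 40021, 40040, 40009, 40033]

if __name__ == "__main__":
    for label, sample in [("random", RANDOM_PORTS),
                          ("nat counter", NAT_COUNTER_PORTS),
                          ("fixed", FIXED_PORT),
                          ("narrow pool", NARROW_POOL)]:
        print(f"{label:12s} {assess_port_randomization(sample):5s} "
              f"search space ~{spoof_search_space(sample):,}")
```

To use this against a real resolver, capture the UDP source ports of its outbound port-53 queries from the WAN side of the CPE (the inside view can look fine while the NAT rewrites everything) and feed them in as the list.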

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Paul Wouters
On Wed, 22 Oct 2014, Mark Allman wrote: That is not what we are proposing. We are not suggesting resolvers be *moved*, but rather *removed*. That is, clients simply do name lookup on their own. "simply" on their own moves the entire query load of all endpoints (billions) onto the authoritati

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Jelte Jansen
On 10/23/2014 03:07 AM, Mark Allman wrote: > > On the other hand, an endpoint can look up a name without listening for > any request from the network. We suggest this be an entirely local > operation. Think of it like this: just because I want to load the > cnn.com web page I don't have to run h

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Roland Dobbins
On Oct 23, 2014, at 8:12 PM, Paul Wouters wrote: Have you talked to operators world wide on what the query load on their caching resolvers is? It seems to me that if the goal is to flatten & decentralize name resolution & other directory services, then the only way to accomplish it is to go who

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Paul Hoffman
Speaking as someone who supports all end systems to be their own validating recursive resolver. On Oct 23, 2014, at 6:10 AM, Paul Wouters wrote: > "simply" on their own moves the entire query load of all endpoints > (billions) onto the authoritative nameservers only. Do you really > propose a b

Re: [dns-operations] dns-operations Digest, Vol 105, Issue 26

2014-10-23 Thread Bob Harold
> > > Date: Wed, 22 Oct 2014 15:38:14 -0400 > From: Andrew Sullivan > To: dns-operati...@dns-oarc.net > Subject: Re: [dns-operations] resolvers considered harmful > Message-ID: <20141022193814.gi37...@mx1.yitter.info> > Content-Type: text/plain; charset=us-ascii > > On Wed, Oct 22, 2014 at 11:19:4

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Joe Greco
> Let me try to take care of both of these related points together: > > Joe Greco : > > Then we merely move on to the issue of cache poisoning individual > > clients. > > > > Assuming that the CPE is a NAT (effectively firewalling clients from > > poisoning attacks) and/or that the individual cli

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Mark Allman
> "simply" on their own moves the entire query load of all endpoints > (billions) onto the authoritative nameservers only. Do you really > propose a billion clients should perform lookups against my 3 poor > nameservers for nohats.ca.? Well - All billions of clients are not interested in

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Matthew Pounsett
On Oct 22, 2014, at 23:03 , Mark Allman wrote: > > > The paper quantifies this cost for .com. We find that something like 1% > of the records change each week. So, while increasing the TTL from the > current two days to one week certainly sacrifices some possible > flexibility, in practical

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Andrew Sullivan
On Thu, Oct 23, 2014 at 11:43:31AM -0400, Matthew Pounsett wrote: > It’s externalizing costs, not a trade-off. Yeah, this was really the point I was trying to make. For the overall _system_ it is a trade off. For any given actor, however, it is a shift of costs. Also, as I already noted, mo

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Paul Wouters
On Thu, 23 Oct 2014, Mark Allman wrote: - I don't know what your load is, but do you have any idea how much your load will increase if shared resolvers did not shield you from some of it? We quantify this a little in our paper (for .com). We should use numbers to talk about these thi

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Matthew Pounsett
On Oct 23, 2014, at 11:59 , Andrew Sullivan wrote: > Also, as I already noted, modelling this in a delegation-centric zone > uses the wrong model. Moreover, the data sets are from a notably tiny > shared-iterative-resolver community. It seems to me that > understanding the endpoint:iterative r

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Stephane Bortzmeyer
On Wed, Oct 22, 2014 at 12:47:39PM -0400, Mark Allman wrote a message of 64 lines which said: > Short paper / crazy idea for your amusement ... The biggest problem I have with this paper is of terminology. I thought at the beginning that the idea was to get rid of resolvers, then it appeared

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Stephane Bortzmeyer
On Wed, Oct 22, 2014 at 11:03:11PM -0400, Mark Allman wrote a message of 110 lines which said: > The paper quantifies this cost for .com. We find that something > like 1% of the records change each week. So, while increasing the > TTL from the current two days to one week certainly sacrifice

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Phillip Hallam-Baker
On Thu, Oct 23, 2014 at 10:25 AM, Paul Hoffman wrote: > Speaking as someone who supports all end systems to be their own > validating recursive resolver. > I used to think that, but writing a paper for the middlebox workshop has forced me to radically change my thinking. I have just converted it

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread David Conrad
Hi, On Oct 23, 2014, at 6:29 AM, Jelte Jansen wrote: > I don't think there's an essential difference between a resolver at the > edge and a shared resolver in any other way than the 'shared' part. Yep, although that obviously has impact implications (fewer potential victims of a successful atta

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Rick Jones
I am not certain that the data would be any easier to pry from the fingers of their owners than from shared resolver operators, but couldn't one arrive at a guess for an upper bound on the number of name resolutions performed by clients by looking at the number of http "hits" and email messages

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Matthew Pounsett
On Oct 23, 2014, at 12:28 , Stephane Bortzmeyer wrote: > On Wed, Oct 22, 2014 at 12:47:39PM -0400, > Mark Allman wrote > a message of 64 lines which said: > >> Short paper / crazy idea for your amusement ... > > The biggest problem I have with this paper is of terminology. I > thought at the

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Andrew Sullivan
On Thu, Oct 23, 2014 at 09:49:53AM -0700, Rick Jones wrote: > clients by looking at the number of http "hits" and email messages sent? Certainly, you do get some picture from the number of resources pulled via http. My knowledge about some of that for certain kinds of properties is part of the re

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Andrew Sullivan
On Thu, Oct 23, 2014 at 07:25:46AM -0700, Paul Hoffman wrote: > Speaking as someone who supports all end systems to be their own validating > recursive resolver. "Validating" I get. Why recursive? -- Andrew Sullivan a...@anvilwalrusden.com ___ dns-o

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Paul Vixie
i encourage anyone who thinks full resolvers can run inside end hosts which currently run stub resolvers, to try it. BIND9 runs fine on windows and macos laptops. so, without even touching the real growth area of the edge (which is mobile devices like smart phones), you can get a sense of how rare

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread David Conrad
Hi, On Oct 23, 2014, at 10:36 AM, Paul Vixie wrote: > until you have done this and have results to report, you'd be wise not > to make any claims about this possibility. I've done so, on and off over the years (including mirroring the root zone), and found that it mostly just works. In the past,

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Paul Hoffman
On Oct 23, 2014, at 10:29 AM, Andrew Sullivan wrote: > > On Thu, Oct 23, 2014 at 07:25:46AM -0700, Paul Hoffman wrote: >> Speaking as someone who supports all end systems to be their own validating >> recursive resolver. > > "Validating" I get. Why recursive? That's a fair question. I'm much

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Phillip Hallam-Baker
On Thu, Oct 23, 2014 at 2:00 PM, Paul Hoffman wrote: > On Oct 23, 2014, at 10:29 AM, Andrew Sullivan > wrote: > > > > On Thu, Oct 23, 2014 at 07:25:46AM -0700, Paul Hoffman wrote: > >> Speaking as someone who supports all end systems to be their own > validating recursive resolver. > > > > "Vali

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Phillip Hallam-Baker
On Thu, Oct 23, 2014 at 1:36 PM, Paul Vixie wrote: > i encourage anyone who thinks full resolvers can run inside end hosts > which currently run stub resolvers, to try it. > > BIND9 runs fine on windows and macos laptops. so, without even touching > the real growth area of the edge (which is mobi

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Paul Vixie
> Phillip Hallam-Baker > Thursday, October 23, 2014 11:25 AM > > > ... > Bottom line is that if you try to use port 53 for client-recursive you > will find yourself under MITM attack much of the time. And it's not > even all malicious. A lot of ISPs are MITM the DNS

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Florian Weimer
* Paul Vixie: > BIND9 runs fine on windows and macos laptops. so, without even touching > the real growth area of the edge (which is mobile devices like smart > phones), you can get a sense of how rarely you'll be able to perform dns > lookups, if you just switch to 127.0.0.1 as your name server (

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Livingood, Jason
On 10/23/14, 11:59 AM, "Andrew Sullivan" wrote: >On Thu, Oct 23, 2014 at 11:43:31AM -0400, Matthew Pounsett wrote: > >> It's externalizing costs, not a trade-off. > >Yeah, this was really the point I was trying to make. For the overall >_system_ it is a trade off. For any given actor, however

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Mark Allman
> The biggest problem I have with this paper is of terminology. No- I don't want every app to build in a resolver. Madness! Think of it as a change under-the-hood to gethostbyname(). Same interface to the applications. But, underneath it doesn't go query whatever is in /etc/resolv.conf, but

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Mark Allman
> cache hit rate is about 80%-90% for those caching you think can be > removed. Note that this cache hit rate is heavily skewed because of > the facebook "one time" uncachable hostnames they were using at the > time. If you also include the fact that these caches were feeding > other caches, you

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Mark Allman
> There is no relationship between the data and the conclusion. Having a > short TTL is not because you make changes often, it's because, when > you decide to make a change, you want it to be effective rapidly. The > actual number of changes does not matter, what matter are the > expectations of u

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Mark Allman
> > - As noted in the paper 93% of the zones see no increase in our > >trace-driven simulations. That is, they are accessed by at most one > >end host per TTL and therefore see no benefit from the shared cache > >and hence will see the same load regardless of whether it is an end > >

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Livingood, Jason
On 10/23/14, 1:36 PM, "Paul Vixie" wrote: >BIND9 runs fine on windows and macos laptops. so, without even touching >the real growth area of the edge (which is mobile devices like smart >phones) To add to your thought, Paul, also stuff like smart TVs, thermostats, security cameras, appliance mod

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Andrew Sullivan
On Thu, Oct 23, 2014 at 03:29:41PM -0400, Mark Allman wrote: > > - The TLDs are a little weird in that they are trying to control for > their load and yet serving someone else's names. This characterization of things makes me a little uneasy at the possible mismatch between your model of

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Andrew Sullivan
On Thu, Oct 23, 2014 at 11:00:31AM -0700, Paul Hoffman wrote: > > That's a fair question. I'm much more interested in validating than > recursive. I don't believe that enough upstream resolvers will > reliably get the end system answers that can be validated, so the > validating end system will ha

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Phillip Hallam-Baker
On Thu, Oct 23, 2014 at 2:31 PM, Paul Vixie wrote: > > > Phillip Hallam-Baker > Thursday, October 23, 2014 11:25 AM > > > ... > Bottom line is that if you try to use port 53 for client-recursive you > will find yourself under MITM attack much of the time. And it's not even all > malicious. A l

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Livingood, Jason
Interesting paper – thanks for giving the list a heads up. My comments: 1 – I think the claim “First, removing resolvers simplifies the overall system” is a matter of opinion. I may even argue the opposite, that the prevalence of large scale resolvers simplifies the overall system (but as an ope

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Matthew Pounsett
On Oct 23, 2014, at 15:18 , Mark Allman wrote: >> How does this compare to resolvers with one or two (or four) orders of >> magnitude more clients behind them? > > Presumably pretty well. I only know of old results here, but Jung's > IMW 2001 paper suggests that the cache hit rate levels off

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Matthew Pounsett
> On Oct 23, 2014, at 18:23, Matthew Pounsett wrote: > > The cache hit rate may level off, but the query rate to the caching recursive > doesn’t. Sorry, that should have said the cache *miss* rate. It's an asymptote maxing out at the TTL, dependent on the population behind the cache. > T
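Mark Allman's "at most one end host per TTL" argument (the message on 93% of zones seeing no increase) and Matthew Pounsett's point that the cache miss rate asymptotically approaches one query per TTL per cache are two views of the same model. The following is an added example, not the paper's code or data: a small trace-driven simulation that counts queries reaching the authoritative server for each name under one shared cache versus a cache per end host. The trace, TTL and host names are constructed for illustration.

```python
"""Trace-driven comparison of authoritative query load: one shared caching
resolver versus every end host resolving (and caching) for itself.
Added example; the trace below is constructed, not from the paper."""
from collections import defaultdict

# Constructed trace: (time in seconds, client host, queried name).
# popular.example is asked for by several hosts inside one TTL;
# rare.example is only ever asked for by one host.
TRACE = [
    (0, "h1", "popular.example"),
    (5, "h2", "popular.example"),
    (10, "h3", "popular.example"),
    (20, "h4", "popular.example"),
    (70, "h1", "popular.example"),
    (75, "h2", "popular.example"),
    (0, "h1", "rare.example"),
    (30, "h1", "rare.example"),
    (100, "h1", "rare.example"),
]
TTL = 60  # seconds; assumed TTL for every name in the trace


def auth_queries(trace, ttl, shared):
    """Count queries that reach the authoritative server, per name.
    shared=True  : one cache in front of all hosts (today's resolver).
    shared=False : each host keeps its own cache (the paper's proposal).
    A cached answer is used while t < expiry; otherwise we re-fetch."""
    expires = {}
    counts = defaultdict(int)
    for t, host, name in sorted(trace):
        key = name if shared else (host, name)
        if t >= expires.get(key, 0):  # absent or expired: go to auth
            counts[name] += 1
            expires[key] = t + ttl
    return dict(counts)


def load_increase(trace, ttl):
    """Per-name ratio of authoritative load without vs. with a shared cache."""
    with_cache = auth_queries(trace, ttl, shared=True)
    without = auth_queries(trace, ttl, shared=False)
    return {name: without[name] / with_cache[name] for name in with_cache}


def unchanged_fraction(trace, ttl):
    """Fraction of names whose authoritative load does not grow at all,
    i.e. names queried by at most one host per TTL (cf. the 93% figure)."""
    ratios = load_increase(trace, ttl)
    return sum(1 for r in ratios.values() if r == 1.0) / len(ratios)


def miss_bound(trace, ttl, name):
    """Upper bound on authoritative queries for `name` with per-host caches:
    each cache can miss at most once per TTL, so the load tops out at
    (number of caches) x (TTL windows covered by the trace)."""
    times = [t for t, _, n in trace if n == name]
    hosts = {h for _, h, n in trace if n == name}
    windows = (max(times) - min(times)) // ttl + 1
    return len(hosts) * windows


if __name__ == "__main__":
    print("shared cache   :", auth_queries(TRACE, TTL, shared=True))
    print("per-host caches:", auth_queries(TRACE, TTL, shared=False))
    print("increase       :", load_increase(TRACE, TTL))
    print("names unchanged:", unchanged_fraction(TRACE, TTL))
```

Swap in a real trace (time, client, qname) and the zone's actual TTL to reproduce the paper's style of measurement for your own zones; the `miss_bound` function is the asymptote Pounsett describes, which is why names with many distinct clients per TTL are the ones whose operators pay for removing the shared cache.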

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Mark Andrews
In message , "Livingood, Jason" writes: > On 10/23/14, 1:36 PM, "Paul Vixie" wrote: > > >BIND9 runs fine on windows and macos laptops. so, without even touching > >the real growth area of the edge (which is mobile devices like smart > >phones) > > To add to your thought, Paul, also stuff like

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Edward Lewis
Talk about a DNS amplification attack - a seven page paper getting 60+ messages. I didn’t do the math, but I bet more was written about the paper than in the paper. With all this list traffic, I feel compelled to join in. If you have work to do, you might want to skip the rest of the message. Mo

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread George Michaelson
I am probably a contrarian, but having lived the time of not having DNS, into the time of having a simple DNS, to the time of a complex DNS I can't understand, I yearn for a simpler DNS. The web obviously works. It works without "resolvers" as the assumed norm. Caches and Proxies exist but the bas