Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Apr 2020 19:26:08 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: Rich Felker <dalias@...c.org>
Cc: musl@...ts.openwall.com
Subject: Re: TCP support in the stub resolver

* Rich Felker:

>> I'm excited that Fedora plans to add a local caching resolver by
>> default.  It will help with a lot of these issues.
>
> That's great news! Will it be DNSSEC-enforcing by default?

No.  It is currently not even DNSSEC-aware, in the sense that you
can't get any DNSSEC data from it.  That's the sad part.

>> > BTW, am I mistaken or can TCP fastopen make it so you can get a DNS
>> > reply with no additional round-trips? (query in the payload with
>> > fastopen, response sent immediately after SYN-ACK before receiving ACK
>> > from client, and nobody has to wait for connection to be closed) Of
>> > course there are problems with fastopen that lead to it often being
>> > disabled so it's not a full substitute for UDP.
>> 
>> There's no handshake to enable it, so it would have to be an
>> /etc/resolv.conf setting.  It's also not clear how you would perform
>> auto-detection that works across arbitrary middleboxen.  I don't think
>> it's useful for an in-process stub resolver.
>
> The kernel automatically does it,

Surely not, it causes too many interoperability issues for that.  It's
also difficult to fit it into the BSD sockets API.  As far as I can
see, you have to use sendmsg or sendto with MSG_FASTOPEN instead of a
connect call to establish the connection.

(When the kernel says that it's enabled by default, it means that you
can use MSG_FASTOPEN with sysctl tweaks.)

>> The other problem with EDNS is that for sizes on the large end
>> (certainly above the MTU), it depends on fragmentation.  Fragmentation
>> is completely insecure because in DNS packets, all the randomness is
>> in one fragment, so packet spoofing only needs to guess the fragment
>> ID (and the recipient IP stack will provide the UDP port for free).
>> Some of us have been working on eliminating fragmented DNS responses
>> for that reason, which unfortunately reduces the reach of EDNS
>> somewhat.
>
> Well DNS is completely insecure anyway unless you're validating DNSSEC
> locally.

It's not, it works quite well actually in the absence of on-path
attackers.

Even DNSSEC still needs that level of security because a resolver
often has to use unsigned data to figure out where to send the next
query.  If DNS were completely insecure, DNSSEC would still break
because it's prone to denial-of-service attacks on the unsigned
routing data.

> Yes the fragmentation issue makes it a lot easier to blindly
> spoof (as opposed to needing ability to intercept/MITM).

And that difference does matter.

>> Above 4096 bytes, pretty much all recursive resolvers will send TC
>> responses even if the client offers a larger buffer size.  This means
>> for correctness, you cannot do away with TCP support.
>
> In that case doing EDNS at all seems a lot less useful. Fragmentation
> is always a possibility above min MTU (essentially same limit as
> original UDP DNS) and the large responses are almost surely things you
> do want to avoid forgery on, which leads me back around to thinking
> that if you want them you really really need to be running a local
> DNSSEC validating nameserver and then can just use-vc...

Why use use-vc at all?  Some software *will* break because it assumes
that certain libc calls do not keep open some random file descriptor.

>> Some implementations have used a longer sequence of transports: DNS
>> over UDP, EDNS over UDP, and finally TCP.  That avoids EDNS
>> pseudo-negotiation until it is actually needed.  I'm not aware of any
>> stub resolvers doing that, though.
>
> Yeah, each fallback is just going to increase total latency though,
> very badly if they're all remote.
>
> Actually, the current musl approach adapted to this would be to just
> do them all concurrently: DNS/UDP, EDNS/UDP, and DNS/TCP, and accept
> the first answer that's not truncated or broken server
> (servfail/formerr/notimp), basically same as we do now but with more
> choices. But that's getting heavier on unwanted network traffic...

Aggressive parallel queries tend to break middleboxes.  Even A/AAAA is
problematic.  Good interoperability and good performance are difficult
to obtain, particularly from short-lived processes.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.