DNSSEC and ISPs faking DNS responses

The Québec government is wanting to pass a law that will force ISPs to
block and/or redirect certain sites it doesn't like. (namely sites that
offer on-line gambling that compete against its own Loto Québec).

In order to make a good submission to government, one has to boil it
down to simple enough arguments that clueless politicians can
understand. And for me to do that, I want to make sure I understand this
correctly.

I have tried to research DNSSEC and while I understand how a proper DNS
server can validate the chain from the
- root server
- TLD server
- authoritative DNS server for that domain

I remain in the dark with regards to clients, namely clients who cannot
trust the DNS server supplied as part of DHCP/IPCP/PPPoE responses.

Say a consumer wants to connect to lottery.com, which, from the world
outside the ISP, would result in a signed, verifiable response.

Can't the ISP's DNS server just pretend it is authoritative for
lottery.com and return to client a non-DNSSEC response that points to a
fake IP address ?

If the client gets an unsigned response for lottery.com from its ISP's
DNS server, how can it know it is a fake response, how can it know that
lottery.com should have generated a signed DNSSEC response ?

It seems to me that unless each client goes to the tld servers (they
already have root signatures), get signature of the tld server and
signed response of where "lottery.com" can be found, they have no way to
know whether lottery.com should be signed or not, and whether the answer
they got from their ISP is good or not.

Is that a proper understanding ?

So far, I have seen good explanations of what happens between DNS
servers and the servers that are authoritative for domain, TLD and root.
But I have seen nothing about clients who only have a resolver that
talks to a DNS server.

And while I am at it: when a client gets a legit response from ISP's DNS
server with RRSIG records, how does the client obtain the public key
against which to run the record to ensure its calculated signature
matches that provided in RRSIG ?

or do DNS servers return the full chain of records so that a request for
lottery.com returns not only record for lottery.com but also .com's
reply on where lottery.com is and root's reply of where .com is ?

Hopefully, I am only missing a small bit that would explain everything
that happens at the client side. But as long as I am told that the
client only talks to the ISP's DNS server, I am at a loss.

Any help appreciated. (I just watched an hour long youtube on subject
which didn't deal with client much).

This will only create an new private (non-public) DNS service in China or
Romania for Canadians to use. Imagine that someone in China starts a
business to help people get around censorship in countries other than
China.

You nailed it - "clueless politicians".

Bob Evans
CTO

> The Québec government is wanting to pass a law that will force ISPs to
> block and/or redirect certain sites it doesn't like. (namely sites that
> offer on-line gambling that compete against its own Loto Québec).
>
> In order to make a good submission to government, one has to boil it
> down to simple enough arguments that clueless politicians can
> understand. And for me to do that, I want to make sure I understand this
> correctly.
>
> I have tried to research DNSSEC and while I understand how a proper DNS
> server can validate the chain from the
> - root server
> - TLD server
> - authoritative DNS server for that domain
>
> I remain in the dark with regards to clients, namely clients who cannot
> trust the DNS server supplied as part of DHCP/IPCP/PPPoE responses.
>
> Say a consumer wants to connect to lottery.com, which, from the world
> outside the ISP, would result in a signed, verifiable response.
>
> Can't the ISP's DNS server just pretend it is authoritative for
> lottery.com and return to client a non-DNSSEC response that points to a
> fake IP address ?

No. If the client is validating the response it will fail validation.

> If the client gets an unsigned response for lottery.com from its ISP's
> DNS server, how can it know it is a fake response, how can it know that
> lottery.com should have generated a signed DNSSEC response ?

Because it asks the ISP for DS lottery.com and that response tells
the client if it should be getting a signed response or not and
which DNSKEYs to trust.

> It seems to me that unless each client goes to the tld servers (they
> already have root signatures), get signature of the tld server and
> signed response of where "lottery.com" can be found, they have no way to
> know whether lottery.com should be signed or not, and whether the answer
> they got from their ISP is good or not.
>
> Is that a proper understanding ?

DNSSEC was designed to allow a client to get answers from a recursive
server it does not trust and verify that the answer has not been
tampered with. There are not many clients that do this yet but that
was the design goal and yes it was achieved.

> So far, I have seen good explanations of what happens between DNS
> servers and the servers that are authoritative for domain, TLD and root.
> But I have seen nothing about clients who only have a resolver that
> talks to a DNS server.

They make the same queries and verify the answers the same way.

For lottery.com they would ask for the DNSKEY records for lottery.com,
the DS records for lottery.com, the DNSKEY records for com, the DS
records for com and the DNSKEY records for the root. It doesn't
matter if these come from a cache or directly from the authoritative
servers. The crypto to verify the answers is the same.

> And while I am at it: when a client gets a legit response from ISP's DNS
> server with RRSIG records, how does the client obtain the public key
> against which to run the record to ensure its calculated signature
> matches that provided in RRSIG ?

It asks for the DNSKEY records and RRSIGs. Verifies them against the DS
records which it asks for. Repeat all the way to the root.
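As an added illustration of the walk Mark describes (DNSKEY checked against the parent's DS, every RRSIG verified under the matched key, back to a root trust anchor the client did not get from its ISP), here is example code that is not from the thread: a toy validator over constructed root / com / lottery.com records, which also shows what happens when an ISP swaps in its own key or when the client is given a wrong trust anchor. The DS digest and key tag follow RFC 4034; the signatures are a textbook-RSA stand-in built from Mersenne primes (no PKCS#1 padding) so the block runs on the standard library alone, and every key, address and record in it is constructed for this example.

```python
import hashlib

E = 65537  # public exponent of every toy key
ZONES = [".", "com.", "lottery.com."]  # the delegation chain, top down

def keygen(pk, qk):
    """Textbook-RSA stand-in for RSASHA256 from Mersenne primes 2**pk-1 and
    2**qk-1: weak by construction, but needs only the stdlib (Python 3.8+)."""
    p, q = (1 << pk) - 1, (1 << qk) - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def sign(key, data):
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), key["d"], key["n"])

def verify(n, data, sig):
    return sig is not None and pow(sig, E, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def owner_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(n):
    """DNSKEY RDATA: flags 257 (KSK), protocol 3, alg 8, RFC 3110 key (3-byte e | n)."""
    pub = b"\x03" + E.to_bytes(3, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return (257).to_bytes(2, "big") + b"\x03\x08" + pub

def key_tag(rdata):
    """RFC 4034 Appendix B: the 16-bit tag a DS or RRSIG uses to name a DNSKEY."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_rdata(owner, dnskey):
    """RFC 4034 5.1: key tag | alg 8 | digest type 2 | SHA-256(owner | DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire(owner) + dnskey).digest()
    return key_tag(dnskey).to_bytes(2, "big") + b"\x08\x02" + digest

def build_view():
    """Records an honest resolver hands back (all constructed here), plus the
    root DS a client obtains out of band (not from DHCP) as its trust anchor."""
    keys = {".": keygen(1279, 127), "com.": keygen(607, 107), "lottery.com.": keygen(521, 89)}
    view = {}
    for zone, key in keys.items():  # each zone self-signs its DNSKEY RRset
        rd = dnskey_rdata(key["n"])
        view[zone] = {"dnskey": rd, "rrsig_dnskey": sign(key, owner_wire(zone) + rd)}
    for parent, child in zip(ZONES, ZONES[1:]):  # parent publishes and signs child's DS
        ds = ds_rdata(child, view[child]["dnskey"])
        view[child].update(ds=ds, rrsig_ds=sign(keys[parent], owner_wire(child) + ds))
    a = bytes([203, 0, 113, 5])  # constructed A record (TEST-NET-3 address)
    view["lottery.com."].update(a=a, rrsig_a=sign(keys["lottery.com."], owner_wire("lottery.com.") + a))
    return view, ds_rdata(".", view["."]["dnskey"])

def validate(view, trust_anchor):
    """Walk root -> com -> lottery.com as a validating stub does: each DNSKEY must
    match the DS above it, and every RRSIG must verify under the matched key."""
    expected_ds = trust_anchor
    for zone, child in zip(ZONES, ZONES[1:] + [None]):
        rec = view[zone]
        if ds_rdata(zone, rec["dnskey"]) != expected_ds:
            return "bogus"  # key not endorsed by the parent's DS (or the anchor)
        n = int.from_bytes(rec["dnskey"][8:], "big")  # after flags/proto/alg/elen/e
        if not verify(n, owner_wire(zone) + rec["dnskey"], rec["rrsig_dnskey"]):
            return "bogus"  # DNSKEY RRset signature wrong or stripped
        if child is None:
            return "secure" if verify(n, owner_wire(zone) + rec["a"], rec["rrsig_a"]) else "bogus"
        crec = view[child]
        if not verify(n, owner_wire(child) + crec["ds"], crec["rrsig_ds"]):
            return "bogus"  # the DS set itself must carry the parent's signature
        expected_ds = crec["ds"]

def isp_redirect(view):
    """ISP 'pretends to be authoritative': new key, re-signed DNSKEY, A -> 127.0.0.1."""
    v = {k: dict(r) for k, r in view.items()}
    fake, z = keygen(521, 127), v["lottery.com."]
    z["dnskey"] = dnskey_rdata(fake["n"])
    z["rrsig_dnskey"] = sign(fake, owner_wire("lottery.com.") + z["dnskey"])
    z["a"] = bytes([127, 0, 0, 1])
    z["rrsig_a"] = sign(fake, owner_wire("lottery.com.") + z["a"])  # com.'s DS still names the real key
    return v
```

The re-signed redirect fails at the DS check for lottery.com and a wrong anchor fails at the root, which is the same "bogus trust anchor, bogus trust" point Mark makes later in the thread; stripping the RRSIGs fails too, which is why an ISP cannot simply answer "not signed" to a validating client.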

In article <56455885.8090409@vaxination.ca> you write:

> The Québec government is wanting to pass a law that will force ISPs to
> block and/or redirect certain sites it doesn't like. (namely sites that
> offer on-line gambling that compete against its own Loto Québec).

Blocking is pretty easy, just don't return the result, or fake an
NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL
instead, but they still won't get a result.

Redirecting is much harder -- as others have explained there is a
chain of signatures from the root to the desired record, and if the
chain isn't intact, it's SERVERFAIL again. Inserting a replacement
record with a fake signature into the original chain is intended to be
impossible. (If you figure out how, CSIS would really like to talk to
you.) It is possible to configure an ISP's DNS caches to trust
specific signatures for specific parts of the tree, but that is kludgy
and fragile and is likely to break DNS for everyone.

And anyway, it's pointless. What they're saying is to take the
gambling sites out of the phone book, but this is the Internet and
there are a million other phone books available, outside of Quebec,
such as Google's 8.8.8.8 located in the US, that people can configure
their computers to use with a few mouse clicks. Or you can run your
own cache on your home network like I do, just run NSD or BIND on a
linux laptop.

They could insist that ISPs block the actual web traffic to the sites,
by blocking IP ranges, but that is also a losing battle since it's
trivial to circumvent with widely available free VPN software. If
they want to outlaw VPNs, they're outlawing telework, since VPNs are
how remote workers connect to their employers' systems, and the
software is identical.

R's,
John

Hello,

> In article <56455885.8090409@vaxination.ca> you write:
>
>> The Québec government is wanting to pass a law that will force ISPs to
>> block and/or redirect certain sites it doesn't like. (namely sites that
>> offer on-line gambling that compete against its own Loto Québec).
>
> Blocking is pretty easy, just don't return the result, or fake an
> NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL
> instead, but they still won't get a result.
>
> Redirecting is much harder -- as others have explained there is a
> chain of signatures from the root to the desired record, and if the
> chain isn't intact, it's SERVERFAIL again. Inserting a replacement
> record with a fake signature into the original chain is intended to be
> impossible. (If you figure out how, CSIS would really like to talk to
> you.) It is possible to configure an ISP's DNS caches to trust
> specific signatures for specific parts of the tree, but that is kludgy
> and fragile and is likely to break DNS for everyone.

I'm not a DNSSEC expert but I wonder what would be the behavior if the
ISP adds a specific trust anchor for the domain they wish to block?

> And anyway, it's pointless. What they're saying is to take the
> gambling sites out of the phone book, but this is the Internet and
> there are a million other phone books available, outside of Quebec,
> such as Google's 8.8.8.8 located in the US, that people can configure
> their computers to use with a few mouse clicks. Or you can run your
> own cache on your home network like I do, just run NSD or BIND on a
> linux laptop.
>
> They could insist that ISPs block the actual web traffic to the sites,
> by blocking IP ranges, but that is also a losing battle since it's
> trivial to circumvent with widely available free VPN software. If
> they want to outlaw VPNs, they're outlawing telework, since VPNs are
> how remote workers connect to their employers' systems, and the
> software is identical.
>
> R's,
> John

Thanks,

Alejandro,

> In article <56455885.8090409@vaxination.ca> you write:
>
>> The Québec government is wanting to pass a law that will force ISPs to
>> block and/or redirect certain sites it doesn't like. (namely sites that
>> offer on-line gambling that compete against its own Loto Québec).
>
> Blocking is pretty easy, just don't return the result, or fake an
> NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL
> instead, but they still won't get a result.
>
> Redirecting is much harder -- as others have explained there is a
> chain of signatures from the root to the desired record, and if the
> chain isn't intact, it's SERVERFAIL again. Inserting a replacement
> record with a fake signature into the original chain is intended to be
> impossible. (If you figure out how, CSIS would really like to talk to
> you.) It is possible to configure an ISP's DNS caches to trust
> specific signatures for specific parts of the tree, but that is kludgy
> and fragile and is likely to break DNS for everyone.

If you know that the client is using ONLY your resolver(s), couldn’t you
simply fake the entire chain and sign everything yourself?

Or, alternatively, couldn’t you just fake the answers to all the “is this
signed?” requests and say “Nope!” regardless of the state of the authoritative
zone in question?

Sure, if the client has any sort of independent visibility it can verify that
you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
much mean it can’t tell that you’re lying to it?

> And anyway, it's pointless. What they're saying is to take the
> gambling sites out of the phone book, but this is the Internet and
> there are a million other phone books available, outside of Quebec,
> such as Google's 8.8.8.8 located in the US, that people can configure
> their computers to use with a few mouse clicks. Or you can run your
> own cache on your home network like I do, just run NSD or BIND on a
> linux laptop.

I believe the traditional statement is “This type of regulation is considered
damage and will be routed around.”

> They could insist that ISPs block the actual web traffic to the sites,
> by blocking IP ranges, but that is also a losing battle since it's
> trivial to circumvent with widely available free VPN software. If
> they want to outlaw VPNs, they're outlawing telework, since VPNs are
> how remote workers connect to their employers' systems, and the
> software is identical.

It’s also fairly easy for the gambling sites to become somewhat IP Agile
creating a game of Whack-a-mole for the regulators and the ISPs they
are inflicting this pain on.

Owen

>> Redirecting is much harder -- ...
>
> If you know that the client is using ONLY your resolver(s), couldn’t you
> simply fake the entire chain and sign everything yourself?

I suppose, although doing that at scale in a large provider like Videotron
(1.5M subscribers) would be quite a challenge.

> Or, alternatively, couldn’t you just fake the answers to all the “is this
> signed?” requests and say “Nope!” regardless of the state of the authoritative
> zone in question?

No, those responses are signed too.

> Sure, if the client has any sort of independent visibility it can verify that
> you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
> much mean it can’t tell that you’re lying to it?

At this point very few client resolvers check DNSSEC, so something
that stripped off all the DNSSEC stuff and inserted lies where
required would "work" for most clients. At least until they realized
they couldn't get to PokerStars and switched their DNS to 8.8.8.8.

R's,
John

In message <5CA68A46-2F63-466A-B418-30DA71B2BAC5@delong.com>, Owen DeLong writes:

>
> In article <56455885.8090409@vaxination.ca> you write:
>> The Québec government is wanting to pass a law that will force ISPs to
>> block and/or redirect certain sites it doesn't like. (namely sites
>> that offer on-line gambling that compete against its own Loto Québec).
>
> Blocking is prettty easy, just don't return the result, or fake an
> NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL
> instead, but they still won't get a result.
>
> Redirecting is much harder -- as others have explained there is a
> chain of signatures from the root to the desired record, and if the
> chain isn't intact, it's SERVERFAIL again. Inserting a replacement
> record with a fake signature into the original chain is intended to be
> impossible. (If you figure out how, CSIS would really like to talk to
> you.) It is possible to configure an ISP's DNS caches to trust
> specific signatures for specific parts of the tree, but that is kludgy
> and fragile and is likely to break DNS for everyone.

> If you know that the client is using ONLY your resolver(s), couldn’t you
> simply fake the entire chain and sign everything yourself?

Which is exactly how we test validation in nameservers. If you
tell the validator to use a bogus trust anchor you get bogus trust.

> Or, alternatively, couldn’t you just fake the answers to all the “is this
> signed?” requests and say “Nope!” regardless of the state of the
> authoritative zone in question?

No. You can detect that.

> Sure, if the client has any sort of independent visibility it can verify that
> you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
> much mean it can’t tell that you’re lying to it?

No. The root's trust anchor are published independently of whatever
your ISP does. This isn't something you learn via DHCP.

Is it correct to state that clients, instead of issuing a single request
to the ISP's DNS server and let it do the recursion, will request (if
not cached already) records from the root, the tld and the domain's
authoritative server to get the DNSSEC records for each in order to be
able to "walk" the path and verify each signature ?

So this would result in significant increase in number of transactions
between clients and ISP DNS servers, correct ?

If the above is correct, then it provides me with the missing link to my
understanding.

BTW, the proposed law, being done by lawyers, will have the list of
sites to be banned distributed to ISPs via REGISTERED MAIL. (there are
two means to have "legal" documents served, registered mail and by
bailiffs in Québec). (there are to be financial penalties to ISPs who
do not comply, so govt needs proof of delivery).

I'll have to research how other countries tried to implement similar
schemes (I believe the UK has with some of the popular torrent sites).

I know the Australian attempt to filter porn failed miserably.

Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> writes:

> The Québec government is wanting to pass a law that will force ISPs to
> block and/or redirect certain sites it doesn't like.

BTDT. See
https://torrentfreak.com/pirate-sites-must-pay-legal-costs-of-own-blockade-court-rules-150902/

(yes, we could discuss the point of all this - but that is a political
discussion, and there are better fora for those. Let's keep this
technical here, please)

Now, we mostly don't do DNSSEC validation yet, and luckily none of the
blocked domains have any DS records either. So DNSSEC is not yet a real
problem in this regard. But there is no reason to think this luck will
last forever. Given the "success", we can only assume there will be
more court orders. And we do want to enable DNSSEC validation
everywhere at some point.

So what do we do? We currently point the blocked domains to addresses of
a web server with a short explanation. But what if the domains were
signed? We could let validating servers return SERVFAIL. But I'd
really prefer avoiding that for the simple reason that there is no way
to distinguish that SERVFAIL from one caused by e.g. a domain owner
configuration error. So I'm wondering if DLV might help us here? I
imagine it will allow us to return a signed response to the client,
with the AD flag, even if we have taken control of the domain. Or won't
that work at all if the parent has a DS record?

If the DLV strategy works, then the main advantage would be that a
validating client could distinguish between a domain owner error and a
deliberate "error" added by us as a resolver operator. The DLV signed
response will still fail client validation. And we would of course
publish the DLV key, so that anyone wishing to verify the source of the
failing signatures could do that (assuming that some clients may accept
us as a MITM, but still want to prevent others from the same attack).

What do you all think? Is this feasible? Any better solutions?

OK, I should probably lab this instead of discussing it...

Bjørn (working for Telenor, but definitely not having any role in PR or
legal matters)

Hi,

> BTW, the proposed law, being done by lawyers, will have the list of

you say law.... but this idea of blocking all competitors to the state's
lotto sounds very unlawful and anti-competitive - yes, I can
understand states or countries blocking ALL gambling, that's a simple
'we don't allow it here', but to say 'yes, you can access just ours'
well, in EU I don't think that would ever fly.

> I know the Australian attempt to filter porn failed miserably.

well, one could say people might be more determined to access porn than
gambling sites so this gambling block might be more successful.

either way, what you'll get are a host of DNS services based in other
countries - some using VPN technology etc so blocking port 53 to
other servers isn't going to work on that score either. it won't work.

alan

We also have some torrent sites blocked in France, for example:
alarig@HP-Z210:~$ dig +noall +comments +answer t411.me @193.252.19.3
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38309
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1460
;; ANSWER SECTION:
t411.me. 16418 IN A 127.0.0.1

alarig@HP-Z210:~$ dig +noall +comments +answer t411.me
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41652
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
t411.me. 70 IN A 104.18.37.180
t411.me. 70 IN A 104.18.36.180

But, if you look at the flags, there’s no ad, so no DNSSEC (my resolver
has DNSSEC enabled)

>> BTW, the proposed law, being done by lawyers, will have the list of
>
> you say law.... but this idea of blocking all competitors to the state's
> lotto sounds very unlawful and anti-competitive

This is Québec, where the rules are not the same as in the UK. The
provincial lottery is the only legal gambling in the province, give
or take the large amount of online gambling hosted on the Mohawk
reservation that's partly in Québec and partly in New York.

> either way, what you'll get are a host of DNS services based in other
> countries - some using VPN technology etc so blocking port 53 to
> other servers isn't going to work on that score either. it won't work.

Of course not.

R's,
John

>>> Redirecting is much harder -- ...
>>
>> If you know that the client is using ONLY your resolver(s), couldn’t you
>> simply fake the entire chain and sign everything yourself?
>
> I suppose, although doing that at scale in a large provider like Videotron
> (1.5M subscribers) would be quite a challenge.
>
>> Or, alternatively, couldn’t you just fake the answers to all the “is this
>> signed?” requests and say “Nope!” regardless of the state of the authoritative
>> zone in question?
>
> No, those responses are signed too.

Only if you pass through the claim that the parent domain is signed.

Again, if you’re the only resolver the clients are using, you can claim that
nothing from the root down is signed without ever providing any cryptographic
anything.

Seems to me that wouldn’t be significantly harder than running a resolver
at the same scale.

>> Sure, if the client has any sort of independent visibility it can verify that
>> you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
>> much mean it can’t tell that you’re lying to it?
>
> At this point very few client resolvers check DNSSEC, so something
> that stripped off all the DNSSEC stuff and inserted lies where
> required would "work" for most clients. At least until they realized
> they couldn't get to PokerStars and switched their DNS to 8.8.8.8.

If the ISPs don’t start blocking well known public resolvers or even just
blocking port 53 in general (which has been known to happen).

Owen

>> At this point very few client resolvers check DNSSEC, so something
>> that stripped off all the DNSSEC stuff and inserted lies where
>> required would "work" for most clients. At least until they realized
>> they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
>
> If the ISPs don’t start blocking well known public resolvers or even just
> blocking port 53 in general (which has been known to happen).

I doubt the ISPs in Québec would have much sympathy for this proposed law. It makes their life harder and provides them no benefit. Should it pass (remember, it's just proposed), I expect they'd just adjust their DNS caches to block responses for the list of domains that the government mails them and claim they're in full compliance.

R's,
John

Actually, how are other places implementing these lists? I would have thought to use RPZ,
but as far as I know if the blocked DNS domain is using DNSSEC it wouldn't work.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222

Except that the ISP can intercept those queries and respond as it likes.
Such is already done at all scales. Not that a government generally
cares what kind of burden is required once the law is passed, cf CALEA.

True, some users would be able to detect such tampering and many of
those could work around it. But most will have no way to do either.

Would the masses ever replace their stub with a full resolver?
Doubtful, unless their OS vendor does it for them. Would that be the
right thing to do for a few billion users of Windows and another couple
billion using Android most of whose ISPs are providing unfaked answers?
Would the various authoritative operators be happy / agree? How does
one fit local zones into the picture?

Would the masses set up a VPN to a service provider in a jurisdiction not
subject to such foolishness so their resolver, whether stub or full,
would have a chance at unfaked answers? Again, I'm thinking most would
be entirely ignorant of the issue, and in any case would be hard pressed
to set anything up unless it was trivial, e.g., not just part of their
OS but also Wizard-like with most answers pre-supplied.

/mark

> Would the masses set up a VPN to a service provider in a jurisdiction not
> subject to such foolishness so their resolver, whether stub or full,
> would have a chance at unfaked answers? Again, I'm thinking most would
> be entirely ignorant of the issue, and in any case would be hard pressed
> to set anything up unless it was trivial, e.g., not just part of their
> OS but also Wizard-like with most answers pre-supplied.

I was at a most interesting session in New Zealand a few months ago,
about video streaming in NZ. People want to watch Netflix and Hulu,
and are willing to pay for it, but NZ is such a small market that the
big providers can't be bothered to license the content for NZ, and by
the time local providers make arrangements it's a month later. So
everyone buys a Netflix subscription and uses VPNs to pretend to be in
the US.

Take a look at Vyprvpn, which is pretty much point and install, or
even Tunnelblick which is about four clicks to set up with VPN info
from any provider. Civilians definitely use these.

R's,
John

a message of 34 lines which said:

> I'll have to research how other countries tried to implement similar
> schemes

https://www.afnic.fr/en/about-afnic/news/general-news/6584/show/the-afnic-scientific-council-shares-its-report-on-dns-based-internet-filtering.html

a message of 20 lines which said:

> well, in EU I don't think that would ever fly.

It is done in France, for a long time
<https://en.wikipedia.org/wiki/ARJEL#Missions>.