you're not interesting, was Re: another brick in the wall[ed garden]

Mark_Andrews1 · May 14, 2009, 11:58pm

>Dear Sprint EVDO people,
>
>Your man-in-the-middle hijacking of UDP/53 DNS queries against
>nameservers that I choose to query from my laptop on Sprint EVDO is
>not appreciated. Even less appreciated is your complete blocking of
>TCP/53 DNS queries.

If I were an ISP, and I knew that approximately 99.9% of customer
queries to random name servers was malware doing fake site phishing or
misconfigured PCs that will work OK and avoid a support call if they
answer the DNS query, with 0.1% being old weenies like us, I'd do what
Sprint's doing, too.

And what's the next protocol that is going to be stomped on?

If you're aware of a mechanical way for them to tell the difference,
we're all ears.

  Well you can't answer a TSIG message without knowing the
  shared secret so you might as well just let it go through
  and avoid some percentage of support calls. Intercepting
  TSIG messages is guaranteed to generate a support call.

  Similarly intercepting "rd=0" is also guaranteed to generate
  a support call. You almost certainly have a interative
  resolver making the query which will not handle the "aa=0"
  responses.

Similarly there is no sane reason to block DNS/TCP other than
they can do it.

Mark

Tomas_L_Byrnes · May 15, 2009, 12:24am

Disclaimer: I have a dog in this fight, since ThreatSTOP is dependent on
DNS/TCP.

From: Mark Andrews [mailto:Mark_Andrews@isc.org]
Sent: Thursday, May 14, 2009 4:59 PM
To: John Levine
Cc: nanog@nanog.org; rs@seastrom.com
Subject: Re: you're not interesting,was Re: another brick in the

wall[ed

garden]

>Dear Sprint EVDO people,
>
>Your man-in-the-middle hijacking of UDP/53 DNS queries against
>nameservers that I choose to query from my laptop on Sprint EVDO is
>not appreciated. Even less appreciated is your complete blocking of
>TCP/53 DNS queries.

If I were an ISP, and I knew that approximately 99.9% of customer
queries to random name servers was malware doing fake site phishing

or

misconfigured PCs that will work OK and avoid a support call if they
answer the DNS query, with 0.1% being old weenies like us, I'd do

what

Sprint's doing, too.

And what's the next protocol that is going to be stomped on?

If you're aware of a mechanical way for them to tell the difference,
we're all ears.

Well you can't answer a TSIG message without knowing the
shared secret so you might as well just let it go through
and avoid some percentage of support calls. Intercepting
TSIG messages is guaranteed to generate a support call.

Similarly intercepting "rd=0" is also guaranteed to generate
a support call. You almost certainly have a interative
resolver making the query which will not handle the "aa=0"
responses.

Similarly there is no sane reason to block DNS/TCP other than
they can do it.

[TLB:] I can think of an argument they might make: that it is/could be
used by bots as a fallback. However, redirecting DNS/UDP fits the model
of "providing a better service for the average user";
blocking/redirecting TCP is more likely to break things a savvy user
needs.

Maybe someone with clue at Sprint can be persuaded that doing their own
"OpenDNS" for UDP is probably a good thing for most uses, but doing it
for TCP is a bad thing for those users who need TCP.

Andre_Gironda · May 15, 2009, 12:25am

I was going to say, "will the ISP also remove the DNS MITM the day
that 99.9% of malware moves its command-and-control to the HTTP or
other layer?". I figured why bother - but your point drives it home
even further.

dre

Mans_Nilsson · May 15, 2009, 9:28am

And what's the next protocol that is going to be stomped on?

Anything except http; at which point everything will move to http, and
the firewalls are again useless.

Martin_Hannigan9 · May 15, 2009, 9:28am

Anything traversing the edge. They are all revenue targets.

Best,

Martin

John_L · May 15, 2009, 9:10am

And what's the next protocol that is going to be stomped on?

Anything except http; at which point everything will move to http, and
the firewalls are again useless.

Um, if you think that http on consumer networks is transparent, I have some really bad news for you.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.

Mans_Nilsson · May 15, 2009, 1:52pm

And what's the next protocol that is going to be stomped on?

Anything except http; at which point everything will move to http, and
the firewalls are again useless.

Um, if you think that http on consumer networks is transparent, I have
some really bad news for you.

If you change my sentence thusly:

s/http/ what can be communicated over http/1;s/http/said channel/2;

..it all makes sense again, even "better" than before.

Owen_DeLong · May 15, 2009, 5:34pm

Subject: Re: you're not interesting, was Re: another brick in the wall[ed garden] Date: Fri, May 15, 2009 at 09:58:32AM +1000 Quoting Mark Andrews (Mark_Andrews@isc.org):

And what's the next protocol that is going to be stomped on?

Anything except http; at which point everything will move to http, and
the firewalls are again useless.

This is, indeed, already happening. In fact, I'm running an SMTP server
with TLS on port 80 to get around SPRINT's existing braindamage.

(or at least the braindamage they had at one point).

Owen