nanog mailing list archives
Re: This DNS over HTTP thing
From: David Conrad <drc () virtualized org>
Date: Mon, 7 Oct 2019 11:56:21 -0700
On Oct 7, 2019, at 10:45 AM, Jim <mysidia () gmail com> wrote:
My suggestion would be ultimately that DNS clients implement DNSSEC validation themselves to avoid tampering by a malicious client on their network for phishing purposes or a malicious recursive DNS resolver server.
Yep. That is (IMHO) the right (only) answer to actually fix the ‘lying’ problem instead of making it “someone else’s problem”, although that turns lies into DoS when all you get back from your resolver is unvalidatable answers.

To solve this problem, browser vendors really should implement validation in their stub resolvers. This would have the benefit that if validation fails, a useful error message could be presented to the user (e.g., “the website name you looked up has been tampered with!”). Instead, they have chosen to rely on their “trusted recursive resolvers” to not lie to them and use agreements rather than code.

This, of course, doesn’t stop the snooping/metadata collection problem.

Regards,
-drc
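As an added illustration (not part of the thread, and not code from any browser or resolver), here is a small stub-side helper in Python: it builds the query flags a validating stub sends (the EDNS0 DO bit to request RRSIG data, and CD so the resolver hands back answers it could not validate itself) and sorts a response header into the outcomes the reply above describes: validated by the resolver, returned unvalidated, or SERVFAIL (the "lies become DoS" case). The sample responses are constructed 12-byte headers; RRSIG verification itself is out of scope here.

```python
import struct
from enum import Enum

class Outcome(Enum):
    SECURE = "resolver set AD: answer validated upstream"
    INSECURE = "AD clear: answer returned but not validated"
    BOGUS = "SERVFAIL: resolver could not validate, no usable answer"
    OTHER = "other error RCODE"

# DNS header flag bits (RFC 1035 / RFC 4035): QR=15, RD=8, RA=7, AD=5, CD=4, RCODE=3..0
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010

def build_query_header(txid: int, validate_locally: bool) -> bytes:
    """Query header with RD set. A stub that validates itself also sets CD,
    so the resolver returns data even when its own validation fails."""
    flags = RD | (CD if validate_locally else 0)
    # QDCOUNT=1, ARCOUNT=1 because the EDNS0 OPT pseudo-RR rides in the additional section
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)

def edns_opt_do(udp_size: int = 4096) -> bytes:
    """EDNS0 OPT RR (RFC 6891) with the DO bit set: root name, TYPE 41,
    CLASS = UDP payload size, TTL field = ext-RCODE(0) | version(0) | DO | Z, RDLEN 0."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)

def classify_response(msg: bytes) -> Outcome:
    """Read the 12-byte header and decide what a stub can conclude from it.
    Caveat: AD is only an assertion by the resolver; a stub that trusts it is
    trusting the resolver, which is exactly the dependency the reply argues against."""
    _txid, flags, *_counts = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == 2:
        return Outcome.BOGUS
    if rcode != 0:
        return Outcome.OTHER
    return Outcome.SECURE if flags & AD else Outcome.INSECURE

# Constructed sample response headers (txid 0xbeef, one question, one answer, one OPT RR)
VALIDATED   = struct.pack("!HHHHHH", 0xBEEF, QR | RD | RA | AD, 1, 1, 0, 1)
UNVALIDATED = struct.pack("!HHHHHH", 0xBEEF, QR | RD | RA,      1, 1, 0, 1)
SERVFAIL    = struct.pack("!HHHHHH", 0xBEEF, QR | RD | RA | 2,  1, 0, 0, 1)

if __name__ == "__main__":
    query = build_query_header(0x1234, validate_locally=True) + edns_opt_do()
    print("query header+OPT:", query.hex())
    for name, resp in (("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("servfail", SERVFAIL)):
        print(f"{name:12s} -> {classify_response(resp).value}")
```

With CD set and DO requested, a stub receives the RRSIGs it needs to validate on its own and can turn the SERVFAIL case into a specific user-facing error rather than a silent failure.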