DNS proxy
Brad Knowles
brad at stop.mail-abuse.org
Wed Oct 5 18:06:19 UTC 2005
At 8:41 AM -0400 2005-10-05, Ray Wallace wrote:
> In the normal course of business (in theory), the local DNS server at the
> base level will get a query for something.tld. It will then query one of the
> root-level servers to find out who is authoritative for that tld and will
> recurse until it finds an IP address for the original query. What will be
> the impact if the DoD was to inject a DNS proxy server between the local
> servers and the root-level servers?
Speaking as the former DISA.MIL technical POC, I think that this
is a bad idea. Security through obscurity almost never works, and
many times it obscures things to those people inside who would be
responsible for helping to maintain it.
The NIPRnet has many points of entry to the wider Internet, and
sites like Akamai, f.root-servers.net, etc., make use of routing
tricks to cause your packets to be sent to the nearest site which
advertises availability to a given AS number, and then may give you
back a different answer in the DNS based on where the query came
from. You break this functionality if you do a China-style
single-point-of-failure DNS-based forwarder.
Moreover, many of the sites around the world associated with the
US military get their service from non-military providers. I can't
tell you how many times I had problems with a particular group within
NATO getting their access to .mil sites cut off because they were
getting their service through Belgacom Skynet (the largest ISP in
Belgium), and the old legacy network IP address range was not always
available to them. The damn stupid firewall administrators had no
record of the new networks that had been assigned to Skynet, and
through which packets for this group within NATO would be routed.
And don't get me started on the bloody finger-pointing as to
whether the fault was the Army guys at ARL, the Navy guys, 7th Comm
Group within the USAF in the basement of the Pentagon, or whatever.
The day that the US military actually gets its act together and
speaks with one voice with regards to the way IP communications
should be properly handled, ... well, let's just say that some frozen
pigs are going to be flying out of a certain sub-basement that
supposedly doesn't exist underneath the building with four sides and
a spare.
> This would help obfuscate some of the
> queries that traverse the public Internet helping to improve our OPSEC.
No, it won't. Been there, done that.
> It
> would also allow us to add domains to this "proxy" server that route to
> 127.0.0.1. Null routing domains that are known to proliferate spam, spyware,
> other malware, or are just deemed "undesirable" would help prevent the
> spread of spyware and other maladies and increase in available bandwidth for
> mission related traffic. Would this work? What are your expert opinions on
> the pros/cons of doing something like this?
It doesn't work for China, trying to keep all those damn
dissidents from getting the word out about things like "democracy".
It's not going to work for you, either.
If someone gets infected with a virus, then it will try to access
other virus-related content by IP address and not domain name, and
then you'd be screwed.
Let's assume that you go ahead with this project anyway. Since
there are so many military sites that get their network service
provision from non-military sources, and there are so many entry
points into the NIPRnet, you'd have to have all DNS queries from the
entire world proxied through your servers.
Problem is, that would mean you would also be wide open to a
variety of other forms of DNS server abuse, including fake hosting of
spam sites on your servers, cache poisoning, etc.
Try fixing this problem where it really needs to be fixed, as
opposed to trying to apply a DNS band-aid to everything.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
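Added example, not part of the original thread: the "null route to 127.0.0.1" half of the proposal, written as BIND configuration. It uses response-policy zones (RPZ), which did not exist when this was posted in 2005 but are the supported way to do this in BIND 9.8 and later. The forwarder address 192.0.2.53, the client range 10.0.0.0/8, the ACL name nipr-clients, the zone name rpz.local, the file paths, and the blocked domains under .example are all assumptions for illustration.

```conf
## --- named.conf on each local (site) server ---
## Send every query to the proxy instead of walking the roots.
## "forward only" disables fallback to iterative resolution if the proxy
## is unreachable, i.e. the single point of failure the reply warns about.
## Every site also receives the answer the proxy's location gets from
## anycast and geo-aware servers, not the answer nearest to the site.
options {
    forwarders { 192.0.2.53; };   # assumed proxy address
    forward only;
};

## --- named.conf on the proxy ---
acl nipr-clients { 10.0.0.0/8; };  # assumed client range

options {
    recursion yes;
    # Without these two lines the proxy is an open resolver, which is the
    # exposure to cache poisoning and abuse described in the reply.
    allow-recursion   { nipr-clients; };
    allow-query-cache { nipr-clients; };
    # Rewrite answers according to the local policy zone below.
    response-policy { zone "rpz.local"; };
};

# The policy zone; it is consulted by the server, never served to clients.
zone "rpz.local" {
    type master;
    file "/etc/bind/rpz.local.db";
    allow-query { none; };
};

; --- /etc/bind/rpz.local.db (assumed path) ---
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 2005100501 3600 900 604800 300 )
    IN NS   localhost.
; Answer 127.0.0.1 for a blocked name and for everything under it.
malware-c2.example        IN A      127.0.0.1
*.malware-c2.example      IN A      127.0.0.1
; Alternative policy: CNAME to the root returns NXDOMAIN instead of a
; bogus address, so clients fail fast rather than connecting to localhost.
spamvertised.example      IN CNAME  .
*.spamvertised.example    IN CNAME  .
```

Check the files with named-checkconf and `named-checkzone rpz.local /etc/bind/rpz.local.db` before an `rndc reload`. A policy zone only changes answers to queries that actually reach the proxy: malware that connects to an address directly, or carries its own resolver, never asks, which is the point made in the reply above.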