DNS proxy

Brad Knowles brad at stop.mail-abuse.org
Wed Oct 5 18:06:19 UTC 2005


At 8:41 AM -0400 2005-10-05, Ray Wallace wrote:

>  In the normal course of business (in theory), the local DNS server at the
>  base level will get a query for something.tld. It will then query one of the
>  root-level servers to find out who is authoritative for that tld and will
>  recurse until it finds an IP address for the original query. What will be
>  the impact if the DoD was to inject a DNS proxy server between the local
>  servers and the root-level servers?

	Speaking as the former DISA.MIL technical POC, I think that this 
is a bad idea.  Security through obscurity almost never works, and 
many times it obscures things to those people inside who would be 
responsible for helping to maintain it.

	The NIPRnet has many points of entry to the wider Internet, and 
sites like Akamai, f.root-servers.net, etc... make use of routing 
tricks to cause your packets to be sent to the nearest site which 
advertises availability to a given AS number, and then may give you 
back a different answer in the DNS based on where the query came 
from.  You break this functionality if you do a China-style 
single-point-of-failure DNS-based forwarder.

	Moreover, many of the sites around the world associated with the 
US military get their service from non-military providers.  I can't 
tell you how many times I had problems with a particular group within 
NATO getting their access to .mil sites cut off because they were 
getting their service through Belgacom Skynet (the largest ISP in 
Belgium), and the old legacy network IP address range was not always 
available to them.  The damn stupid firewall administrators had no 
record of the new networks that had been assigned to Skynet, and 
through which packets for this group within NATO would be routed.

	And don't get me started on the bloody finger-pointing as to 
whether the fault was the Army guys at ARL, the Navy guys, 7th Comm 
Group within the USAF in the basement of the Pentagon, or whatever.


	The day that the US military actually gets its act together and 
speaks with one voice with regards to the way IP communications 
should be properly handled, ... well, let's just say that some frozen 
pigs are going to be flying out of a certain sub-basement that 
supposedly doesn't exist underneath the building with four sides and 
a spare.

>  This would help obfuscate some of the
>  queries that traverse the public Internet, helping to improve our OPSEC.

	No, it won't.  Been there, done that.

>  It would also allow us to add domains to this "proxy" server that route to
>  127.0.0.1. Null routing domains that are known to proliferate spam, spyware,
>  other malware, or are just deemed "undesirable" would help prevent the
>  spread of spyware and other maladies and increase the available bandwidth for
>  mission related traffic. Would this work? What are your expert opinions on
>  the pros/cons of doing something like this?

	It doesn't work for China, trying to keep all those damn 
dissidents from getting the word out about things like "democracy". 
It's not going to work for you, either.

	If someone gets infected with a virus, then it will try to access 
other virus-related content by IP address and not domain name, and 
then you'd be screwed.


	Let's assume that you go ahead with this project anyway.  Since 
there are so many military sites that get their network service 
provision from non-military sources, and there are so many entry 
points into the NIPRnet, you'd have to have all DNS queries from the 
entire world proxied through your servers.

	Problem is, that would mean you would also be wide open to a 
variety of other forms of DNS server abuse, including fake hosting of 
spam sites on your servers, cache poisoning, etc....


	Try fixing this problem where it really needs to be fixed, as 
opposed to trying to apply a DNS band-aid to everything.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
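An added example, not code from the thread or from BIND, illustrating Brad's caveat above: a forwarder that answers 127.0.0.1 for blocked names cannot stop a host that already knows an address, so a defender correlates the resolver's answers with the firewall log to find connections that no DNS answer explains. The log formats, hosts and addresses below are constructed for this example.

```python
"""Flag outbound connections whose destination was never handed out by the resolver."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver answer log: "<ISO time> <client> <qname> <rrtype> <answer>"
DNS_LOG = """\
2005-10-05T08:40:00 10.1.1.5 www.example.mil A 192.0.2.10
2005-10-05T08:40:02 10.1.1.5 bad.example A 127.0.0.1
2005-10-05T08:41:00 10.1.1.7 news.example.net A 198.51.100.20
"""

# Constructed firewall log: "<ISO time> <client> -> <dst ip>:<port>"
FW_LOG = """\
2005-10-05T08:40:01 10.1.1.5 -> 192.0.2.10:80
2005-10-05T08:40:03 10.1.1.5 -> 203.0.113.9:80
2005-10-05T08:41:01 10.1.1.7 -> 198.51.100.20:443
2005-10-05T08:43:00 10.1.1.7 -> 203.0.113.9:6667
"""

WINDOW = timedelta(minutes=5)  # how long a resolved answer counts as "known" to the client


def parse_dns(text):
    """Return {(client, answer_ip): [times that answer was given]} for A records."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, client, _qname, rrtype, answer = line.split()
        if rrtype == "A":
            seen[(client, answer)].append(datetime.fromisoformat(ts))
    return seen


def direct_ip_connections(dns_text, fw_text, window=WINDOW):
    """List (client, dst_ip, port) for connections not preceded by a DNS answer for that IP."""
    resolved = parse_dns(dns_text)
    flagged = []
    for line in fw_text.splitlines():
        ts, client, _arrow, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        when = datetime.fromisoformat(ts)
        # Explained if this client received this IP as an answer shortly before connecting.
        explained = any(timedelta(0) <= (when - t) <= window
                        for t in resolved.get((client, ip), []))
        if not explained:
            flagged.append((client, ip, int(port)))
    return flagged


if __name__ == "__main__":
    for client, ip, port in direct_ip_connections(DNS_LOG, FW_LOG):
        print(f"{client} reached {ip}:{port} without resolving it; a DNS sinkhole never saw it")
```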



More information about the bind-users mailing list