[Cryptography] Apple's iCloud+ "VPN"

Ray Dillinger bear at sonic.net
Fri Jun 25 15:05:45 EDT 2021
On 6/24/21 10:26 PM, Jeremy Stanley wrote:
> On 2021-06-24 15:14:39 -0700 (-0700), Christian Huitema wrote:

>> Can users evade that by running their own DNS resolvers? Maybe,
>> but they had better be smart about it because ISPs could also
>> block port 53, the same way they blocked home SMTP servers on port
>> 25.


> if all you need to augment your name
> resolution is a handful of entries, that's pretty trivial for people
> to distribute. Update mechanisms could easily be baked into tools
> built on top of popular P2P file sharing networks to get around
> governments shutting down some specific site hosting the index.


     I will share a tale of woe that I seldom tell because it is
embarrassing.  However it is relevant.

     Here's the short version:  Configuring DNS servers to misdirect or
block access to some hosts is damage to the correct operation of the
network. The Internet was intended to be and ought to be a robust system
that routes around damage.  We should change the way our name resolvers
handle secondary, tertiary, etc, DNS servers in order to make it less
likely that such a configuration causes people to be blocked from sites
they need to access. 

     Now that you've read the short version, you can skip the rest
unless you want to actually hear a tale of woe that's embarrassing and,
tbh, still makes me angry.

     When Sonic.net outsourced DNS resolution to an outfit that blocked
requests to sites on its 'shit list' I didn't know that they had. I
spent (wasted, at great expense) hours trying to figure out what was
wrong before I picked up the phone and discovered that all I had to do
was NOT USE THE DAMN RESOLVERS THAT WERE LYING TO ME.

     God damn it, all I had to do was pick up the phone.  If I had known
that - and who to call - to start with...

     I couldn't even tell at first where I was being blocked because the
'you are trying to access malware!' page had zero correct identification
on it.  I thought at first that it was a browser issue; that the actual
page I wanted had been retrieved but some new browser "feature" or
plugin had decided not to display it.  But I disabused myself of that
notion by going first through several other browsers and then
configuring a local proxy to view the HTML source of the page actually
retrieved, as text.  That took an hour; by then I was already screwed.

     That happened because the subcontractor was handling DNS for a
dozen ISPs and didn't want to show anyone identifying information for an
ISP that wasn't the one they were using.  But because of session
variables they could helpfully tell people what browsers they were
using, as if we didn't already know, so the block screen had *that*
(false) identification on it.  And it cost me that first crucial hour. 
Once I realized that the 'block' page was actually what was coming in
over the network, I tracerouted and netcatted that thing to my own ISP's
DNS and could not believe it.  By this time it was all over and there
was nothing I could do to recover.  I was mad enough to chew bullets and
spit nails.

     It was the first time I had encountered DNS blockage outside the
context of a malicious attack; I had no idea why my ISP, whom I trusted,
would betray me in this way, and I was in a complete crazy tailspin by the
time I just ran out of any possible alternate explanation and picked up
the phone.

     A rare buying opportunity had come up and an unscrupulous trader
had immediately called in a false malware report to get that resolver to
block DNS to the trading market.  And it worked.  By the time I figured
out what the hell was wrong with DNS, the opportunity was long gone. 
Denial of service had rarely been so profitable to the malefactor.  I
was kept out of the trade, along with thousands of others.  I checked
two weeks later and discovered I had missed a 200% profit, and got mad
all over again.

     I get what happened now; I get that they were trying to protect
people from malware and didn't have any malicious intent.  I get that
they thought subcontracting DNS would be harmless.  I get that they were
trying to prevent a bunch of Windows users from getting botnetted.  I
even get that, while I wasn't looking, DNS blockage had become "normal"
at most ISPs and I'd been living in a bubble.  But I got really really
unbelievably angry about that because it cost me personally a lot of
money.  Enough to pay my ISP bills for hundreds of years, come to that.

******

     And all through this experience, my machine, which had four DNS
resolvers configured, NEVER got past the blockage on the first two.  And
the more I've considered it, the more I realize I ought to blame quite a
lot of my misfortune on the people who programmed the name resolver in
my kernel.  Or I ought to just patch it myself and submit a pull request.

     From the standpoint of network load balancing and robustness, this
is not the correct way to do things.  We should be distributing our DNS
requests between all the sources we have configured.  Even if there are
forty of them.  That should be the regular, routine mode of operation.
To minimize requests to down servers, we should try to avoid querying
any that have failed in the last 5 minutes, or any that have failed 5
times in the last two hours. We should even support a resolver mode that
queries multiple DNS servers for the same URL and then identifies and
avoids resolvers yielding inconsistent results.

     This is true even without considering privacy aspirations; as
long as even one of the DNS entries in someone's routing configuration
is running correctly, the network SHOULD NOT FAIL.  Partly because
people should not be losing large sums of money just because attackers
call in a fake malware report.  But also because people should not face
mysterious hard-to-recover failures when their primary and secondary
resolvers go down at the same time because a flood fills some provider's
basement server room.  But people should be protected from network
damage as far as possible, IMO, even when some prig convinces the local
town council to block "Internet Pornography Server LLC" or whatever. 
It's still damage.

            Bear
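The resolver policy sketched in the post above (spread queries across every configured upstream, quarantine an upstream that failed in the last 5 minutes or 5 times in the last two hours, and cross-check several upstreams to catch one returning inconsistent answers), written out as an added example. This is not code from the post or from any kernel resolver; the upstreams are constructed Python callables standing in for real DNS servers so it runs offline, the names `isp1`, `alt1`, `market.example` and the addresses are made up, and `distrusted` is a simple in-memory set rather than a persisted reputation.

```python
"""Stub-resolver selection policy, as an added example (not the post's
code): rotate across all configured upstreams, quarantine recently
failing ones, and cross-check answers to spot a lying resolver."""
import collections
import random
from typing import Callable, Dict, List, Optional, Set

# Policy knobs taken from the post: skip an upstream that failed in the
# last 5 minutes, or that failed 5 times within the last two hours.
RECENT_FAIL_WINDOW = 5 * 60
REPEAT_FAIL_WINDOW = 2 * 60 * 60
REPEAT_FAIL_LIMIT = 5

# An upstream answers a name with a set of addresses, or raises on failure.
Upstream = Callable[[str], Set[str]]


class ResolverPool:
    def __init__(self, upstreams: Dict[str, Upstream], rng: Optional[random.Random] = None):
        self.upstreams = upstreams
        # Per-upstream failure timestamps (seconds), oldest first.
        self.failures: Dict[str, collections.deque] = {n: collections.deque() for n in upstreams}
        self.distrusted: Set[str] = set()   # flagged by cross_check()
        self.rng = rng or random.Random()

    def _prune(self, name: str, now: float) -> None:
        q = self.failures[name]
        while q and now - q[0] > REPEAT_FAIL_WINDOW:
            q.popleft()

    def usable(self, now: float) -> List[str]:
        """Upstreams that are neither quarantined for failures nor distrusted."""
        out = []
        for name in self.upstreams:
            if name in self.distrusted:
                continue
            self._prune(name, now)
            q = self.failures[name]
            if q and now - q[-1] <= RECENT_FAIL_WINDOW:
                continue                      # failed within the last 5 minutes
            if len(q) >= REPEAT_FAIL_LIMIT:
                continue                      # 5 failures in the last two hours
            out.append(name)
        return out

    def resolve(self, qname: str, now: float) -> Optional[Set[str]]:
        """Try usable upstreams in random order; give up only when all fail."""
        order = self.usable(now)
        self.rng.shuffle(order)
        for name in order:
            try:
                return set(self.upstreams[name](qname))
            except Exception:
                self.failures[name].append(now)
        return None

    def cross_check(self, qname: str, now: float, k: int = 3) -> Optional[Set[str]]:
        """Ask up to k upstreams, return the strict-majority answer, and mark
        every upstream that disagreed with it as distrusted."""
        order = self.usable(now)
        self.rng.shuffle(order)
        answers: Dict[str, frozenset] = {}
        for name in order[:k]:
            try:
                answers[name] = frozenset(self.upstreams[name](qname))
            except Exception:
                self.failures[name].append(now)
        if not answers:
            return None
        best, votes = collections.Counter(answers.values()).most_common(1)[0]
        if votes * 2 <= len(answers):
            return None                       # no strict majority: cannot judge
        for name, ans in answers.items():
            if ans != best:
                self.distrusted.add(name)
        return set(best)


# Constructed upstreams (hypothetical, not real servers) reproducing the
# post's situation: two ISP resolvers serve a block page for one name,
# three alternates answer honestly, one is unreachable.
BLOCKLIST = {"market.example"}

def _honest(qname: str) -> Set[str]:
    return {"203.0.113.10"} if qname == "market.example" else {"203.0.113.1"}

def _filtering(qname: str) -> Set[str]:
    if qname in BLOCKLIST:
        return {"198.51.100.99"}              # the 'you are trying to access malware!' page
    return _honest(qname)

def _down(qname: str) -> Set[str]:
    raise TimeoutError("no response")

def make_demo_pool(seed: int = 1) -> ResolverPool:
    return ResolverPool({"isp1": _filtering, "isp2": _filtering,
                         "alt1": _honest, "alt2": _honest, "alt3": _honest,
                         "dead": _down}, random.Random(seed))


if __name__ == "__main__":
    pool = make_demo_pool()
    print(pool.cross_check("market.example", now=0.0, k=6), pool.distrusted)
    print(pool.resolve("market.example", now=1.0))
```

The cross-check needs a strict majority of honest upstreams, so it is a detection aid rather than a guarantee; with k=3 and two filtering resolvers in the sample it could just as easily vote the honest one down, which is why the demo asks all six. A real implementation would also age out `distrusted` entries and treat NXDOMAIN and SERVFAIL as answers to compare, not as failures.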
