[Cryptography] Apple's iCloud+ "VPN"

Bill Woodcock woody at pch.net
Sat Jun 26 06:48:49 EDT 2021



> On Jun 25, 2021, at 9:05 PM, Ray Dillinger <bear at sonic.net> wrote:
> This is true even without considering privacy aspirations; as
> long as even one of the DNS entries in someone's routing configuration
> is running correctly, the network SHOULD NOT FAIL.  Partly because
> people should not be losing large sums of money just because attackers
> call in a fake malware report.  But also because people should not face
> mysterious hard-to-recover failures when their primary and secondary
> resolvers go down at the same time.

Putting aside all of the rest of your arguments, some of which I very much agree with, and others of which I disagree with to one degree or other, I think you should be advocating, as I am, for implementation of Extended DNS Errors.  A huge part of the problem, from my point of view, is that users are denied knowledge of _why_ the DNS has not answered their query.

The way this usually plays out: A user configures multiple recursive resolvers operated by different parties. They think this will give them better reliability or resilience or something.  At some level, they’re not wrong, in too many cases.  Someone attacks their bank or whatever, hijacking the server’s domain, and the user does a DNS lookup in order to connect to what they assume will be their bank.  Their recursive resolver looks up the bank’s address, performs DNSSEC validation, discovers that the domain no longer validates, returns a fail to the user.  The user’s stub resolver says “gosh, I’ll try the next one, then.”  It moves on to the next recursive resolver, which happily resolves the MITM address, gives it to the user, the user is compromised and their bank account is emptied.  But they weren’t inconvenienced in their DNS resolution.

Would they have made that decision if they were actually informed of what was going on?  Well, some idiots would have clicked right through, no matter what you tell them, but a lot would have listened to their bank’s advice and their recursive resolver’s advice, and waited for their bank to re-secure their domain.

The structural problem with all this, and the reason why commercial recursive resolvers go so light on blocking, is because in the absence of any actual feedback, the fewer malicious domains they block, the more times stub resolvers will fail over to them and stick, giving them more users sending them queries to monetize.

So, passing Extended DNS Errors through to users, all the way through to the UI, is critical, to avoid the kind of problem you encountered.

                                -Bill
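A stub-resolver failover policy of the kind the post argues for, as an added example that is not part of the original message or of any resolver's code: it parses the RFC 8914 Extended DNS Error option out of a SERVFAIL response and refuses to move on to the next resolver when the error says the answer was DNSSEC-bogus or deliberately blocked, instead of silently retrying elsewhere. The bank.example query and the responses are constructed sample data.

```python
import struct

EDE_OPTION_CODE, SERVFAIL = 15, 2   # RFC 8914 EDNS option code; DNS RCODE 2
# EDE info codes (RFC 8914) meaning the resolver validated or filtered and refused:
# failing over to another resolver on these only bypasses the protection.
TERMINAL_EDE_CODES = {
    5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus", 7: "Signature Expired",
    8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing",
    15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited",
}

def skip_name(msg, off):
    # Advance past a wire-format name; a 0xC0 compression pointer ends it in two bytes.
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def extended_errors(msg):
    # Walk the message and collect (info_code, extra_text) pairs from the OPT RR.
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, edes = 12, []
    for _ in range(qd):                       # question: name + qtype + qclass
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        o = 0
        while rtype == 41 and o + 4 <= len(rdata):   # type 41 = EDNS OPT pseudo-RR
            code, olen = struct.unpack("!HH", rdata[o:o + 4])
            body = rdata[o + 4:o + 4 + olen]
            if code == EDE_OPTION_CODE and len(body) >= 2:
                edes.append((struct.unpack("!H", body[:2])[0], body[2:].decode("utf-8", "replace")))
            o += 4 + olen
    return flags & 0x0F, edes

def should_fail_over(msg):
    # Stub-resolver policy: try the next resolver only for an unexplained SERVFAIL.
    rcode, edes = extended_errors(msg)
    if rcode != SERVFAIL:
        return False, "answered"
    for info, text in edes:
        if info in TERMINAL_EDE_CODES:
            return False, f"EDE {info} ({TERMINAL_EDE_CODES[info]}): {text}"
    return True, "SERVFAIL without explanation"

def servfail_with_ede(info_code, text=b""):
    # Constructed sample: SERVFAIL for bank.example carrying one EDE option (text is bytes).
    opt = struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), info_code) + text
    header = struct.pack("!6H", 0x1234, 0x8180 | SERVFAIL, 1, 0, 0, 1)
    question = b"\x04bank\x07example\x00" + struct.pack("!HH", 1, 1)
    return header + question + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opt)) + opt
```

The EDE text is what should reach the UI; a SERVFAIL without any EDE (or with only a network-error code) still fails over as today.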
