A lock with many keys: Spoofing DNSSEC-signed domains in 8.8.8.8 (opens in new tab)

(sidnlabs.nl)

133 pointssintax4y ago30 comments

30 comments

23 comments · 4 top-level

jzer0cool4y ago· 13 in thread

What free or (non-free) DNS services is everyone using?

Cloudflare's malware blocking service is my go-to. 1.1.1.2, supporting DoH and DoT. I prefer them over Quad9 because Google blog post listed several malware domains and Quad9 only caught half, while Cloudflare caught them all. https://www.reddit.com/r/Quad9/comments/t9b9v1/quad9_not_cat...

benbristow4y ago

1.1.1.1 is good but it has a bit of an annoying issue where it won't resolve archive.is/archive.today names.

It's been discussed before

https://news.ycombinator.com/item?id=19828317

I use that site quite often so it makes it a bit of a no-go.

2 more replies

dorianmariefr4y ago

I think you meant 1.1.1.1 even though https://1.1.1.2/ redirects to 1.1.1.1

2 more replies

teddyh4y ago

Run your own resolver, on your local machine. It’s the only way.

Only if you have a local network of machines can you consider making one of these machines the resolver for the local network. A typical example of this might be your router. This machine should then not forward the DNS requests to some centralized resolver, it should resolve DNS queries itself.

1vuio0pswjnm74y ago

"Run your own resolver, on your local machine. It's the only way."

It is not the only way. I use scan.io as one source of DNS data. No need for resolvers. The needed data can be saved to a zone file for a local authoritative server or a map file for a forward proxy. The later option requires no DNS at all.

1 more reply

cubesnooper4y ago

But that would leak all of my DNS queries in cleartext.

I use cloudflared to do DNS lookups via Cloudflare’s Tor onion. It’s weak to vulnerabilities like this one, but it disassociates my DNS lookups from myself, and TLS certificates mitigate the risk of hitting spoofed sites.

1 more reply

tentacleuno4y ago

AdGuard[0]. Ad-blocking included :) It's on 94.140.14.14, 94.140.15.15 (know them by heart now) if you want to try it. I've never had a problem with them.

There's also a comprehensive list and comparison of various DNS providers at PrivacyGuides[1].

[0]: https://adguard-dns.com/ [1]: https://privacyguides.org/providers/dns/

errantmind4y ago

Two general approaches:

1. A pi-hole on my local network for most devices. I configured my router to forcibly capture all (unencrypted) DNS queries and forward them to my pi-hole, which then forwards them upstream to Cloudflare's DNS (over TLS).

2. I wrote a simple DNS forwarder (over TLS) that uses a 'shotgun' approach to ensure timely query responses, among other performance-sensitive features. I use this on all my Linux machines. It runs as a service and never fails, mean latency is much lower than other forwarders I've tried, including systemd-resolved, unbound, etc.

citizenpaul4y ago

Any chance you woukd be willing to share this shotgun dns program with HN or at least some details.sounds interesting.

xorcist4y ago

  apt-get install unbound

FireInsight4y ago

Used to use Pihole but pi disk corrupted and didn't bother to set up again. Nowadays Quad9 9.9.9.9 and local ad/tracker blocking.

mdavids4y ago

At home I have my own (Unbound) resolver, when on the road I use NextDNS.

tipoftheiceberg4y ago

NextDNS , highly recommended.

rvz4y ago· 4 in thread

> For reporting this bug, we received $5,000 from Google's bug bounty programme.

Excuse me?

That's quite an urgent and serious bug and I'm afraid that is too low, especially from a $1TN dollar company with billions of users.

hannob4y ago

It's really not.

Not many things rely on DNSSEC. Things that do rely on DNSSEC usually tend to have their own verifying resolver. (Because the idea of "we need signed DNS records, but we'll let google check that and maybe not even encrypt our connection to google" is not a very good one.)

Avamander4y ago

The very few who actually enforce DNSSEC, so that it would actually matter, probably don't trust Google.

tptacek4y ago

Google overbid this bounty by something like $4,999. The root DNSSEC keys could land on Pastebin tomorrow and almost nobody in the entire industry would need to be paged, because virtually no one relies on DNSSEC --- even the people who performatively enable it aren't actually relying on it.

This sounds like hyperbole, but it's not. That's how much of a mess DNSSEC is. Try to reason through what kind of entity would need to get paged over a DNSSEC breach, and tabletop it. It's hard for me to think of anybody who would need to care; even the people who "use" DNSSEC could wait until their next maintenance window to respond.

rosndo4y ago

There’s no such thing as a serious DNSSEC bypass.

teddyh4y ago· 1 in thread

TLDR: Google Public DNS would, until 23 February, not check that the ZSK (signing key used to sign DNSSEC DNS responses) was in turn signed by the KSK. Google would accept any signed response, by any ZSK. Even worse, they would cache this response, and present it to end users as being non-DNSSEC signed.

Upon further testing, only Google was found to have had this problem.

jeffbee4y ago

Condensation of these wordy vulnerability disclosures is a true service to the public.

dutchmartin4y ago· 1 in thread

Very cool to see a SIDN labs post here. SIDN operates the .nl extension and puts the money earned into these kinds of research projects that benefit everyone.

stingraycharles4y ago

And they’re also a major sponsor of NLNetLabs since forever, which funds the Unbound DNS server, among other things.

j / k navigate · click thread line to collapse

30 comments

23 comments · 4 top-level

jzer0cool4y ago· 13 in thread

What free or (non-free) DNS services is everyone using?

ftobin4y ago

benbristow4y ago

1.1.1.1 is good but it has a bit of an annoying issue where it won't resolve archive.is/archive.today names.

It's been discussed before

https://news.ycombinator.com/item?id=19828317

I use that site quite often so it makes it a bit of a no-go.

2 more replies

dorianmariefr4y ago

I think you meant 1.1.1.1 even though https://1.1.1.2/ redirects to 1.1.1.1

2 more replies

teddyh4y ago

Run your own resolver, on your local machine. It’s the only way.

1vuio0pswjnm74y ago

"Run your own resolver, on your local machine. It's the only way."

1 more reply

cubesnooper4y ago

But that would leak all of my DNS queries in cleartext.

1 more reply

tentacleuno4y ago

AdGuard[0]. Ad-blocking included :) It's on 94.140.14.14, 94.140.15.15 (know them by heart now) if you want to try it. I've never had a problem with them.

There's also a comprehensive list and comparison of various DNS providers at PrivacyGuides[1].

[0]: https://adguard-dns.com/ [1]: https://privacyguides.org/providers/dns/

errantmind4y ago

Two general approaches:

citizenpaul4y ago

Any chance you woukd be willing to share this shotgun dns program with HN or at least some details.sounds interesting.

xorcist4y ago

  apt-get install unbound

FireInsight4y ago

Used to use Pihole but pi disk corrupted and didn't bother to set up again. Nowadays Quad9 9.9.9.9 and local ad/tracker blocking.

mdavids4y ago

At home I have my own (Unbound) resolver, when on the road I use NextDNS.

tipoftheiceberg4y ago

NextDNS , highly recommended.

rvz4y ago· 4 in thread

> For reporting this bug, we received $5,000 from Google's bug bounty programme.

Excuse me?

That's quite an urgent and serious bug and I'm afraid that is too low, especially from a $1TN dollar company with billions of users.

hannob4y ago

It's really not.

Avamander4y ago

The very few who actually enforce DNSSEC, so that it would actually matter, probably don't trust Google.

tptacek4y ago

rosndo4y ago

There’s no such thing as a serious DNSSEC bypass.

teddyh4y ago· 1 in thread

Upon further testing, only Google was found to have had this problem.

jeffbee4y ago

Condensation of these wordy vulnerability disclosures is a true service to the public.

dutchmartin4y ago· 1 in thread

Very cool to see a SIDN labs post here. SIDN operates the .nl extension and puts the money earned into these kinds of research projects that benefit everyone.

stingraycharles4y ago

And they’re also a major sponsor of NLNetLabs since forever, which funds the Unbound DNS server, among other things.

j / k navigate · click thread line to collapse