by tssva 2843 days ago
Article starts by stating that DNS doesn't provide a means to guarantee integrity of the returned DNS data.

Then mentions DNSSEC as a protocol which exists to provide such a guarantee and promptly dismisses it along with DNSCurve and DNSCrypt as protocols which have been so infrequently deployed as to be non-existent.

Further on states that DNS over TLS and DNS over HTTPS don't solve the integrity problem but that is ok because DNSSEC will provide that.

My head is spinning.


There are two ways to ensure the authenticity of data delivered over the Internet. You can authenticate the content or you can authenticate the channel.

Overwhelmingly, practical security schemes on the Internet rely on channel security. We rely on TLS to ensure the integrity of the DOM on websites; we don't cryptographically sign the pages themselves.

All things being equal, you'd like to be doing both things. You'd like to have cryptographically signed web page DOMs, for instance (among other things, it would make web crypto a lot more useful).

But all things aren't equal: content authentication is difficult to manage in practice, and every security protocol we adopt has a cost.

Long story short: if you can protect the channels used by DNS lookups, you can get by without protecting the content. That's roughly the idea behind DoH and DoTLS.

The reality though is that all you really need is "DNS over TCP" (which, of course, we've had since basically the beginning). Practical forgery attacks against TCP DNS are difficult enough as to not be worth the trouble.

Practical forgery attacks against an arbitrary client are hard, but configuring a public WiFi AP to intercept your favourite repeating-digit DNS server is trivial. Lots of people use public WiFi!

In such a scenario a VPN is a more secure answer than DNS-over-TLS, but this isn’t a realistic answer for the average user. It has to be something that is free and easy to enable.

You're correct: DNSSEC and DNS-over-TLS/DoH (DNS-over-HTTPS) both provide different, and necessary, aspects of securing records in DNS.

DNSSEC == authentication of records. DNS-over-TLS/DoH == privacy, and authenticity of the server/client.

Both are independently useful and enforce different things for us. The biggest issue with DNSSEC is that since it's not been widely adopted, what should you do with records that either are not signed, or are incorrectly signed? Most software doesn't really have a great way of raising DNS issues to the application in a way that users or something else could provide a security exception.
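An added example (not from any commenter in this thread) of the one signal a stub resolver actually gets from the DNS wire format: the AD (authenticated data) bit in the 12-byte header, plus the SERVFAIL rcode a validating resolver returns for a badly signed zone. The header bytes below are constructed sample input, and the classification of rcode 2 deliberately cannot tell a bogus signature from an ordinary server failure, which is the gap the last comment describes.

```python
import struct

def parse_dns_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 s4.1.1): ID, FLAGS and the four
    section counts. The AD and CD bits (RFC 4035) are the DNSSEC-relevant ones."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,      # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,      # authoritative answer
        "tc": (flags >> 9) & 1,       # truncated (fall back to TCP)
        "rd": (flags >> 8) & 1,       # recursion desired
        "ra": (flags >> 7) & 1,       # recursion available
        "ad": (flags >> 5) & 1,       # resolver validated the data (DNSSEC)
        "cd": (flags >> 4) & 1,       # client asked to skip validation
        "rcode": flags & 0xF,         # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def validation_state(hdr: dict) -> str:
    """Classify what the application can learn from the header alone.
    AD is only meaningful if the stub-to-resolver channel is trusted
    (localhost, DoT or DoH); over plain UDP anyone on the path can set it.
    SERVFAIL is what validating resolvers return for a bogus zone, but the
    same rcode also means a plain outage, so the app cannot tell them apart."""
    if hdr["rcode"] == 2:
        return "BOGUS_OR_SERVFAIL"
    if hdr["ad"] and not hdr["cd"]:
        return "SECURE"
    return "INSECURE"   # unsigned zone, or a non-validating resolver

def build_header(ident: int, flags: int, an: int = 1) -> bytes:
    """Pack a header with one question and `an` answers (constructed input)."""
    return struct.pack("!HHHHHH", ident, flags, 1, an, 0, 0)

# Constructed sample responses; all have QR, RD and RA set.
SECURE_RESP = build_header(0x1234, 0x81A0)          # ... plus AD
INSECURE_RESP = build_header(0x1234, 0x8180)        # no AD bit
BOGUS_RESP = build_header(0x1234, 0x8182, an=0)     # RCODE 2 = SERVFAIL

if __name__ == "__main__":
    for name, raw in [("secure", SECURE_RESP), ("insecure", INSECURE_RESP), ("bogus", BOGUS_RESP)]:
        print(name, validation_state(parse_dns_header(raw)))
```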