Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.

Published byAlexander McLeod Modified over 10 years ago

Similar presentations

Presentation on theme: "DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009."— Presentation transcript:

1 DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009

2 The Fundamental Problem… ISP DNS DNS settings learnt via DHCP or PPP/IPCP DHCP DISCOVER DHCP OFFER DNS Servers (6) = 192.168.1.1 FAIL Please try again – the DNS proxy on 192.168.1.1 doesnt work properly (see RFC5625)

3 The Chicken and Egg Problem… ISP DNS DNS settings learnt via DHCP or PPP/IPCP DHCP DISCOVER DHCP OFFER DNS Servers (6) = 192.168.1.1 FAIL Still not right – you dont know the real DNS servers because the LAN came up before the WAN. Didnt you fix that proxy yet?

4 The Configuration Problem… ISP DNS End-user configures DNS settings DHCP DISCOVER DHCP OFFER DNS Servers (6) = 192.168.1.1 FAIL Uh-oh - someone forgot to implement TR124 requirement LAN.DNS.2. End-user supplied DNS settings SHOULD be in the DHCP OFFER. BTW – your proxy still doesnt work properly!

5 The Proposed Solution… ISP DNS Let the DHCP stuff happen Use the DNS proxy initially … to ask the recursive DNS server for a list of real DNS servers Then use those instead! IN A? domain.local.arpa. IN A 192.0.2.1

6 The Proposed Solution… ISP DNS Let the DHCP stuff happen Use the DNS proxy initially … to ask the recursive DNS server for a list of real DNS servers Then use those instead! IN A? domain.local.arpa. IN A 192.0.2.1

7 A little more detail Why were proposing this: –Because DNS proxies dont work! to get DNSSEC through to get TCP queries through The draft reserves local.arpa. –for use within a networks administrative boundaries –and domain.local.arpa for this application Version -02 will have NXDOMAIN redirect detection –probably via nxdomain.local.arpa. –if nxdomain.local.arpa == domain.local.arpa then ignore the results, your ISP is trapping NXDOMAIN

8 Things weve thrown out already Anycast –If youre going to use an Anycast address to discover DNS, you might as well use that address for all DNS!.local –Too much baggage

9 Things were still figuring out! Does the bootstrap query need additional protection, and if so, how? –DNSSEC no good, proxies break it! –A random nonce prefix? –Something else? Interaction with DNSSEC-signed.arpa –If IANA has an NSEC[3] record that says local.arpa doesnt exist, then the locally-supplied copy is bogus

10 Any Questions?

Download ppt "DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009."

Similar presentations

1 © 2001, Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved. Location Conveyance in SIP draft-ietf-sipping-location-requirements-02.

1 © 2001, Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved. Location Conveyance in SIP draft-ietf-sipping-location-requirements-02.
STUN Open Issues Jonathan Rosenberg dynamicsoft. Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they.

STUN Open Issues Jonathan Rosenberg dynamicsoft. Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they.
DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008.

DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008.
IETF 71: NETLMM Working Group – Proxy Mobile IPv6 1 Proxy Mobile IPv6 111 draft-ietf-netlmm-proxymip6-11.txt IETF 71: NETLMM Working Group – Proxy Mobile.

IETF 71: NETLMM Working Group – Proxy Mobile IPv6 1 Proxy Mobile IPv6 111 draft-ietf-netlmm-proxymip6-11.txt IETF 71: NETLMM Working Group – Proxy Mobile.
DNS46 for the IPv4/IPv6 Stateless Translator

DNS46 for the IPv4/IPv6 Stateless Translator
Renumbering Networks: RFC 4192 Fred Baker. How RFC 4192 came to be I heard one too many times on operational lists it is impossible to renumber a network.

Renumbering Networks: RFC 4192 Fred Baker. How RFC 4192 came to be I heard one too many times on operational lists it is impossible to renumber a network.
Requirements for IPv6 Customer Edge Routers draft-ietf-v6ops-ipv6-cpe-router-02 IETF 76, Hiroshima November 8-13, 2009 v6ops Working Group Hemant Singh.

Requirements for IPv6 Customer Edge Routers draft-ietf-v6ops-ipv6-cpe-router-02 IETF 76, Hiroshima November 8-13, 2009 v6ops Working Group Hemant Singh.
Applications Test Results in MIF environment draft-zheng-mif-apps-test-02.txt IETF 81 Quebec City.

Applications Test Results in MIF environment draft-zheng-mif-apps-test-02.txt IETF 81 Quebec City.
ES-4000 Mail Server Appliance. Example Definition Combine RS-3000 and ES-4000 to setup mail server with Mail Security feature. RS-3000 – WAN IP: 60.250.158.64.

ES-4000 Mail Server Appliance. Example Definition Combine RS-3000 and ES-4000 to setup mail server with Mail Security feature. RS-3000 – WAN IP:
IPv4 Run Out and Transitioning to IPv6 Marco Hogewoning Trainer, RIPE NCC.

IPv4 Run Out and Transitioning to IPv6 Marco Hogewoning Trainer, RIPE NCC.
Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Secure Network Bootstrapping Infrastructure May 15, 2014.
IPv6 DNS issues draft-ietf-dnsop-ipv6-dns-issues-00.txt

IPv6 DNS issues draft-ietf-dnsop-ipv6-dns-issues-00.txt
Ken Calvert* University of Kentucky *Speaking for myself only.

Ken Calvert* University of Kentucky *Speaking for myself only.
An Engineering Approach to Computer Networking

An Engineering Approach to Computer Networking
The Microsoft Solution. Brussels police department, how may I assist you?”

The Microsoft Solution. "Brussels police department, how may I assist you?”
1IETF56 DNSOP WG The Autoconfiguration of Recursive DNS Server and the Optimization of DNS Name Resolution in Hierarchical Mobile IPv6 Jae-Hoon Jeong,

1IETF56 DNSOP WG The Autoconfiguration of Recursive DNS Server and the Optimization of DNS Name Resolution in Hierarchical Mobile IPv6 Jae-Hoon Jeong,
Foundations of Network and Computer Security J J ohn Black Lecture #25 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #25 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.
1IETF59 DNSOP WG IPv6 DNS Discovery Issues Jaehoon Paul Jeong ETRI 1st March 2004 59th IETF – Seoul,

1IETF59 DNSOP WG IPv6 DNS Discovery Issues Jaehoon Paul Jeong ETRI 1st March th IETF – Seoul,
Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Similar presentations

Ads by Google