Re: F23 System Wide Change: Default Local DNS Resolver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2015-06-15 at 14:57 +0200, Petr Spacek wrote:
> On 12.6.2015 18:53, Dan Williams wrote:
> > On Fri, 2015-06-12 at 17:10 +0200, Petr Spacek wrote:
> >>> On Tue, 2015-06-09 at 12:30 -0400, Matthew Miller wrote:
> >>>> On Tue, Jun 09, 2015 at 11:34:39AM -0400, Paul Wouters wrote:
> >>>>> decision needs to then be made by the system. I believe that's been
> >>>>> mostly due to lack of time for the various parties to sit down and
> >>>>> plan and then program this further.
> >>>>
> >>>> We should try to make that happen.
> >>
> >> Okay, let's start once again from scratch.
> >>
> >> All of this was already discussed and we even had a huge meeting around
> >> DevConf and FLOCK 2014 about this, so following text will be just a short
> >> refresher:
> > 
> > Yeah, we did.  From my recollection, most of that focused on the unbound
> > parts and how NM could add the dns=unbound stuff (which Pavel
> > contributed) but less on the NM connectivity checking, becuase Fedora
> > hadn't turned that on by default yet.  I'm all fine with dns=unbound,
> > that's not the issue.  The issue is more around what happens with NM's
> > connectivity checking, since that's used by quite a few clients,
> > including GNOME Shell.
> > 
> >> The ultimate goal
> >> =================
> >> Make various man-in-the-middle attacks *automatically* detectable - without
> >> any user interaction. Especially we want to get rid of dialogs like "Site
> >> www.gmail.com is using certificate issued for xxx.porn and certificate's
> >> validity ended 10 years ago. Do you want to continue? [YES] [YES] [YES]".
> >>
> >>
> >> Tools
> >> =====
> >> To achieve this goal we need to do DNSSEC validation on every client machine
> >> (ignoring Docker for a moment, see below) and allow applications to use DNS as
> >> trusted source of sensitive data (certificate fingerprints, SSH fingerprints,
> >> etc.).
> >>
> >> DNSSEC allows all parties to publish their fingerprints in DNS and gives us a
> >> secure way to get the data and to detect that someone prevents us from getting
> >> the data.
> >>
> >>
> >> Longer description
> >> ==================
> >> http://developerblog.redhat.com/2015/04/14/writing-an-application-that-supports-dnssec-in-rhel-and-fedora/
> >>
> >>
> >> First step: DNSSEC validation
> >> =============================
> >> Contemporary networks are full of broken DNS proxies so we need to jump
> >> through various hoops to get non-faked DNSSEC data for DNSSEC validation.
> >>
> >> The goal of this step is to get *cryptographical* proof that the data we
> >> received are the same as DNS zone owner published.
> >>
> >> This includes two sub-problems:
> >> a) Hot-spots:
> >> Captive portal detection needs to allow user to disable all the security so he
> >> can log-in but this needs to be done in a secure and reliable way so an
> >> attacker cannot misuse this.
> >>
> >> b) Broken networks:
> >> Some networks are so broken that even without captive portal they are not able
> >> to deliver DNSSEC data to the clients.
> >>
> >> In that case will try tunnel to other DNS servers on the Internet (Fedora
> >> Infra or public DNS root) and use them. Naturally, local/internal domains need
> >> to be available.
> > 
> > While I don't actually care, this might well be a sticking point for
> > many people since their DNS information is going to an untrusted (to
> > them) DNS server.  Yeah, I tend to trust Fedora, but not everyone will.
> > Can the tunnel be turned off, or the broken servers whitelisted, or is
> > the answer here to just "dnf remove dnssec-trigger"?
> > 
> >> All these sub-problems (including VPN handling an so on) are solved by
> >> dnssec-trigger with tweaks by Tomas Hozza and Pavel Simerda.
> >>
> >>
> >> HERE we need to coordinate with other parties who might want to write into the
> >> /etc/resolv.conf file. These include (but might not be limited to):
> >>     NetworkManager
> >>     initscripts
> >>     dhclient
> >>     libreswan ?
> >>     resolved
> >>     connman
> > 
> > pppd, vpnc, openvpn, etc. should get added to the list since they all
> > have scripts that can potentially write to /etc/resolv.conf.
> > 
> >> Option is either to implement all the checks and workarounds in all the
> >> projects over and over or to implement all the logic in one place -
> >> dnssec-trigger might be such place.
> >>
> >> Anyone who is going to write to resolv.conf needs to check for captive
> >> portals, find a DNSSEC-enabled DNS server, and deal with VPN-provided DNS
> >> servers and domains.
> >>
> >> *Questions:*
> >> Guys, what are your plans for handling the situations mentioned above?
> >>
> >> Can we integrate on one place (e.g. by calling into dnssec-trigger) instead
> >> overwriting /etc/resolv.conf independently?
> > 
> > This is the real issue.  It sounds like What you're proposing is to make
> > dnssec-trigger into the "DNS broker".  The previous solutions
> > (resolvconf, NetworkManager, etc) have all failed for various reasons.
> > Touching/changing something so fundamental to the system, as you've
> > probably discovered, can be hard...
> > 
> > systemd-resolved might have a chance here, since it's small and pretty
> > simple, but they don't have an external API and don't seem interested in
> > creating one any time soon which severely limits it's usefulness.
> > 
> > If this is indeed what you're proposing, then lets have a discussion
> > about dnssec-trigger+unbound in that context, I do have some thoughts to
> > contribute here.
> 
> You understand it correctly, speak up! :-)

Ok :)  Basically, IMHO there's a need for a "DNS manager" that handles
all this stuff.  Obviously that used to be glibc, but that (a) doesn't
do DNSSEC, (b) doesn't do local caching, and (c) can't do split DNS
because of the resolv.conf format.  As I see it, we need something that
is:

1) Small, single-purpose, and lightweight
2) Aggregates DNS information from multiple sources (mDNS, nsswitch?,
NetworkManager, scripts, networkd, VPNs-not-handled-by-NM, etc)
3) Handles the DNSSEC intelligence, even if it doesn't actually do
resolution at all
4) communicates with one or more actual resolvers, including unbound,
dnsmasq, etc
5) has flexible API (eg including unix socket and D-Bus API) that allows
for split DNS

Various solutions have been proposed in the past, like NetworkManager or
resolvconf/openresolv, but those have all failed for various reasons,
partly due to the whole "choice" thing.  NM failed because not everyone
used it, and resolvconf/openresolv failed because it is too simple and
inflexible.

Given the history in this field, I don't think One DNS To Rule Them All
is going to work, either on the resolver side or the manager side, but
that shouldn't stop us from trying to create a better solution that many
people will benefit from.

It seems like systemd-resolved wants to fill this gap, but given the
politics around systemd and the lack of cooperation/solicitation of
ideas, I'm don't think it'll work in the short-term.

---

The drawbacks I see to dnssec-trigger here are:

1) cross platform, which typically (but not always, of course) means the
code isn't as simple and lightweight

2) provides only HTTPS IPC, perhaps because it works on all platforms.
But a Linux-only solution would typically use a unix socket or D-Bus and
be secured by Unix or D-Bus permissions instead of using certificates.

3) not quite as specific a project as I think people would accept; yes
this is a political problem, but when talking about something as
fundamental as DNS I think we need to address this issue head-on

---

> Generally the problem is that resolv.conf is quite limited and cannot express
> lot of things, like trust levels and per-domain forwarding (using different
> servers for queries related to different domains).

Yes, that's the biggest problem I have with it right now.

> One possibility how to solve this is to port applications to use different
> library/API for name resolution but we have learn that this is not feasible
> (recall the "everything to NSS" effort).

Yeah.

> Another alternative is to let it be as it is, which is easiest for now but it
> does not allow us to handle VPNs in the proper way and has worse
> security/privacy implications.

Not a great alternative.

> The last option I can see is to modify applications which which *modify*
> /etc/resolv.conf to use some API to pass the information to a central place
> (be it dnssec-trigger or something else) and solve this by machinery added on
> top of Unbound or other DNSSEC-validating resolver. It is quite a bit of work
> but still, this should be *much* easier than modifying all *client*
> applications to use different API and is almost 100 % backwards compatible.

Agreed, and that's what NM would push information to.  Obviously some
applications are still going to try writing to resolv.conf, but I think
that number is trivial since we can modify most of the applications
shipped in Fedora.

Dan

> I'm very open to other ideas how we can solve this problem in an elegant, easy
> way.
> 
> Petr Spacek  @  Red Hat
> 
> >> Second problem: API for applications
> >> ====================================
> >> (this second step is not part of the F23 feature but it is worth discussing)
> >> Applications and crypto libraries need "an" interface to get DNS data which
> >> are either 100 % correct or declared as not trusted. False positive (trusted)
> >> answers are simply unacceptable because that would allow serious attacks.
> >>
> >> Imagine that OpenSSH client is verifying server's fingerprint against the
> >> value obtained from DNS *instead of asking the user*. If the client accepted a
> >> fake response with faked server's fingerprint then everything is doomed.
> >>
> >>
> >> The proposal https://sourceware.org/ml/libc-alpha/2014-11/msg00426.html on
> >> glibc mailing list is to extend getaddr API with flag which says 'secure
> >> answers only'. This will return an answer only if DNSSEC validation for given
> >> answer was successful and the answer was properly signed.
> >>
> >> The assumption here is that something like dnssec-trigger properly configures
> >> local resolver (using the information from DHCP + applying all the necessary
> >> workarounds) to do DNSSEC validation locally so we are 100 % sure that the
> >> fake answer can be detected.
> >>
> >> The open question is how to pass the information about security status to all
> >> the parties. The mechanism needs to be simple so other resolver libraries like
> >> e.g. python-dns can follow the same rules and use the same logic as Glibc.
> >>
> >> Possible states:
> >> a) We are in hot-spot sign-on mode or validating resolver is unavailable for
> >> some reason (early boot, resource constraints, Docker container [finally!],
> >> and so on):
> >>
> >> In this case *nothing* can be trusted. Resolver might return faked answers and
> >> we have no means to check if declared trustworthiness is correct or not.
> >> Again, we need to be 100 % sure from the cryptographical point of view.
> >> => Application MUST NOT receive any answer marked as "secure"/"trusted" if we
> >> are in this mode.
> >>
> >>
> >> b) Validating resolver is up, running, properly configured, and the path to
> >> the resolver is trusted - it might be running on localhost or we are in Docker
> >> container and we trust the host and so on.
> >>
> >> In this case we trust to the result of validation indicated by AD bit.
> >> Application will receive the answer marked as trusted if the resolver tells us
> >> to do so by AD bit in the DNS reply.
> >>
> >> Please read the post on Glibc mailing list for more details.
> >>
> >> Any suggestions how to do that are more than welcome!


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux