The Security Considerations section for this document is much too
narrow. It ignores one of the main reasons that many organizations
purposely choose to provide recursive lookup to the public, namely
for their own roaming users. Without an open, known-good nameserver
at a fixed address, roaming users need to trust whatever is given to
them by their ISP at the moment, and it is reasonable for
organizations to consider this too large of a risk. Unless the
organization has a way to tunnel DNS queries back to a non-recursive
nameserver (such as through IPsec), having a recursive nameserver
available increases the security of their roaming users.

There are two major reasons for an organization to not want roaming
users to trust locally-assigned DNS servers.

- An attacker might have compromised the DHCP server to which the
user connects to point to a compromised DNS server. Although such an
attacker can also cause the DHCP server to point to a compromised
next-hop router, it is easier and less detectable for most attackers
to compromise a DNS server than a router. There are plenty of
examples where compromised DNS servers lead to spoofing and MITM
attacks.

- Some ISPs use DNS servers that purposely do not follow the same
good practices that the organization uses. In particular, some ISPs
have used bogus TLDs and name-lookup services to generate revenue.

The Security Considerations section needs to deal with these issues,
even if they do not change the advice given in section 4.

--Paul Hoffman, Director
--VPN Consortium