Hello Fermando and the maillist, I just found that I forgot to address one question in my previous mail. Here is the addition. On Sat, Aug 11, 2018 at 6:00 PM Fernando Gont <fgont@xxxxxxxxxxxxxxx> wrote: > * Page 15 (Security Considerations): > > DoH essentialy switches from a connection-less transport (UDP) to a > connection-oriented one (TCP). This means that now the server should take care > of all state-exhaustion attacks against TCP (e.g., take a look at: > https://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf). Defending > against such attacks maybe non-trivial. This should at least be mentioned in > the security considerations. On contrast, by switching from UDP to TCP, the server is now able to defend attacks more *easily*. 1) TCP requires 3-way handshake before establishing the connection. This prevented simple DoS attack with spoofed source address since the attacker will not receive the 2nd packet. 2) In the past, the server started to allocate resources upon receiving the first SYN packet, making it vulnerable to SYN Flood attack. Now we use SYN Cookies [RFC 4987], so the server does not allocate resources until the 3-way handshake has finished, to mitigate the attack as long as the server's Internet pipe is not full. 3) UDP is vulnerable to UDP Amplification attack, that is to send a very small request, requiring kilobytes of response. Combined with spoofed source address (1), the attacker can make request and response packets bouncing between 2 servers, producing a 2^n amount of junk traffic, preventing the server from operating. Typical amplification victims include DNS and NTP, and they are all UDP . 4) Nowadays, the majority of DDoS attack is to send TB/s or PB/s of arbitrary garbage to fill the server's 100Mbps Internet pipe to make your server offline. Generally you need a powerful hardware firewall to wash out the garbage, and as many as BGP peers with other ISPs so legitimate users can reach your server directly in a clean pipe. For this type of attack, UDP and TCP have no difference. 5) We already have many articles talking about TCP/IP security [RFC 4953, 4987, 5961, 6528, etc]. I disagree that we need to talk about everything from TCP to IP to Ethernet in this DoH document. On Sun, Aug 12, 2018 at 8:59 AM Star Brilliant <m13253@xxxxxxxxxxx> wrote: > > Hello Femando and the mail list, > > Thanks for your review! > > I would like to answer some of the questions based on what the contributors had discussed before. > > Paul Hoffman is the core author, so if I made a mistake, please consider his answer as the authoritative. > > > On Sat, Aug 11, 2018 at 6:00 PM Fernando Gont <fgont@xxxxxxxxxxxxxxx> wrote: > > > > * Page 5: > > > Using the GET method is friendlier to many HTTP cache > > > implementations. > > > > Could the queries really be cached for the POST case? > > Yes, they can. > > >From RFC 7231: "In general, safe methods that do not depend on a current or authoritative response are defined as cacheable; this specification defines GET, HEAD, and POST as cacheable, although the overwhelming majority of cache implementations only support GET and HEAD." > > But GET is friendlier than POST, because of the fact most ISP's transparent proxy or cloud WAF systems do not cache POST. > > > > * Page 15: > > > It is the choice of a client to either > > > perform full DNSSEC validation of answers or to trust the DoH server > > > to do DNSSEC validation and inspect the AD (Authentic Data) bit in > > > the returned message to determine whether an answer was authentic or > > > not. > > > > Relying on the DoH server for DNSsec validation does not seem like a good idea. > > You want DNSsec to be end-to-end. > > We discussed about this paragraph before. The problem depends on how you deploy DoH services. > > 1) For most people's needs, the users grab a list of DoH servers from the Internet and configure their systems to use the DoH servers. These public servers are untrustworthy. So the users need to validate DNSSEC at their end. > > 2) A web-based application using DoH with a pre-configured server maintained by the application author. Then the server has the same trust level as the JavaScript code that validates the records. If anyone does not trust the server, they should not use the web app. In addition, by checking the records on the server, we can save some bandwidth for mobile users. > > 3) A dedicated enterprise cloud environment with hundreds of machines, serving trillions of requests per day. The administrator would want to offload the DNSSEC check to the gateway to reduce service latency, improve cache hit-rate, reduce intra-AS bandwidth cost, and to increase service quality. > > 4) A resource-constrained device (some Arduino or ESP8266 or other IoT-like things). You will want to delegate the check to your PC as long as the PC can be trusted. > > Conclusion: People use DoH in different ways. Sometimes it is better to "give the user more choices, but make the default choice secure". > Therefore, we have the text "It is the choice of a client to either trust or distrust". > > > > > * Page 15 (Security Considerations): > > > > DoH essentialy switches from a connection-less transport (UDP) to a > > connection-oriented one (TCP). This means that now the server should take care > > of all state-exhaustion attacks against TCP (e.g., take a look at: > > https://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf). Defending > > against such attacks maybe non-trivial. This should at least be mentioned in > > the security considerations. > > > > * Page 16:> > > > HTTP [RFC7230] is a stateless application-level protocol and > > > therefore DoH implementations do not provide stateful ordering > > > guarantees between different requests. > > > > Are you meaning that requests that are pipelined could be responded in > > different order? Something else? > > The DNS wire protocol is not always a single query-and-response model. Some functions (e.g. zone transfer) require multiple messages to be sent and received. As already stated in the text elsewhere, DoH does not support this kind of functions (at least not in this version). > > > > > * Page 16: > > > A DoH server is allowed to answer queries with any valid DNS > > > response. For example, a valid DNS response might have the TC > > > (truncation) bit set in the DNS header to indicate that the server > > > was not able to retrieve a full answer for the query but is providing > > > the best answer it could get. A DoH server can reply to queries with > > > an HTTP error for queries that it cannot fulfill. > > > > Why should this happen? Why not encode this information in the encoded DNS > > response (in wire format)' > > If you are asking about "an HTTP error", here is the explain: > > 1) Some errors indicates a problem happening on HTTP layer, not DNS layer.. > For example, 302 Redirection, 404 Not Found, 401 Unauthorized > > 2) Sometimes it is technically impossible to reply with an encoded DNS response. > For example, the web server crashed, throwing a default 500-504 error page > > DoH is a double-layered protocol. It is intuitive that each layer may break, resulting with an error that represents that layer. (Additionally, since DoH runs on TCP/IP, a DoH server can even reply with an icmp-port-unreachable error.) Layered error is the nature of Internet protocols. > > If you are asking about the TC bit, this happens in many situations. One cause is broken TCP on the authoritative server, which happens quite frequently with anycast servers.