tfpauly / draft-pauly-adaptive-dns-privacy

Adaptive DNS Privacy

[Privacy] Malicious oDoH target can learn the client's IP address through an active attack #136

Closed skepticfx closed 2 years ago

skepticfx commented 4 years ago

Not entirely sure how this fits in the threat model, but I thought it is worth documenting this scenario so implementations can pay attention.

Attack

An oDoH target can abuse the round-robin mechanism in the client's transport implementations (TCP, UDP transports, etc.).

A DNS response for a query type=A can contain multiple answers:

$ dig website.com +short
172.67.27.106
104.22.67.195
104.22.66.195

As a malicious oDoH target, it gets to decide the number of answer records and the value in those answers. In the example above, the DNS query (Q=website.com) has 3 IP addresses in the response. Instead, the oDoH target can respond with (A+1) IP addresses, where the oDoH target controls the new answer (say X).

In an active attack, this would look like this:

$ dig website.com +short
X=<ip-address-controlled-by-oDoH-target>
172.67.27.106
104.22.67.195
104.22.66.195

Depending on the client's implementation of the DNS round-robin, the client would first Dial(X) before the other set of answers in A. The server at the IP address (X) serving this request would time out but note the client's IP address. The oDoH target can now learn the client's IP address and the corresponding DNS query.

Mitigations

Since this is an active attack, it is possible to use external monitoring to ensure the oDoH target behaves as expected.
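One way to implement the external monitoring suggested above, as an added example that is not part of the issue or the draft: compare the answer set the oDoH target returns for a name with what independent reference resolvers return, and flag any answer that no (or too few) reference resolvers corroborate, recording its position since an in-order client dials position 0 first. The sample data, the resolver names and the extra address 198.51.100.7 (a documentation-range address standing in for X) are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the three answers from the dig output in the issue, plus one
# extra record (198.51.100.7, standing in for the target-controlled answer X)
# that only the oDoH target returns.
TARGET_ANSWERS = ["198.51.100.7", "172.67.27.106", "104.22.67.195", "104.22.66.195"]
REFERENCE_ANSWERS: Dict[str, List[str]] = {
    "resolver-a": ["104.22.66.195", "172.67.27.106", "104.22.67.195"],
    "resolver-b": ["172.67.27.106", "104.22.67.195", "104.22.66.195"],
}


def normalize(answers: List[str]) -> List[ipaddress.IPv4Address]:
    """Parse answer strings as IPv4 addresses; malformed strings are dropped."""
    out = []
    for a in answers:
        try:
            out.append(ipaddress.IPv4Address(a))
        except ValueError:
            continue
    return out


def audit_answers(target: List[str], references: Dict[str, List[str]],
                  min_corroboration: int = 1) -> List[Tuple[int, str]]:
    """Return (position, address) for every target answer that fewer than
    `min_corroboration` reference resolvers also returned.  Position matters:
    a client that dials answers in order contacts position 0 first."""
    seen: Dict[ipaddress.IPv4Address, int] = {}
    for answers in references.values():
        for addr in set(normalize(answers)):   # count each resolver once per address
            seen[addr] = seen.get(addr, 0) + 1
    findings = []
    for pos, addr in enumerate(normalize(target)):
        if seen.get(addr, 0) < min_corroboration:
            findings.append((pos, str(addr)))
    return findings


def first_answer_uncorroborated(target: List[str],
                                references: Dict[str, List[str]]) -> bool:
    """True when the first answer, the one an in-order client dials first,
    is unknown to every reference resolver: the shape of the attack above."""
    return any(pos == 0 for pos, _ in audit_answers(target, references))


if __name__ == "__main__":
    for pos, addr in audit_answers(TARGET_ANSWERS, REFERENCE_ANSWERS):
        print(f"uncorroborated answer at position {pos}: {addr}")
```

Answer order from real resolvers rotates, so the check deliberately compares sets and only uses position to rank how likely a client is to contact the uncorroborated address.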

Lekensteyn commented 4 years ago

Similar considerations from DoH apply to ODoH. In particular, from https://tools.ietf.org/html/rfc8484#section-9

The HTTPS connection provides transport security for the interaction between the DoH server and client, but it does not provide the response integrity of DNS data provided by DNSSEC.

In the case of ODoH, it provides privacy to the client, but response integrity should be out of scope.

skepticfx commented 4 years ago

I think the DoH security promise makes sense. From the DoH (https://tools.ietf.org/html/rfc8484) abstract:

This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.

Reading the ODoH (https://www.ietf.org/id/draft-pauly-dprive-oblivious-doh-02.html) abstract:

This document describes an extension to DNS Over HTTPS (DoH) that allows hiding client IP addresses via proxying encrypted DNS transactions. This improves privacy of DNS operations by not allowing any one server entity to be aware of both the client IP address and the content of DNS queries and answers.

I feel it is at least worth noting down how the lack of DNSSEC or integrity verification diminishes the privacy promises ODoH provides.

chris-wood commented 2 years ago

This is already covered in the security considerations. Closing.