No Sniff, Sherlock
September 24, 2019 9:51 AM   Subscribe

What could Holmes (or anyone else) learn from strolling past a house while sniffing DNS queries? Quite a lot, actually. That's why encrypting DNS is important, and why some people aren't keen on it. This short-short story about Watson and Holmes is a nice little introduction to why it matters.
posted by zenzenobia (27 comments total) 19 users marked this as a favorite
 
It's gonna be great when malware creators get a hold of DOH and exploit it for data exfiltration.
posted by nikaspark at 9:58 AM on September 24, 2019


I'm fascinated that there are companies like Paul Vixie's Farsight Security that are recording every single DNS query made on the Internet, for bulk analysis. They brag that "Farsight observes over 200,000 DNS resolutions per second." If DNS were properly secure, they'd be able to observe 0 DNS resolutions. That's the future we want.

It's not even that I don't trust Farsight. They've said appropriate things about only analyzing data in bulk to protect individuals, and they seem to be using the data for good. But if they can sniff that data so can ISPs, and the advertisers they sell the data to. Not to mention the US government. It gives away far too much. I don't love the idea of DNS-over-HTTP itself but it's the best practical option we seem to have. (Once again I lament the death of IPSEC).

A fascinating example of DNS surveillance in action: this 2018 story about Trump and a Russian bank, the mystery of why servers in the Trump Organization were spending so much time talking to Alfa Bank. See all the comments from "Max", it's clear in retrospect their source must be DNS queries.
posted by Nelson at 10:00 AM on September 24, 2019 [6 favorites]


It's gonna be great when malware creators get a hold of DOH and exploit it for data exfiltration.

Well, you do know it's relatively simple to run a full TCP stack over dns, right?
posted by DreamerFi at 10:22 AM on September 24, 2019 [3 favorites]


Once again I lament the death of IPSEC

Every network engineer who ever suffered supporting large scale IPSEC infrastructures (6,000+ GRE tunnels) does not lament the death of it...

DMVPN is pretty cool, but really I'd like something more like GET VPN over a dynamic MPLS-Based internet...would be interesting to see if BGP and MPLS could somehow merge into another protocol stack that provides the dynamic label switching and pathing of MPLS with the scalability of BGP....Cause then you could just use Group Encrypted Transport as a dynamic layer and everything in the frame would be encrypted and all we'd see are label-switched paths...

There's a lot I'm not thinking about here so maybe the idea is totally ridiculous and not even worth considering...At a principle level think routing over TCP and using DNS as the glue to hold that data flow together was brilliant in 1995 but I think somewhere in the IETF we really we need to be totally reconsidering how the internet routing and data flow mapping is done. DNS over HTTPS seems like a good stopgap to getting to better privacy and I fully support it, but I also recognize that when threat actors get a hold of this protocol then threat hunting organizations are going to lose a valuable security research tool.

It's a tradeoff of course, I wish we just had will and the time to look at some of the fundamental assumptions of the base layers of the internet and reconsider them as a whole instead of re-creating the hacky patch work that created this mess in the first place.

An now that I think about what it would take to take a holistic approach has me considering that maybe the IETF itself is just engineering disease writ large...
posted by nikaspark at 10:32 AM on September 24, 2019 [3 favorites]


The story is cute but she left the explanation as an exercise for the reader which is annoying. Can someone give a layperson explanation of why, for example, we know it's a whirlpool fridge and not an internet-enabled dryer or something?
posted by Wretch729 at 10:41 AM on September 24, 2019 [1 favorite]


@wretch: tools like shodan.io give you a pretty large database of devices and endpoints that exist on the internet. So basically you can do a bunch of recon on that DNS endpoint using a tool called nmap (and a lot of other tools as well) or you could just write a script that calls the shodan.io API which returns back a lot of useful information for you.

The threat here is that I can just sniff your DNS queries and see if there's a web server that has specific vulnerabilities that I can then go after, or maybe the application data that I can't see is something like a digital concert ticket, but I can infer that from the endpoint which is say, inside an Amazon S3 bucket, and maybe that S3 bucket isn't properly secured, and in a case like that maybe I can now figure out how to say, download everyone's concert ticket to a Rolling Stones show.

DNS reveals a server endpoint, from there you can basically go in and query and recon that endpoint and see if there's anything valuable there. And you can do all this totally out-of-band without being detected.
posted by nikaspark at 10:48 AM on September 24, 2019 [2 favorites]


It's gonna be great when malware creators get a hold of DOH and exploit it for data exfiltration.

I don't know much about the technologies involved but if it's DNS-over-https can't they do that using plain old https already?
posted by each day we work at 11:32 AM on September 24, 2019 [1 favorite]


It's gonna be great when malware creators get a hold of DOH and exploit it for data exfiltration.
What's the thread model where this allows something which isn't possible using HTTPS / TLS already? Malware vendors and many others have already been shipped code which hard-codes expected certificates, server addresses, use of public resolvers, etc. I'm assuming the thought is something like DOH allows you to resolve hostnames without the local network being able to notice but it's not like there isn't plenty of prior art for other ways around it, with everyone serious about security pushing towards restricting traffic to a vetted list of approved services.
posted by adamsc at 11:58 AM on September 24, 2019 [2 favorites]


The story is cute but she left the explanation as an exercise for the reader which is annoying. Can someone give a layperson explanation of why, for example, we know it's a whirlpool fridge and not an internet-enabled dryer or something?
Can you even have a Sherlock Holmes story without Holmes grossly overreaching to make an inference which he then proceeds to treat as undisputed fact?
posted by Nerd of the North at 12:05 PM on September 24, 2019 [8 favorites]


It’s gonna be great when malware creators get a hold of DOH and exploit it for data exfiltration.
It’s already happened. Here’s an analysis of malware found in April that uses DNS over HTTPS to obscure what it’s doing.

I get that blue teams are losing a common and effective defensive tool, and I’m sorry for them. I get that these downsides are not just theoretical. But the downsides to all of us of having all our DNS queries unencrypted are also not theoretical, and I don’t think it would be a good tradeoff to punish all of us because of these bad actors. Like adamsc says, the more sophisticated malware authors were already avoiding running cleartext DNS queries anyway.
posted by brett at 12:08 PM on September 24, 2019 [3 favorites]


What I don't get is even if you have secure DNS, the resolved IP address is used in your unencrypted IP headers. The network has to be able to route the traffic, after all. It's easy to do a reverse DNS lookup on those IP addresses and get the same information.

For instance, the article lists "94.130.66.93 mokum.place" (which I selected at random). But I can do a reverse DNS lookup on "94.130.66.93" and get... "mokum.place".

Sure, there are cases where several domains share the same IP, but you still get granular information about the endpoints.

Using a VPN would be a way to avoid this, if you can find a trustworthy one that is.

I'm probably missing something. Can someone explain?
posted by sjswitzer at 12:25 PM on September 24, 2019 [3 favorites]


yeah, it's the never-ending struggle in security between privacy and surveillance.

Really "security" needs to move more into business development as the internet becomes more commercialized, because IMO what we need is comprehensive end to end privacy with businesses developing marketplaces where the value of the business is less lucrative than the expense required to break the privacy model.
posted by nikaspark at 12:28 PM on September 24, 2019


You can't win with DNS. Encrypting DNS queries helps but ultimately you have to trust the actual endpoint, which is honestly not that easy to do. Google DNS? Google knows everything you're looking up. Which seems bad, but is probably better than your ISP's DNS where they're very definitely selling your aggregated DNS query data. And serving ads for queries that don't resolve.

Sure, there are cases where several domains share the same IP, but you still get granular information about the endpoints.

It's easier and like you say, reverse lookup doesn't work for stuff that's hosted on AWS or google cloud or whatever. Which is a lot of things.
posted by GuyZero at 12:35 PM on September 24, 2019


Reverse lookups may or may not work, but a big cache of forward lookups will always work to let you reverse addresses. But I think the fact that many domain names are on a single IP address does really matter, and preserves some privacy. Also while endpoint addresses are indeed unencrypted those are not routinely sent to third party servers (like DNS is) for resolution. The routing infrastructure can still track you, but not random DNS servers.

Anyway no one's claiming to solve traffic analysis, at least not yet. Tor is the only working technology for that and the overhead is so enormous I'm being generous calling that "working".
posted by Nelson at 12:53 PM on September 24, 2019


Is it just me, or is the ISP argument against DoH hollow? If they're tasked with blocking, say, kiddie porn, DoH doesn't prevent this.

DoH lets someone type kiddie.porn.com and receive the IP address 12.34.56.78, but theoretically the ISP can (and should) be blocking that IP address.

A given server/IP address can have any number of domain names that direct to it; the ISPs are supposed to block the content and that means blocking the servers, not blocking the domain names!
posted by explosion at 1:23 PM on September 24, 2019


They didn't explain how Holmes cracked the WPA security of that house's wifi, in order to see the queries at all.
I mean, it's not hard to crack WPA, but it's not exactly something you can do while wardriving, as far as I know.
posted by Galaxor Nebulon at 1:38 PM on September 24, 2019 [4 favorites]


I mean, you can crack wpa while wardriving, but I didn't think you could count on it succeeding.
posted by Galaxor Nebulon at 1:45 PM on September 24, 2019


Sure, there are cases where several domains share the same IP, but you still get granular information about the endpoints.
This has substantially changed over the years as more sites use CDNs and cloud services: for example, Cloudflare claims 20M sites and 10% of the Fortune 1000 and their design means it’s much less likely to see dedicated IPs than you might have seen years ago. Amazon has a similarly large customer range. (TLS SNI leaks host headers to the network operator but that requires more infrastructure to catch and forces you to know whether AWS IP x was valid for site y at that time or a clever malware user was spoofing it, requiring more work.)
posted by adamsc at 2:31 PM on September 24, 2019 [1 favorite]


GuyZero's correct that trusting your DNS provider is essential, but encryption helps. I mean, right now I use a DNS provider other than my ISP, but I really have to trust them *and* my ISP because there's no guarantee that they aren't grabbing DNS queries en route and recording them for posterity.
posted by mikeh at 3:45 PM on September 24, 2019


I know for a fact that my ISP plays shenanigans with DNS (redirecting not-founds to their own pages... at least), so I use an alternate DNS (whom I trust more since there are more eyes on it, not for any inherent belief in trustworthiness). Yeah, my ISP could redirect those queries to their own servers but so far they haven't (AFIK).

So, mikeh makes an important point! A secured DNS connection would also mean you're talking to the DNS you think you are rather than one your ISP (or hotspot) prefers.
posted by sjswitzer at 4:02 PM on September 24, 2019


there's no guarantee that they aren't grabbing DNS queries en route and recording them for posterity.

For some people this is a feature and not a bug - many Google devices hardcode to Google's DNS servers because they don't trust ISP DNS at all and on top of that ISP DNS servers are often slooooow.

But! using Google for all your DNS needs prevents local DNS naming so there are some bad-asses out there with routers that capture all outgoing traffic to 8.8.8.8 and redirect it to their own DNS servers.

Like I said, with DNS you can't win. You just get to choose how to lose.
posted by GuyZero at 4:32 PM on September 24, 2019


Encrypted DNS is indeed a good thing.
Cramming yet another feature into web browsers is a bad thing.
Adding yet another single point of failure into network design is a bad thing.
Forcing IT to work around a half-assed implementation is a bad thing.
Making IT opt-out of someone's ill though out experiment is a bad thing.
DNS-over-HTTPS is a bad thing.

You want to secure things, force the use of IPv6, force the use of IPSec, encrypt all the packets end-to-end, don't half-assedly encrypt every new protocol as it comes along, encrypt every packet, all the time.
posted by madajb at 9:14 PM on September 24, 2019 [1 favorite]


Reverse lookups may or may not work, but a big cache of forward lookups will always work to let you reverse addresses.

I thought so until I tried to limit my son's YouTube access time. And... strictly speaking, it's more-or-less true. But your cache will need to take into account who asked, and when in order to distinguish what a particular endpoint is talking to. In theory my cache is pretty good, and I still have to guess on some of my connections.
posted by wotsac at 7:45 AM on September 25, 2019 [2 favorites]


Relevant: Cloudflare releases WARP VPN service for mobile users
posted by armoir from antproof case at 5:14 PM on September 25, 2019


Google Draws House Antitrust Scrutiny of Internet Protocol. ISPs are mad that they can't spy on user DNS requests any more and have convinced Congress to add encrypted DNS to the list of things to consider as an antitrust concern when looking in to Google. What a twisted way to look at things.

Note this garbage in the article:
But the new standard could alter the internet’s competitive landscape, cable and wireless companies say. They fear being shut out from much of user data if browser users move wholesale to this new standard, which many internet service providers don’t currently support.
The whole point of encrypted DNS is to shut ISPs out of that user data. It's none of their damn business. And if you don't support encrypted DNS it's your own stupid fault for not implementing it.
posted by Nelson at 7:46 AM on September 29, 2019


How DNS over HTTPS is Reshaping Privacy, Performance, and Policy in the Internet Ecosystem. A really thoughtful academic article on what the impact of DNS over HTTPS will be. I was particularly struck by something in section 4.1 I had not known about:
one of the FCC’s core arguments rests on the assertion that “the vast majority of ordinary consumers rely upon the DNS functionality provided by their ISP,and the absence of ISP-provided DNS would fundamentally change the online experience for the consumer”. But, as discussed above, DoH allows browsers, applications or web sites to substitute for the ISP-provided DNS function without any noticeable impact to the end user experience. If ISP-provided DNS is no longer critical, then an important rationale for the treatment of Internet service as an information service falls away.
That has significant implications for net neutrality. Put more simply, DoH means that your ISP is more like a dumb pipe than a smart information service.
posted by Nelson at 9:43 AM on September 29, 2019


UK fears DoH will cripple its national web blocking scheme
Ah, once again the net perceives censorship as damage and routes around it.
posted by Mitheral at 10:04 AM on September 29, 2019


« Older A list of wellness myths, debunked   |   A little conversation about topographical agnosia... Newer »


This thread has been archived and is closed to new comments