Re: Last Call: draft-ietf-dnsop-reflectors-are-evil (Preventing Use of Recursive Nameservers in Reflector Attacks) to BCP
The Security Considerations section for this document is much too
narrow. It ignores one of the main reasons that many organizations
purposely choose to provide recursive lookup to the public, namely
for their own roaming users. Without an open, known-good nameserver
at a fixed address, roaming users need to trust whatever is given to
them by their ISP at the moment, and it is reasonable for
organizations to consider this too large of a risk. Unless the
organization has a way to tunnel DNS queries back to a non-recursive
nameserver (such as through IPsec), having a recursive nameserver
available increases the security of their roaming users.
There are two major reasons for an organization to not want roaming
users to trust locally-assigned DNS servers.
- An attacker might have compromised the DHCP server to which the
user connects to point to a compromised DNS server. Although such an
attacker can also cause the DHCP server to point to a compromised
next-hop router, it is easier and less detectable for most attackers
to compromise a DNS server than a router. There are plenty of
examples where compromised DNS servers lead to spoofing and MITM
attacks.
- Some ISPs use DNS servers that purposely do not follow the same
good practices that the organization uses. In particular, some ISPs
have used bogus TLDs and name-lookup services to generate revenue.
The Security Considerations section needs to deal with these issues,
even if they do not change the advice given in section 4.
--Paul Hoffman, Director
--VPN Consortium
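The two concerns above (a DHCP-assigned resolver that has been tampered with, and an ISP resolver that synthesizes answers for names that should not exist) can both be turned into a client-side sanity check. The following is an added example, not code from the message, the draft, or the IETF: a roaming client compares the locally assigned resolver against the organization's known-good resolver. It probes a random label under the reserved `.invalid` TLD (RFC 2606), which must always return NXDOMAIN, and cross-checks a few reference names. Resolvers are modelled as injected functions over constructed lookup tables so the check runs offline; in a real deployment each would wrap a DNS library call aimed at a specific server address (an assumption, not something the message specifies).

```python
"""
Resolver sanity check for roaming clients (added example, not the draft's
or the author's code). A "resolver" is any callable name -> set of address
strings, or None when the server answers NXDOMAIN. Table-backed resolvers
below stand in for real DNS queries so the example runs without a network.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

Resolver = Callable[[str], Optional[Set[str]]]


@dataclass
class CheckResult:
    rewrites_nxdomain: bool            # local resolver answered a name that cannot exist
    mismatched_names: Dict[str, Tuple[Optional[Set[str]], Optional[Set[str]]]] = field(default_factory=dict)

    @property
    def ok(self) -> bool:
        return not self.rewrites_nxdomain and not self.mismatched_names


def random_nonexistent_name() -> str:
    # .invalid is reserved (RFC 2606) and can never be delegated, so any
    # positive answer for it is synthesized by the resolver in the path.
    return f"{secrets.token_hex(8)}.invalid"


def check_local_resolver(local: Resolver,
                         trusted: Resolver,
                         reference_names: Iterable[str],
                         probe: Optional[str] = None) -> CheckResult:
    """Compare the DHCP-assigned resolver with the organization's known-good one."""
    probe = probe or random_nonexistent_name()
    result = CheckResult(rewrites_nxdomain=local(probe) is not None)
    for name in reference_names:
        local_answer = local(name)
        trusted_answer = trusted(name)
        if local_answer != trusted_answer:
            # Differing answers for the same name point at a spoofed or
            # rewritten response (the MITM case described in the message).
            result.mismatched_names[name] = (local_answer, trusted_answer)
    return result


def make_table_resolver(table: Dict[str, Iterable[str]],
                        wildcard: Optional[Iterable[str]] = None) -> Resolver:
    """Constructed stand-in for a DNS server; `wildcard` simulates NXDOMAIN rewriting."""
    frozen = {name: set(addrs) for name, addrs in table.items()}
    wild = set(wildcard) if wildcard else None

    def resolve(name: str) -> Optional[Set[str]]:
        if name in frozen:
            return set(frozen[name])
        return set(wild) if wild is not None else None
    return resolve


# Constructed sample data (documentation-range addresses, not real servers).
REFERENCE_NAMES = ["www.example.com", "mail.example.com"]
TRUSTED = make_table_resolver({"www.example.com": ["192.0.2.10"],
                               "mail.example.com": ["192.0.2.25"]})
HONEST_LOCAL = make_table_resolver({"www.example.com": ["192.0.2.10"],
                                    "mail.example.com": ["192.0.2.25"]})
# A resolver that redirects one name and answers every nonexistent name.
REWRITING_LOCAL = make_table_resolver({"www.example.com": ["192.0.2.10"],
                                       "mail.example.com": ["203.0.113.7"]},
                                      wildcard=["203.0.113.99"])

if __name__ == "__main__":
    for label, local in (("honest", HONEST_LOCAL), ("rewriting", REWRITING_LOCAL)):
        r = check_local_resolver(local, TRUSTED, REFERENCE_NAMES)
        print(f"{label}: ok={r.ok} nxdomain_rewrite={r.rewrites_nxdomain} "
              f"mismatches={sorted(r.mismatched_names)}")
```

When the check fails, the sensible client policy is the one the message implies: fall back to the organization's fixed-address resolver (or a tunnel to it) rather than keep using the locally assigned one.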
_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
Note Well: Messages sent to this mailing list are the opinions
of the senders and do not imply endorsement by the IETF.