DoH no!

As was entirely predictable DNS-over-HTTPS has now been implicated in a spam campaign. Google DoH instance was used to access TXT records to control the spam campaign via a bit of javascript on web pages. This isn’t a weakness in DNS or for that matter in DoH, it’s just using Googles DoH as a side channel. They could have achieved the same thing by accessing a specific web page, but that would be more easily blocked or shut down. There are also mobile application, both IOS and android, that are using DoH by default without giving the user a choice in the matter*. At this point if you use DNS as part of your security posture – either via RPZ, pi-hole or some other mechanism ( and if you aren’t you really should ) then you need to be blocking DoH. At present there are over 70 advertised public DoH… Continue reading

The state of DNS security records 2019

Record type occurence

My recent search for DNS hosting, reminded me that it’s been a while since my first state of DNS report. I had meant to do it every year so this is a bit late, I should probably set myself a reminder. At this point lets just say I missed 2018 and this is the 2019 report and I’ll try to remember for 2020. TLDR: Summary The deployment of security records in DNS has got slightly worse. The average score (out of 10) based on deployment of CAA, DKIM, DMARC, DNSSEC and SPF was 2.48 in 2017 , the same records checked today averaged 2.15 with this years data set averaging 2.42. Two data sets where used this year, the 2017 lists and updated lists taken from the same sources. Usage of IPv6, SPF and DMARC have seen significant decreases across both sets of data, off set only slightly by the… Continue reading

RPZs a personal history

Ten years ago today at a “secure off site meeting” ( i.e. in the pub ) I asked a colleague if there was any reason why we couldn’t use DNS load balancers to “load balance” bad domains to an address of our choosing. After some thought there didn’t seem to be any reason why we couldn’t do it or why it wouldn’t work. So the next morning as it still seemed like a good idea we added load balancing rules for three choice domains with less than savoury reputation. This quickly proved to be quite a successful tactic so we dubbed it “the naughty step”, and assumed that as it was such an “obvious” thing to do loads of other people must also be doing it. After we’d been going on like this for a while Paul Vixie published his excellent article on taking back DNS, which gave us a… Continue reading