Some problems with DoH!

With recent announcements from Mozilla about wanting to use DNS-over-HTTPS by default and partnering with Cloudflare to at least test this, I’ve been giving the matter of DoH quite a bit of thought. This is therefore the first of two possibly three articles dealing with various aspects of DNS over HTTPS. For those that are unaware the idea behind DNS-over-HTTPS ( henceforth DoH ) is that DNS isn’t by default secure or private so let tunnel it over HTTPS so that those pesky firewalls don’t get in the way and secure it that way. This will allegedly make DNS faster, more private and just all round better. Personally I think it will do few if any of those things and that the problems it will create will far out weight any perceived benefits. As Bert Hurbert said this looks a lot more like a land grab by CDN and browser… Continue reading

The state of DNS security records 2017

These days there are quite a few security initiatives that depends upon DNS, and to keep those secure you need to implement DNSSEC. Many people across the board from Google, to security advisory firms are encouraging the uptake of these initiatives many of which are getting quite long in the tooth (SPF is over a decade old). However, I’ve for a long time thought that many of these “enhancements” are far from trivial to implement, if you’re a small operator it’s a lot of work for small gains, and if your large then unless you can automate it it’s just not viable. Looking at implementing many of these enhancements myself, and the work involved I started wondering what deployment looked like amongst other people, so I thought I’d do a quick survey and on the whole it’s not a pretty sight. From my far from scientific survey the only thing… Continue reading

A possible issue with SPF

This problem may already have been addressed, and I’ve no doubt that other people have also given it thought – but I’ve not been able to find any information pertaining to it, so if it has the answer hasn’t been widely disseminated. However I think there is an issue with how SPF relates to non-mail servers and non-existent sub-domains. First a bit of background though – the purpose of SPF is to prevent sender address forgery and correctly configured it does achieve this for domains and subdomains both for those you intend to send e-mail from and those you don’t. To prevent abuse of domains, and presumably sub-domains that you don’t send e-mail from the SPF FAQ advises that you: “Publish null SPF records for your domains that don’t send mail” http://www.openspf.org/FAQ/Common_mistakes#all-domains They acknowledge that there is a problem with people spoofing non-email sending domains, however the FAQ doesn’t mention… Continue reading

DNS trouble shooting for beginners

Introduction DNS generally just works (at least as far as you’re concerned), which is good as the internet would be far less fun without it. However this does mean that many people don’t really know how to tell if a problem is a DNS error or something else – this makes life difficult for support desks and even worse causes work for DNS admins. It needn’t be so! Telling if something is a DNS issue is actually quite simple, and trouble shooting it isn’t much more difficult. To start with there are really only a very few ways that DNS can go wrong ( from a user perspective – from an admin perspective DNS can go wrong in many and varied ways ). Not responding at all Returning the wrong data Not returning a record when it should That from an end users point of view are really the only… Continue reading