Maintained by: NLnet Labs

[Unbound-users] Unbound Android port

lst_hoe02 at kwsoft.de
Sat Aug 22 17:24:36 CEST 2015


Quoting Patrik Fältström <paf at frobbit.se>:

> On 21 Aug 2015, at 9:49, Andi via Unbound-users wrote:
>
>> I also find it very useful because DNSSEC should be integrated per  
>> Device to be useful/secure IMHO.
>
> I must say I disagree with the statement, because it sounds like if  
> usefulness of DNSSEC is black and white, yes or no. And that it is  
> useless today as no validation is happening locally.
>
> In reality, you already today must trust various pieces of the  
> zeroconf tussle, and one of them is the recursive resolver of your  
> choice (or rather, the one your [trusted] DHCP server is giving to  
> you).

At least for mobile devices the user has no real way to decide if the
DNS provided is really secure or not. Because of this it is preferable
to do DNSSEC per device and ignore the resolver provided by DHCP if
possible.

> There are a multitude of attack vectors in the local network, but  
> because of that, creating mechanisms for those to do a better job  
> will make things better. And I am specifically thinking of the  
> ability for a recursive resolver to do validation.
>
> So, I definitely think DNSSEC is useful even if validation is not  
> happening in the local device.

There are networks where it indeed is no problem to do central DNSSEC
validation, but mostly if the network is separated from the internet
and is some form of managed network like in company environments. We
do it that way since .de is signed.

> In Sweden, more than 95% of resolvers do validate DNSSEC signed  
> responses (I think it was, according to Geoff measurements), and  
> that is A Good Thing. More ISPs and cellphone providers etc should  
> immediately turn on validation!

It doesn't harm, but for devices using random untrusted networks it is
best to do DNSSEC on the device, so you will always be sure that the
DNS replies are as safe as possible.

> Unfortunately statements like the one above I hear as arguments for  
> not doing so.

Possibility for doing better should never be an excuse for doing
nothing. My only point was that Unbound or something similar should be
on stock Android soon, so the ones who care about secure DNS can
simply activate it.

> That said, I completely agree that the goal must be to have
> validation happen locally, although that will in some cases
> (various mixed IPv6/IPv4 environments for example) not work.
> But in those you are doomed anyway if you do not trust the local
> environment.
>

The only cases where I have seen DNSSEC completely fail is if UDP
*and* TCP port 53 are not possible unfiltered. There are some stupid
SOHO routers which always direct all port 53 traffic to themselves, but
fail to handle DNSSEC in a useful way.

Regards

Andreas
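As an added example (not part of this thread or of the Unbound project), a small Python probe for the two checks the reply above turns on: whether the resolver handed out by DHCP sets the AD flag on a DO=1 query for a signed name, and whether port 53 answers over TCP as well as UDP. The function names, the `probe` helper and the sample response headers are constructed here for illustration.

```python
# Constructed example: DNSSEC-validation and TCP/53 probe built only on the standard library.
import os
import socket
import struct

OPT_DO = 0x8000  # EDNS0 "DNSSEC OK" bit; lives in the low 16 bits of the OPT TTL field

def build_query(name: str, qtype: int = 1) -> bytes:
    """Standard query with RD=1 plus an EDNS0 OPT record carrying the DO bit."""
    qid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = [p.encode() for p in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype, class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, OPT_DO, 0)  # root name, OPT, udp size, flags, rdlen
    return header + question + opt

def parse_flags(resp: bytes) -> dict:
    """Header bits a stub cares about; AD is asserted by the resolver, not verified here."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", resp[2:4])[0]
    return {"qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020), "rcode": flags & 0x000F}

def classify(resp: bytes) -> str:
    """Interpret the reply to a DO=1 query for a name known to be signed."""
    f = parse_flags(resp)
    if f["rcode"] == 2:
        return "servfail"        # validation failed, or the resolver/path is broken
    if f["rcode"] == 0 and f["ad"]:
        return "validating"      # resolver says the chain verified
    return "not-validating"      # answer arrived, nothing was checked

def probe(resolver: str, name: str, tcp: bool = False, timeout: float = 3.0) -> bytes:
    """Send the query over UDP or TCP; a box that grabs port 53 but cannot do TCP times out here."""
    q = build_query(name)
    if not tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (resolver, 53))
            return s.recv(4096)
    with socket.create_connection((resolver, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)       # TCP framing: 2-byte length prefix
        n = struct.unpack("!H", s.recv(2, socket.MSG_WAITALL))[0]
        return s.recv(n, socket.MSG_WAITALL)           # MSG_WAITALL: POSIX only
# Constructed 12-byte response headers (flags only; no answer section is needed for the check)
SAMPLE_VALIDATING = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)  # QR RD RA AD, NOERROR
SAMPLE_PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)       # QR RD RA, no AD
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)    # QR RD RA, SERVFAIL
```

Because the AD bit is set by the resolver, on an untrusted network this tells you only what that resolver claims, which is exactly why the reply argues for validating on the device itself.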