
Ask HN: Secure DNS resolution in a system

1 points| shincert | 8 years ago | reply

I am working on a system with a typical client-server architecture. In this scenario the server has to validate a client's certificate, including checking if it has been revoked. To do this the server has to send an HTTP request to download CRLs or make an OCSP query. Naturally, it has to resolve the domain via DNS.

I want to secure the DNS resolution process. Intuitively I think I should not be relying on the ISP's DNS server and roll my own that maybe implements DNS-over-TLS. What should I do to secure DNS resolution in this simple scenario?

Recall all I want to do is securely resolve some occasional DNS queries. Which existing solutions can I use for this purpose?

4 comments

jlgaddis | 8 years ago | reply
Run your own resolver locally, with DNSSEC enabled.

Assuming the RRs for the domains you are querying are signed, that's (IMO) probably all you need to do. While OCSP happens over plain-text HTTP, the responses are also signed so that you can verify them.

If the CA isn't using DNSSEC for their zones (or, specifically, the RRs for the hosts listed in the URIs in the signed certificates), I don't think there's much more you can really do (as the DNS queries/responses will travel over the Internet "in the clear" -- and, thus, subject to tampering/modification).

Or am I missing some part of your process that could potentially be compromised that you're trying to protect against?

Also, an attacker could block your HTTP requests (for CRL downloads/OCSP queries). How does your application react when it doesn't get a response? "Fail open" or "fail closed"?

shincert | 8 years ago | reply
> Assuming the RRs for the domains you are querying are signed, that's (IMO) probably all you need to do. While OCSP happens over plain-text HTTP, the responses are also signed so that you can verify them.

I will make sure that's the case. What I didn't explain yet is that I am doing this for a university project and I am fishing for extra points. So I was trying to justify running my own DNS server. Is it reasonable?

> I don't think there's much more you can really do (as the DNS queries/responses will travel over the Internet "in the clear" -- and, thus, subject to tampering/modification).

I really should have done more research on this, but I imagined I could encrypt the DNS queries themselves and forward them to a public recursive DNS server. Could I not use DNSCrypt or DNS-over-TLS for this purpose?

> Also, an attacker could block your HTTP requests (for CRL downloads/OCSP queries). How does your application react when it doesn't get a response? "Fail open" or "fail closed"?

Assuming the server has at least downloaded an initial CRL, I could always fall back to that. I haven't played much with this yet, but I think that's the big advantage of a CRL versus an OCSP query, no?

I guess I should "fail closed" to cover all holes but then I'm basically letting the attacker DoS the server. What is best?
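The two points raised in this thread (trust only answers from a local DNSSEC-validating resolver, and decide how to behave when the CRL/OCSP fetch is blocked) can both be expressed as small policy checks on the server side. The following is an added example, not code from anyone in the thread; the DNS wire bytes, serial numbers and CRL validity window are constructed for illustration, and the `require_dnssec` and `fail_open` parameters are hypothetical names for the policy knobs being discussed.

```python
"""Added example (not from the thread): two defender-side checks for a
server that fetches CRLs / OCSP responses.

1. Act only on DNS answers that the *local* validating resolver marked
   as authenticated (the AD header flag).
2. When no usable OCSP response arrives, fall back to a cached CRL while
   it is still within its validity window; otherwise fail closed unless
   policy explicitly says to fail open.
All inputs are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# --- 1. DNS header flags (RFC 1035 layout, 16-bit flags word) ---
FLAG_QR = 0x8000     # response bit
FLAG_TC = 0x0200     # truncated: answer is incomplete, retry over TCP
FLAG_AD = 0x0020     # authenticated data: set by a DNSSEC-validating resolver
RCODE_MASK = 0x000F  # 0 = NOERROR


@dataclass
class DnsHeader:
    ident: int
    is_response: bool
    truncated: bool
    authenticated: bool
    rcode: int


def parse_dns_header(wire: bytes) -> DnsHeader:
    """Decode the 12-byte DNS header of a message."""
    if len(wire) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    ident, flags = struct.unpack("!HH", wire[:4])
    return DnsHeader(
        ident=ident,
        is_response=bool(flags & FLAG_QR),
        truncated=bool(flags & FLAG_TC),
        authenticated=bool(flags & FLAG_AD),
        rcode=flags & RCODE_MASK,
    )


def answer_is_trustworthy(wire: bytes, expected_id: int,
                          require_dnssec: bool = True) -> bool:
    """A stub client should only act on a response that matches its query
    ID, is complete and successful, and (when policy demands DNSSEC) has the
    AD bit set. AD is only meaningful when the resolver that set it runs on
    localhost or is reached over an authenticated channel, which is why the
    thread's advice is to run the validating resolver locally."""
    hdr = parse_dns_header(wire)
    if hdr.ident != expected_id or not hdr.is_response:
        return False
    if hdr.truncated or hdr.rcode != 0:
        return False
    if require_dnssec and not hdr.authenticated:
        return False
    return True


def make_header(ident: int, flags: int) -> bytes:
    """Build a constructed header (all section counts zero) for testing."""
    return struct.pack("!HHHHHH", ident, flags, 0, 0, 0, 0)


# --- 2. Revocation decision with cached-CRL fallback ---
@dataclass
class CachedCrl:
    revoked_serials: frozenset        # serials listed in the last CRL fetched
    next_update: datetime             # CRL's nextUpdate; stale after this


def revocation_decision(serial: int, ocsp_status: Optional[str],
                        cached_crl: Optional[CachedCrl], now: datetime,
                        fail_open: bool = False) -> str:
    """Return 'accept' or 'reject' for a client certificate serial.

    ocsp_status is 'good', 'revoked', or None when no valid OCSP response
    was obtained (request blocked, timed out, or its signature failed).
    """
    if ocsp_status == "revoked":
        return "reject"
    if ocsp_status == "good":
        return "accept"
    # Live check unavailable: the cached CRL is authoritative until nextUpdate.
    if cached_crl is not None and now <= cached_crl.next_update:
        return "reject" if serial in cached_crl.revoked_serials else "accept"
    # No fresh revocation information at all: the fail-open/fail-closed choice.
    return "accept" if fail_open else "reject"
```

The cached CRL gives a bounded window in which blocking the HTTP fetch does not turn into a denial of service; once `next_update` has passed, the decision degrades to the `fail_open` policy, which is the trade-off the last post asks about.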