undefined | Better HN

0 pointsthayne5y ago0 comments

Google could, you know, use their own DNS servers for this...

0 comments

No, they couldn't. The whole purpose of these probe requests is to assess whether the DNS server used by a particular client is acting normally (responding with NXDOMAIN if a domain does not exist), so these must bde sent to the DNS server of the client, which effectively means that unless this DNS server performs the hijacking that is to be detected, they will inevitably end up on a root DNS server, because no server in the hierarchy will know those domains.

Forcing these probe requests onto Google's DNS would completely defy their purpose in the first place.

majewsky5y ago

Instead of http://asdoguhwrouyh, they could probe something like http://asdoguhwrouyh.google or anything else in a zone owned by them, so the uncachable traffic would hit only their authoritative name servers and not the root servers.

warp5y ago

But then a lying DNS server could easily identify those, and NOT lie about http://*.google -- the reason these requests are entirely random domain names is so they're not easily recognized as probes.

1 more reply

JdeBP5y ago

... only when the delegation for google. is cached.

thayneOP5y ago

ah, good point.

amalcon5y ago

It wouldn't usually help to use 8.8.8.8, but they probably could use their own authoritative servers instead of the root servers. Look up <random chars>.dnstest.google.com or <random chars>.dev or something.

The problem with this is, of course, that a malicious resolver could detect this and NXDOMAIN those queries, while passing others through. I don't see what the incentive would be for ISPs to do that, but ISPs are weird.

londons_explore5y ago

> that a malicious resolver could detect this

I assume the reason for changing from a 10 char random string to a 7-14 char random string was exactly because some ISP's were detecting it...

jml7c55y ago

Unfortunately the commit message doesn't explain why the change was made:

https://chromium.googlesource.com/experimental/chromium/src/...

1 more reply

corty5y ago

They could just use DNSSEC...

johncolanduoni5y ago

DNSSEC has to be supported by your ISP’s DNS server, which they won’t if they’re trying to intercept your queries.

tptacek5y ago

They're suggesting you install your own local DNS server --- nothing prevents you from doing that, and just talking straight to the roots instead of through your ISP's DNS server.

The real problem is not your ISP, but rather the fact that the most important sites on the Internet have rejected DNSSEC and aren't signed. DNSSEC can't do anything for you with hostnames in zones that haven't been signed by their operators, and, to a first approximation, every zone managed by a serious security team (with a tiny number of exceptions like Cloud Flare, who sells DNSSEC services) has declined to do so.

1 more reply

j / k navigate · click thread line to collapse

0 comments

Slartie5y ago

Forcing these probe requests onto Google's DNS would completely defy their purpose in the first place.

majewsky5y ago

warp5y ago

But then a lying DNS server could easily identify those, and NOT lie about http://*.google -- the reason these requests are entirely random domain names is so they're not easily recognized as probes.

1 more reply

JdeBP5y ago

... only when the delegation for google. is cached.

thayneOP5y ago

ah, good point.

amalcon5y ago

londons_explore5y ago

> that a malicious resolver could detect this

I assume the reason for changing from a 10 char random string to a 7-14 char random string was exactly because some ISP's were detecting it...

jml7c55y ago

Unfortunately the commit message doesn't explain why the change was made:

https://chromium.googlesource.com/experimental/chromium/src/...

1 more reply

corty5y ago

They could just use DNSSEC...

johncolanduoni5y ago

DNSSEC has to be supported by your ISP’s DNS server, which they won’t if they’re trying to intercept your queries.

tptacek5y ago

They're suggesting you install your own local DNS server --- nothing prevents you from doing that, and just talking straight to the roots instead of through your ISP's DNS server.

1 more reply

j / k navigate · click thread line to collapse