On Mon, Oct 7, 2019 at 11:44 AM Kevin McCormick <kmccormick@mdtc.net> wrote:
If the DNS request comes from an IP in matching a CIDR network address in the ULS record, then the server would respond with an error message telling the application to use the configured local DNS server.
All if this is ultimately falsifiable by a malicious or rogue DNS operator. My suggestion would be ultimately that DNS Clients implement DNSSEC validation themself to avoid tampering by a malicious client on their network for phishing purposes or a malicious recursive DNS Resolver server --- Such a DNS proxy service in a home router corrupted by malware that modifies DNS resposes for an attacker, or those rogue DNS servers of ISPs that typically sometimes replace NXDOMAIN replies with A records attempting to collect typo queries for advertising or that redirect A records to other hosts designed to intercept and monitor or proxy traffic with advertisements inserted. A secure administrative selection of local DNS server could be supported by allowing a TXT record to be placed in the reverse DNS zone for the IP address which is the IP address configured on the client's IP network interface alongside PTR records. The client software would then be required to perform a DNSSEC signature check to ensure that the reverse DNS zone is signed and has the proper chain of signed DS records ultimately coming from the IP6.ARPA or IN-ADDR.ARPA zone. * Clients using RFC1918 IP addresses would not be able to support this; Because, there is no way of establishing WHO is authorized to sign locally on behalf of the "operator" of a RFC1918 or link-local IP address... The latter seems more like a system administration problem however -- The DHCP software running on a client ought to have some way of indicating whether the network being connected to is Secure and "Managed" by the same entity that owns and configures the client device: I.E. Same company manages the LAN and the entire path up to recursive DNS servers are secure, Or whether the PC is owned and managed by different entities -- such as a mobile PC user connected to someone else's network, or a Home user connected to their own ISP, and the network is, therefore, untrusted. (Untrusted in the sense that DNS Servers are controlled by a 3rd party who is not the owner or operator of the personal computer or client device which is connecting for the supposed purpose of accessing the public internet --- therefore no legitimate authority exists for having clients tolerate tampering with private traffic between that device and another internet host, content in DNS or other IP traffic content, and so on)
Thoughts? Thank you, Kevin McCormick -- -JH