Minority Opinions

Not everyone can be mainstream, after all.

DNS Service Discovery

leave a comment »

Recently, I’ve been annoyed by trying to jam too many websites into a single IP address.  An obscure detail of Apache configuration caused half an hour of downtime for one of our sites, and is threatening to cause more.  Somewhere in the middle, I remembered something about DNSCurve, a project to encrypt and authenticate all traffic on the internet, starting at the DNS level.

Basically, DNSCurve is starting with the premise that public keys can be published via the DNS protocol itself.  In fact, if the nameserver’s public key has been published, then those keys can be used to encrypt and authenticate the DNS traffic itself.  For other services, the server can decrypt traffic using the corresponding private key either as part of the service’s protocol, or as part of the network stack itself.  For extra protection, a symmetric key can be negotiated as part of setting up a streaming transport.  The keys don’t even have to be signed by a trusted authority, as long as you can trust your DNS cache and each of the servers it contacts.  (If you don’t, then you have bigger problems anyway.)

The weakest link in the chain is adoption.  DNS-based attacks haven’t yet been severe enough for everyone to be clamoring for encrypted traffic, nor has it been entirely clear that this is the best solution.  Worse, name servers are largely run by registry companies, and name caches are largely run by internet service providers, neither of whom are the ones truly affected by an attack.  They need some pressure to switch, either from the (uninformed and unorganized) consumer base, or from (inertial and slightly less uninformed) companies.  To provide that pressure, the companies need to know that they’re going to get something out of it.

As long as we’re meddling with DNS, it might be nice to get rid of the idea of well-known ports, and throw load-balancing in for free.  It turns out that this isn’t a new idea, either; in fact, it’s the sole purpose of the SRV record type.  A few major protocols and plenty of minor ones seem to be using it, but not the most important ones.  Am I missing something important?  If I were to publish _https._tcp.example.com records, would anything use it?  In particular, would getaddrinfo() look for it?

If that’s the case, then a little DNS trickery is all we would really need to make Apache serve the right SSL certificate for each domain name, without having to put the port number into every URL.  (Yes, I know that modern browsers and SSL implementations allow for server name indications, but we’re forced to deal with IE 7.  And still get complaints from IE 6 users.)  Sadly, there might still be some firewall issues to work around; some of our clients might be restricted to ports 80 and 443.  Then again, certain firewalls are already configured with our domain names, so maybe the firewall could dynamically open the right ports if it knew that it would need to.

For an ideal connection, the two ideas could be combined.  Take a hostname and service, and open an encrypted connection to any of several load-balanced servers listening on arbitrary ports.  It would still take quite a bit to overcome the inertia of well-known port numbers, but even that can be promoted in the name of security.  I’m already dealing with SSH servers with goofy port numbers, for example; the default ones were collecting too much brute-force traffic, even with passwords completely disabled.

I imagine we’d get some pushback from certificate authorities, though.  How much of their business model is based on making people pay for a bit of assurance against man-in-the-middle attacks?  There might also be complaints from people worried about every last bit of performance, particularly in embedded systems, and from Iran, where all encrypted connections are blocked in the name of national security.

It’s also possible that IPv6 has some of this baked in.  One of these days, I may get around to trying it out.


Written by eswald

5 Feb 2013 at 6:53 pm

Posted in Linux, Technology

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s