[Idea] DNS Perspectives


Doc Flay

May 27, 2015, 3:59:23 AM
to perspect...@googlegroups.com
Inspired by the idea of Perspectives, it made me think of another idea to improve browser security.
As I have issues with my ISP redirecting/blocking "bad domains" (competing services) I use alternative DNS providers.
My idea is best implemented in the browser itself, but the concept may be workable as a Firefox extension.
Even if it cannot override the DNS lookup, maybe it can at least confirm that the IP address is agreed on and notify the user if any do not match.
I know people change IP and sometimes the system is a bit of a let-down with delays, but at that point many of the DNS fail rather than disagree.

Pasted below is my post on the Vivaldi forum:


I am assuming Vivaldi will be setup to offer Opera-style portable installs.
If used on a foreign PC, it would be handy to be able to bypass the ISP's DNS.
Would it be possible to add DNS lookups the same way as adding proxy info to a browser?

I have my network drivers configured to only use DNSSEC capable DNS, and I would like the same security in a portable install.
What I would also like to see:

alternative DNS lookup, inspired by Perspectives as a way to help avoid DNS pollution.
At least 3 or 4 DNS (using DNSSEC) on separate networks must agree on the IP.

This could either be in a new TCP stack (driver) or internal to a browser.
Could test the chosen DNS regularly for redirections/blocking and DNSSEC.
If no extra load, then the status can be tested with each request, otherwise check during launch or daily updates.

User can be notified of a discrepancy and either blocked or sent to the most agreed upon URL.
Security profiles can be based on the same percentage of agreement style system used by Perspectives, and the user simply activates Low, Medium, or High.

Connecting via BT in the UK, I can access 8 DNSSEC lookups.
5x UUNET
2x Google
1x BT

So I only get to use 3 separate networks :(

I used Steve Gibson's DNSBench to find the servers I can use.
Out of over 4k DNS, less than 200 were available/responding from my location.
DNSBench cuts the list to the fastest 50. I may be able to access more (but slower) DNSSEC capable networks.
If the list of DNSSEC servers is so small, maybe it can be updated into the browser?

Well, there you have it, I hope this can a) work as an extension, and b) inspire you to either make one or add more functionality to Perspectives ;)
I hope you can see what I am clumsily suggesting, and the value it has, and possibly that in the future this idea will have to happen anyway (just like Perspectives).
Cheers for reading,
Doc.

Dave Schaefer

Jul 8, 2015, 12:09:21 AM
to perspect...@googlegroups.com
Hi Doc, this is an interesting idea. I am not sure we want to start messing with DNS resolution inside Perspectives. As open source projects often have limited development time, it is very important for them to maintain a good focus. Given the current backlog of important Perspectives fixes I personally would not have time to investigate any DNS related features.

That said, notary results are still valid for sites you visit, so you would be able to compare the notary results to what you see to get a clue about whether the certificates match and if you're seeing the site you expect.

Doc Flay

Jul 8, 2015, 6:10:17 AM
to perspect...@googlegroups.com
I understand you don't want to go bolting extras into Perspectives. I was actually suggesting a second extension based on the Perspectives principle, and thought this may be the most suitable project to achieve it, due to the obvious parallel.

As DNS is not your area, maybe another visiting Dev will speak up.

Mostly I just want some feedback and to hit the idea with a few hammers, because the idea seems so simple it must have a massive hole I cannot see.
The only programmers I have been able to discuss this with have been in person "IRL" (maybe I should do blog posts rather than forums).
The Devs at Avira said they like it and will contemplate it if they look at what to do with DNS. The feeling is that DNS is borked and needs a complete replacement. However, in the meantime I see we have no alternative, so where does that leave us right now?
So far nobody has given me a negative, or a reason why it would not work. They all say the same things (probably similar to people discovering Perspectives):
"Oh this seems like such an obvious/simple/cool idea, why is it not already standard if DNS poisoning still happens?"
It is now standard for most browsers to validate certs and check for phishing and malware before allowing access. I see adding DNS validation as an unavoidable requirement.

As I'm no security expert, I don't know how deep an extension would need to probe.
So in my simple terms, I figured that it would not be required to go as far as Perspectives, as it only requires the 1 aspect: "Do all the DNS agree on the IP address?"
You are not trying to validate an individual DNS's capabilities, only test if you can trust the DNS.
It does not need to fetch or send anything other than what the browser is already asking for.
However, an extension could then offer the user the option to navigate to the most agreed upon IP.
Different security settings could either automate, prompt or block access.
When a mismatch is spotted, a Whois check could be done for domain and IP (I use extensions already that pull the Whois data for any site I am on).

My suggestion is to pre-load with the open DNSSEC servers, and allow users to edit/add their own.
This helps to sort out 2 things.
1) starting with authenticating DNS will immediately use known robust independent networks.
2) allowing users to change them will increase the chance of spotting polluted networks.

In summation:
An extension like this could quickly report DNS poisoning without user intervention, while acting as a shield or guiding hand to an IP address.
It could even be a way to confirm that your ISP is blocking or redirecting you.
The only way we have to quickly confirm a domain/IP is ask a DNS.
The only way we have to quickly confirm a DNS is ask another DNS.
(I am not including Whois lookups in that generalisation, as speed is important.)

OK then, what have I missed?
Does it need to gather more detailed info about a DNS, or simply what it "regularly" responds with?
I hope this prangs in someone's mind at least, and I have planted another seed, while I crusade elsewhere ;)
(I did it with Metalinks hehe, and I'll damn-well do it again. I'm already on the way to getting the hashes commonly used on geeky DL sites used as part of the Avira browser download and validation.)

Thank you for reading, and thank you even more if you take the time to dissect.
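The agreement check Doc sketches across his two posts (ask several DNSSEC resolvers on separate networks, count a network once however many of its servers answer, treat timeouts as abstentions rather than dissent, then allow, redirect, prompt or block according to a Low/Medium/High profile), written out as an added Python example that is not part of this thread or of the Perspectives project. The thresholds, the action names, the network labels and the sample answers are constructed assumptions; the lookups themselves are left out because the standard library cannot direct a query at a chosen server, so the function takes the answers as already collected.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

# Policy table (assumption): minimum share of answering networks that must
# back one answer for the page to load untouched, and what to do otherwise.
# The thread names Low/Medium/High and "automate, prompt or block" but fixes
# no numbers; these values are chosen for illustration only.
POLICIES: Dict[str, Tuple[float, str]] = {
    "low": (0.60, "redirect"),   # follow the majority answer without asking
    "medium": (0.80, "prompt"),  # show the user the majority answer and ask
    "high": (1.00, "block"),     # any dissent blocks navigation
}

# One resolver's reply: the network it sits on, and the IPs it returned for
# the name (None for timeout/SERVFAIL). Order is irrelevant, so sets are used.
Answer = Tuple[str, Optional[Sequence[str]]]


@dataclass
class Verdict:
    action: str                        # allow / redirect / prompt / block / insufficient
    agreed: Optional[FrozenSet[str]]   # IP set backed by the most networks
    agreement: float                   # share of answering networks backing it
    networks_answered: int
    dissenters: Dict[str, List[str]] = field(default_factory=dict)  # ip-set -> networks


def tally(answers: Sequence[Answer]):
    """Count, per distinct IP set, how many separate networks returned it.
    Two servers on the same network count once ("3 or 4 DNS on separate
    networks must agree"), and failed lookups abstain instead of dissenting
    ("many of the DNS fail rather than disagree")."""
    backers: Dict[FrozenSet[str], set] = defaultdict(set)
    answered = set()
    for network, ips in answers:
        if not ips:
            continue
        backers[frozenset(ips)].add(network)
        answered.add(network)
    return backers, answered


def evaluate(answers: Sequence[Answer], policy: str = "medium",
             min_networks: int = 3) -> Verdict:
    threshold, on_mismatch = POLICIES[policy]
    backers, answered = tally(answers)
    if len(answered) < min_networks:
        # Too few independent networks replied to say anything either way.
        return Verdict("insufficient", None, 0.0, len(answered))
    best, best_nets = max(backers.items(), key=lambda kv: len(kv[1]))
    agreement = len(best_nets) / len(answered)
    dissenters = {",".join(sorted(ips)): sorted(nets)
                  for ips, nets in backers.items() if ips != best}
    if agreement >= threshold:
        action = "allow"
    elif on_mismatch == "redirect" and agreement <= 0.5:
        action = "prompt"  # no clear majority to redirect to; ask instead
    else:
        action = on_mismatch
    return Verdict(action, best, agreement, len(answered), dissenters)


# Constructed sample: five networks asked about one name. Two servers on
# "net-a" agree with each other (and count once), "net-d" timed out, and the
# ISP's resolver returned a different address, as in the redirection Doc
# describes. IPs are from the documentation ranges, not real hosts.
SAMPLE_ANSWERS: List[Answer] = [
    ("net-a", ["192.0.2.10", "192.0.2.11"]),
    ("net-a", ["192.0.2.11", "192.0.2.10"]),
    ("net-b", ["192.0.2.10", "192.0.2.11"]),
    ("isp", ["198.51.100.77"]),
    ("net-d", None),
    ("net-c", ["192.0.2.10", "192.0.2.11"]),
]

if __name__ == "__main__":
    for profile in POLICIES:
        v = evaluate(SAMPLE_ANSWERS, profile)
        print(f"{profile:6s} -> {v.action:12s} agreement={v.agreement:.2f} "
              f"networks={v.networks_answered} dissenters={v.dissenters}")
```

Three of the four networks that answered agree, so the same replies produce allow under Low, prompt under Medium and block under High; the dissenting answer is reported with the network that gave it, which is the "confirm that your ISP is redirecting you" signal from the post.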