In his company’s suite in a hotel in San Francisco, Infosecurity met with Farsight Security CEO Paul Vixie, who said he was in a mood that had caused him to “wake up angry.”
He was referring to overnight reports of a variation of Mozart “which uses DNS to get its commands.” He said that any botnet has the problem of collecting instructions about what the botmaster wants it to do, and this usually involves an Opsec indicator like an IP address or domain name, which would then make the operator a target for law enforcement.
“So anyone who captures the malicious binary that is running inside the botnet can disassemble and reverse engineer it and figure out how it is getting its command and control,” he said.
Vixie explained that a lot of work has been done around how to control a botnet without getting arrested, and this variant uses DNS, so all it has to do is look up the TXT record associated with a domain name. “This is still pretty flaky, as when the proposed action is malicious, you can generally get it taken down,” he said, adding that responsibility for taking it down really falls to the nation where the domain name is registered.
“This time it wasn’t an issue,” he continued, saying that the controller was able to put the instruction in the botnet. “One of the reasons the DNS was so good here is because it was a reliable, autonomous and hierarchical database – the idea that you consume from anywhere, and it just works.”
However, Vixie said the point of the breaking story that irked him was that Mozilla had “carried out its threat of changing the default DNS provider for all US-based Firefox users to ignore whatever the operating system thinks is the DNS service, and go out to the internet in order to use a DNS-over-HTTPS service that is operated by a partner chosen by Mozilla.”
Vixie said that in security, a business model has been built around trying to take down domain names and around using the lookups as a beacon, so that a CISO can find out who is infected and can use that data to filter those DNS addresses.
Mozilla said that this effort is part of its work to “update and secure one of the oldest parts of the internet. Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to a more secure alternative.” However, Vixie argued that DNS-over-HTTPS is designed to prevent people from seeing what users are doing, “and if you ask the Mozilla people they will say ‘you know your CISO has the same profile in TCP/IP terms as the great firewall of China’ but we cannot tell if this is a good or bad purpose for this type of surveillance or this type of control – you just have to treat it all as bad.” Vixie said that he sees this as “too much collateral damage.”
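The “beacon” use Vixie describes depends on the enterprise resolver seeing every lookup: a host that asks for a known-bad name identifies itself as infected, and a host making TXT lookups outside the domains that normally carry TXT data (SPF, DKIM, DMARC) is worth a second look given the Mozart reports. The following is an added example written for this article, not code from Vixie, Farsight or Mozilla. The log format, the client addresses, the `.invalid` indicator domain and the allowlist are all constructed; a real resolver (BIND, Unbound, Windows DNS) logs in its own format, and the blocklist would come from a threat-intelligence or takedown feed. Once the browser resolves over DoH to an outside provider, none of these lines appear in this log, which is the loss of visibility the article is about.

```python
import re
from collections import defaultdict

# Constructed sample of a recursive resolver's query log.
# Fields (invented for this example): timestamp, client IP, qname, qtype.
SAMPLE_LOG = """\
2020-02-26T09:00:01Z 10.1.2.10 www.example.com A
2020-02-26T09:00:02Z 10.1.2.10 c2-update.invalid TXT
2020-02-26T09:00:03Z 10.1.2.11 mail.example.com MX
2020-02-26T09:00:04Z 10.1.2.12 c2-update.invalid TXT
2020-02-26T09:00:05Z 10.1.2.12 www.example.com A
2020-02-26T09:00:06Z 10.1.2.13 _dmarc.example.com TXT
2020-02-26T09:00:07Z 10.1.2.14 cdn.example.net AAAA
garbage line that should be skipped
"""

# Placeholder indicator list standing in for a threat-intel / takedown feed.
# ".invalid" is a reserved TLD, so this name can never resolve for real.
BLOCKLIST = {"c2-update.invalid"}

# Domains whose TXT lookups are expected: SPF, DKIM and DMARC records
# live in TXT, so mail-related zones of the organisation belong here.
TXT_ALLOWLIST_SUFFIXES = ("example.com",)

# timestamp, dotted-quad client, qname, upper-case qtype
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) ([A-Z]+)$")


def parse_line(line):
    """Return (ts, client, qname, qtype) or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    # Normalise the name: drop a trailing dot and lower-case it.
    return ts, client, qname.rstrip(".").lower(), qtype


def under(qname, suffix):
    """True if qname is suffix itself or a subdomain of it."""
    return qname == suffix or qname.endswith("." + suffix)


def find_infected_hosts(log_text, blocklist):
    """Map each client that looked up a blocklisted name (or a subdomain of
    one) to the set of such names it asked for. This is the 'beacon' use:
    the lookup itself identifies the infected host."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, never crash the detector
        _, client, qname, _ = rec
        for bad in blocklist:
            if under(qname, bad):
                hits[client].add(qname)
    return dict(hits)


def unexpected_txt_lookups(log_text, allow_suffixes):
    """Return sorted (client, qname) pairs for TXT queries to names outside
    the allowlisted zones. TXT is where DNS-based command channels put
    their instructions, but also where SPF/DKIM/DMARC live, hence the
    allowlist rather than a blanket alert on TXT."""
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, qtype = rec
        if qtype == "TXT" and not any(under(qname, s) for s in allow_suffixes):
            flagged.add((client, qname))
    return sorted(flagged)


if __name__ == "__main__":
    for client, names in sorted(find_infected_hosts(SAMPLE_LOG, BLOCKLIST).items()):
        print(f"blocklisted lookup from {client}: {', '.join(sorted(names))}")
    for client, qname in unexpected_txt_lookups(SAMPLE_LOG, TXT_ALLOWLIST_SUFFIXES):
        print(f"unexpected TXT lookup from {client}: {qname}")
```

The two checks are deliberately separate: the blocklist match is high confidence and can feed a block rule on the resolver, while the TXT heuristic is only a triage signal and should be tuned with the organisation’s own mail and verification zones before anyone acts on it.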
These headlines broke just before Vixie spoke at the recent RSA Conference, in a shortened version of a talk he gave last November on the issue of adversaries being able to surveil and control the user experience. He said that users will not be happy if their ISP is surveilling their DNS traffic and associating keywords with their profile to sell information to advertisers to monetize its business.
Vixie said this was “the battle of our age” and that he concluded his talk at RSA Conference by saying that when delegates returned to work, they should check their regulatory requirements around recording of email traffic. “If you cannot comply with regulations because there is now an internet standard that tells everybody how to bypass all of your machinery for compliance, that creates risk.”
Was the issue here that he didn’t approve of Mozilla’s actions? He said he was hesitant to “point the finger at them in particular,” as he called this “post-Snowden rage” from people who heard Snowden’s 2013 disclosures and have found a way to work around it.
“Now we’re in the hands of people who don’t know what the alternatives were,” he said. “We the operators need to know what is happening on our networks, as controls will be routinely bypassed as the new DNS cannot be firewalled.”
This is the main issue, according to Vixie, as previously “nothing talked to the outside world except our own DNS servers,” so no other host on the network could reach outside DNS servers, but now they can, as DNS-over-HTTPS “folds invisibly into HTTPS as it is on the same port number.”
He said that now anyone who wants to prevent malicious actors from doing what Firefox does is “going to have to do some very expensive things to block the web itself and force it through filtering that will be very expensive and very disruptive.”
Vixie admitted that he is not ready to let someone else decide how to run the internet in his home or company, “and I’ll be angry every day while I am doing it.”