10

I understood that Windows 7 and newer Windows clients are DNSSEC aware, but that they are non-validating. That means that they are not performing any DNSSEC validation, but that they can require the DNS server to perform DNSSEC validation.

When the client gets the DNS response, as I understood, it just looks at the AD (Authenticated Data) flag to see if the server performed DNSSEC validation. But wouldn't it be possible for an attacker sitting between the client and the DNS server to just send fake DNS responses to the client with the AD flag set to 1? Would the non-validating DNSSEC aware client blindly trust those responses?

pineappleman
  • 2,289
  • 11
  • 21

1 Answers1

3

Yes, and yes.

DNSSEC is the first successful attempt to add a security standard to the light-weight DNS infrastructure protocol. DNS must remain light-weight in order for the Internet infrastructure to operate efficiently and quickly serve requests to users. DNSSEC is backwards compatible and remains light-weight enough that DNS is efficient.

DNSSEC can be performed by the DNS servers without the knowledge or participation of client computers. The term DNSSEC aware is a bit redundant since DNSSEC is backwards compatible. A DNS server that does the DNSSEC validation will deliver trusted responses to DNS queries. Specifically, the DNSSEC standard means that at the time the response is sent by the DNS server, the DNS server must have cryptographic evidence that the response is correct and trusted, otherwise the DNS server sends nothing.

The main issue at hand is that DNSSEC is not fully implemented on the DNS servers. Some servers implement it, some do not. If a client is configured to require that the DNS servers do DNSSEC validation, then the AD flag you mention is redundant, particularily since a DNSSEC server should not sent untrusted information to clients. Windows computers can be configured to rely only on authenticated DNS responses, and this is what Microsoft means when they discuss 'non-validating DNSSEC-aware computers'. See their discussion, for details.

As you observe, since the DNS server is doing the authentication, and the client is not, it is possible for attacks to be inserted between the server and client. Such attacks could include poisoning of the client's local DNS cache and spoofing of server responses. From a security stand-point, one would want the client to validate the DNS response. However, there are probably implementation and efficiency obstacles for creating such a system.