[161763] in North American Network Operators' Group
Re: DNS for mobile devices
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Mar 26 14:19:14 2013
To: Joe Abley <jabley@hopcount.ca>
In-Reply-To: Your message of "Tue, 26 Mar 2013 13:09:53 -0400."
<6E25B5D8-9459-410D-9CB6-FB0978ACA97F@hopcount.ca>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 26 Mar 2013 14:15:26 -0400
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, 26 Mar 2013 13:09:53 -0400, Joe Abley said:

> What mobile devices do you support that don't acquire a suitable local DNS resolver using DHCP or PPP?

Pretty much all devices are *able* to acquire a DNS resolver via DHCP.

> Honest question. I presume you wouldn't bring it up if it wasn't a real problem.

The problem starts when you don't *trust* DHCP to hand you a pointer to
a *working* DNS resolver (anybody who's had a hotel net hand them a DNS
that's either busted or MITMs your queries knows what I mean, and I hope
I don't have to explain about the fun involved in using wireless anywhere
near a DefCon or Black Hat conference).

And yes, unless you turn on DNSSEC you don't have much defense against
a hotel net or rogue net that decides to spoof replies to your queries
to your home DNS server.

Now in day-to-day production, it's *mostly* a non-issue, because many/most of
the people who hard-code our DNS into their mobile configs will also fire up a
VPN to our campus. Unfortunately, that leaves us a lot of interesting-to-diagnose
corner cases involving DNS lookups that happen between when they boot
the device and when they launch the VPN (for instance, coding a DNS name
rather than an IP for the VPN endpoint :)