On 7/12/2016 at 4:10 PM, "Shane Kerr" wrote:

John,

At 2016-07-11 23:50:05 -0000
"John Levine"  wrote: 
> I'd also want to change some of the motivation text. To me, by far
> the most likely scenario here is javascript applications that want to
> do DNS queries, e.g. for SRV, but can't because javascript doesn't let
> you do that. Now the server that provided the javascript blob can
> also be the DNS proxy. The javascript can't query random other DNS
> proxies due to cross-site scripting rules.

As I think that I mentioned before, the current draft of DNS-over-HTTP
is poorly suited for JavaScript. Building and parsing DNS binary
messages in JavaScript seems like a really hard way to get at the few
tidbits of information that you actually want.

OTOH, I am (obviously) not a web developer, so perhaps I overestimate
the difficulty in working with DNS binary-format. Maybe it's a
relatively compact set of JavaScript functions that can be used?

Maybe I just found a project for the IETF Hackathon? Hm... :)

My first thought (and maybe this says more about me than the project)
is that this seems like the perfect way to make a fully self-contained
piece of malware. Ransom32 already proved that you can create
ransomware developed entirely in JavaScript. Imagine if you combined a
JavaScript DNS library with a JavaScript TLS library
(https://github.com/digitalbazaar/forge): you could create a piece of
malware that is significantly harder to detect because all of the
network indicators would be encrypted or not in places that security
tools normally look. Now, it would also be somewhat easy to detect
because there are very few legitimate reasons for someone to be
emailing you a 25+ Meg .js file.

I am not saying something shouldn't be done simply because bad guys
might abuse it, otherwise we should have gotten rid of email a long
time ago. What I am asking is: are there more legitimate uses for DNS
over JavaScript than there are illegitimate? I don't know the answer,
but I don't know if the "cool" factor outweighs the potential security
risk.

allan
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
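Shane's question above, whether working with the DNS binary format in JavaScript is really that hard, can be answered by writing the code. The block below is an added example, not code from anyone in the thread or from any DNS-over-HTTP draft: a minimal RFC 1035 wire-format encoder and decoder in plain JavaScript, enough to build the SRV query John mentions and read back the answer. All names, byte values and function names in it are constructed for the illustration. It deliberately includes the two checks a parser written in any language needs, bounds checking on every read and a hop limit on name-compression pointers, because a decoder that omits them will hang or read out of range on a malformed reply.

```javascript
// Added example (not from the thread): compact RFC 1035 DNS wire-format
// encoder/decoder in plain JavaScript. Names, bytes and record values are
// constructed for the demo.

const TYPES = { A: 1, SRV: 33 };

// Encode a domain name as length-prefixed labels ending in a zero byte.
function encodeName(name) {
  const out = [];
  for (const label of name.replace(/\.$/, '').split('.')) {
    if (label.length > 63) throw new Error('label too long');
    out.push(label.length, ...Array.from(label, c => c.charCodeAt(0)));
  }
  out.push(0);
  return out;
}

// Build a standard recursive query: 12-byte header plus one question.
function buildQuery(name, type, id = 0x1234) {
  const header = [id >> 8, id & 0xff, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0]; // RD=1, QDCOUNT=1
  const question = [...encodeName(name), type >> 8, type & 0xff, 0, 1];   // QCLASS IN
  return Uint8Array.from([...header, ...question]);
}

function u16(buf, off) { return (buf[off] << 8) | buf[off + 1]; }

// Decode a possibly compressed name (RFC 1035 section 4.1.4) at offset.
// Returns { name, next }; next is the offset just past the name as it
// appears at the caller's position (following a pointer does not advance it).
function decodeName(buf, offset) {
  const labels = [];
  let pos = offset, next = null, hops = 0;
  for (;;) {
    if (pos >= buf.length) throw new Error('truncated name');
    const len = buf[pos];
    if (len === 0) { pos += 1; break; }
    if ((len & 0xc0) === 0xc0) {                      // compression pointer
      if (pos + 1 >= buf.length) throw new Error('truncated pointer');
      if (next === null) next = pos + 2;
      pos = ((len & 0x3f) << 8) | buf[pos + 1];
      if (++hops > 64) throw new Error('pointer loop'); // refuse circular pointers
      continue;
    }
    if (pos + 1 + len > buf.length) throw new Error('truncated label');
    labels.push(String.fromCharCode(...buf.subarray(pos + 1, pos + 1 + len)));
    pos += 1 + len;
  }
  return { name: labels.join('.'), next: next === null ? pos : next };
}

// Parse a response into { id, rcode, questions, answers }, decoding the
// rdata of SRV and A records and leaving other types as raw offsets.
function parseResponse(buf) {
  if (buf.length < 12) throw new Error('short header');
  const id = u16(buf, 0), flags = u16(buf, 2), qd = u16(buf, 4), an = u16(buf, 6);
  const questions = [], answers = [];
  let off = 12;
  for (let i = 0; i < qd; i++) {
    const { name, next } = decodeName(buf, off);
    questions.push({ name, type: u16(buf, next), cls: u16(buf, next + 2) });
    off = next + 4;
  }
  for (let i = 0; i < an; i++) {
    const { name, next } = decodeName(buf, off);
    const type = u16(buf, next);
    const ttl = u16(buf, next + 4) * 0x10000 + u16(buf, next + 6);
    const rdlen = u16(buf, next + 8), rd = next + 10;
    if (rd + rdlen > buf.length) throw new Error('truncated rdata');
    const rr = { name, type, ttl };
    if (type === TYPES.SRV) {
      rr.priority = u16(buf, rd); rr.weight = u16(buf, rd + 2); rr.port = u16(buf, rd + 4);
      rr.target = decodeName(buf, rd + 6).name;
    } else if (type === TYPES.A) {
      rr.address = Array.from(buf.subarray(rd, rd + 4)).join('.');
    }
    answers.push(rr);
    off = rd + rdlen;
  }
  return { id, rcode: flags & 0x0f, questions, answers };
}

// Constructed sample reply to "_sip._tcp.example.com SRV": the query with the
// response bits set, plus one SRV answer that uses compression pointers for
// both its owner name (offset 12) and the "example.com" suffix (offset 22).
function sampleResponse() {
  const bytes = Array.from(buildQuery('_sip._tcp.example.com', TYPES.SRV, 0xbeef));
  bytes[2] = 0x81; bytes[3] = 0x80;       // QR=1, RD=1, RA=1, RCODE=0
  bytes[7] = 1;                            // ANCOUNT=1
  bytes.push(
    0xc0, 0x0c,                            // owner: pointer to question name
    0, 33, 0, 1,                           // TYPE SRV, CLASS IN
    0, 0, 0x0e, 0x10,                      // TTL 3600
    0, 12,                                 // RDLENGTH
    0, 10, 0, 60, 0x13, 0xc4,              // priority 10, weight 60, port 5060
    3, 0x73, 0x69, 0x70, 0xc0, 0x16);      // "sip" + pointer to "example.com"
  return Uint8Array.from(bytes);
}

console.log(JSON.stringify(parseResponse(sampleResponse()), null, 1));
```

The whole thing is under a hundred lines, which is roughly the "relatively compact set of JavaScript functions" Shane speculates about; the part that costs real effort is not the encoding but the defensive reading of untrusted bytes, which any client that accepts responses from a proxy has to get right.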
