Warn on Google DNS resolver use, issue a notice on non-localhost use
|Reported by:||gummybearcandies.wordpress.com||Owned by:|
|uname -a:||Does this really matter?|
|nginx -V:||Ditto above.|
Virtually every example out there I see on using OCSP stapling ends up using this line:
resolver 220.127.116.11 18.104.22.168;
Anyone using Google DNS servers for OCSP stapling should be punched in the face. It opens the door to DNS cache poisoning of the OCSP stapling mechanism by a third-party. Data centers are easy enough to identify by IP address range. So all Google has to do is verify that someone is requesting known OCSP servers, verify that the server supports OCSP stapling, and they can easily engage in an OCSP stapling MITM attack (e.g. at the behest of the NSA). A warning should be issued when Google DNS in conjunction with OCSP stapling to the effect of:
"[warn] You have entered one or more Google DNS addresses for 'resolver'. Please use a more secure setup. See [URL here] for more information."
Is potentially just as bad. A notice for non-localhost DNS should be issued to the effect of:
"[notice] Please install a localhost DNS caching server (e.g. BIND) on this system and point 'resolver' to it. See [URL here] for more information."
The only valid values should be:
resolver 127.0.0.1 [::1];
There's literally no excuse for not running BIND locally in it's default configuration. It's easy to install and set up on most distributions (e.g. Debian/Ubuntu - sudo apt-get install bind9). Everyone not using localhost for DNS resolution should get their butts kicked over to the documentation where it should inform the user about how to not screw up their web server's security.