EDU Tutorial:
DNS Privacy
Sara Dickinson Sinodun
EDU Tutorial @ IETF_97 Seoul (Nov 2017)
DNS Privacy Tutorial @ IETF 97 Nov 2016, Seoul
Overview
• Goal:
• Give audience historical background on why DNS Privacy is an important topic
• Chart progress during last 3 years
• Present current status and tools
Agenda
• Internet Privacy - presented by dkg
• DNS Privacy - A brief history
• DPRIVE WG et al.
• Implementation & deployment today
• Meet Stubby - a privacy stub resolver
• Ongoing & future work
Internet Privacy
Daniel Kahn Gillmor ACLU
DNS Privacy - A brief history
IETF Privacy activity
March 2011: I-D: Privacy Considerations for Internet Protocols (IAB)
June 2013: Snowden revelations
July 2013: RFC6973: Privacy Considerations for Internet Protocols
May 2014: RFC7258: Pervasive Monitoring is an Attack
August 2015: RFC7624: Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement
Much other ongoing work…
What timing!
RFC 7258
“The IETF community's technical assessment is that PM is an attack on the privacy of Internet users and organisations.”
“The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible.”
DNS Privacy in 2013?
• DNS [RFC1034/5 - 1987] - original design goals: availability, redundancy and speed!
• DNS standards:
• UDP (99% of traffic to root)
• TCP only for ‘fallback’ when UDP MTU exceeded and XFR (support only mandatory from 2010)
• Perception: The DNS is public, right? It is not sensitive/personal information… it doesn’t need to be encrypted
DNS sent in clear text => NSA: ‘MORECOWBELL’ DNS monitoring
DNS Disclosure Example 1
[Diagram: Stub → Rec → Root, Auth for .org, Auth for ietf.org. The full query name datatracker.ietf.org is sent to every server on the path, so each of them learns what is being looked up (leaks information).]
DNS Privacy in 2013?
• RFC6891: Extension Mechanisms for DNS (EDNS0)
• But… the mechanism enabled addition of end-user data into DNS queries (non-standard options)
• Client subnet (RFC7871*)
• User MAC addresses or user name/id
CDN justification: Faster content (geo location)
ISP justification: Parental Filtering (per device)
Intended to enhance DNS protocol capabilities
* Informational
DNS Disclosure Example 2
[Diagram: Stub → CPE → Rec → Auth. The CPE adds the user's MAC address to the DNS query (ietf.org ? [00:00:53:00:53:00]); the recursive adds a Client Subnet option containing the source subnet (ietf.org ? [192.168.1]).]
DNS Disclosure Example 2
[Diagram: Stub → CPE → Rec → Auth; one user's sequence of queries: ietf.org ?, conradhotels.hilton.com ?, ba.com ?, ietfmemes.tumblr.com ?]
Even behind a NAT, you do not have anonymity!
Even behind a recursive, you do not have anonymity!
DNS Disclosure Example 3
[Diagram: Stub → Rec → Root, Auth for .org; at each hop the question is: who monitors or has access here?]
• When at home…
• When in a coffee shop…
DNS - complications
• Basic problem is leakage of metadata
• Allows re-identification of individuals
• But… there are legal requirements on providers regarding access to user data (country specific)
• Traffic analysis is possible based just on timings and cache snooping
• DNS Filtering is becoming more prevalent
DNS Risk Matrix
Columns - In-Flight: Stub => Rec, Rec => Auth; At Rest: At Recursive, At Authoritative
Rows (risks): Passive monitoring; Active monitoring; Other disclosure risks, e.g. data breaches
Run a local resolver?
• Some users choose to run a local resolver on their client machine (e.g. Unbound) for increased privacy
• bypass intermediate resolvers
• have local DNSSEC validation
• But still sending queries in clear text, still querying authoritative servers
DNS Privacy options (2013)
• DNSCurve
• Daniel J. Bernstein, initial interest but no adoption
• DNSCrypt
• Many implementations, several open DNSCrypt Resolvers (OpenDNS), [Yandex browser]
• Authentication with some privacy
• Documented but not standard
(Slide annotations: Stub-Recursive; Recursive-Auth; Anti-spoofing, anti-DoS)
DNS Privacy options (2014)
• DNSTrigger (NLNet Labs)
• Client software to enable DNSSEC
• Used TLS on port 443 as a last-ditch attempt to enable DNSSEC
• So… there was a DNS-over-TLS implementation in Unbound recursive resolver
Goal was DNSSEC, not Privacy!
DPRIVE WG et al.
DPRIVE WG
• DPRIVE WG created in 2014
• Why not tackle whole problem?
• Don’t boil the ocean
• Rec to Auth is a particularly hard problem
• Step-by-step solution
Charter: Primary Focus is Stub to recursive
DNS Privacy problem
[Diagram: Stub → Rec → Root, Auth for .org]
Stub => Rec relationship: 1 to ‘a few’, some of whom are known (ISP)
Rec => Auth relationship: 1 to many, most of whom are not known
=> Authentication is hard
RFC 7626 - DNS Privacy Considerations
• Problem statement: Expert coverage of risks throughout DNS ecosystem
• Rebuts “alleged public nature of DNS data”
• The data may be public, but a DNS ‘transaction’ is not/should not be.
Worth a read - many interesting issues here!
“A typical example from outside the DNS world is: the web site of Alcoholics Anonymous is public; the fact that you visit it should not be.”
Choices, choices…
• So… we know the problem, but what mechanism to use for encrypting DNS?
• STARTTLS
• TLS
• DTLS
• Confidential DNS draft
Drafts submitted on all these solutions to the working group
Encryption Options - Pros and Cons
STARTTLS
• Pros: Port 53; known technique; incremental deployment
• Cons: Downgrade attack on negotiation; port 53 - middleboxes blocking?; latency from negotiation
TLS (new port)
• Pros: New DNS port (no interference with port 53); existing implementations
• Cons: New port assignment; scalability?
DTLS (new port)
• Pros: UDP based
• Cons: Not as widely used/deployed; truncation of DNS messages (just like UDP) ➡ fallback to TLS or clear text ❌ Can’t be a standalone solution
Encrypted DNS ‘TODO’ list
• Get a new port
• DNS-over-TLS: Address issues with DNS-over-TCP in standards and implementations
• Tackle authentication of DNS Privacy servers
• What about traffic analysis of encrypted traffic (padding, etc.)
Get a new port!
• Oct 2015 - 853 is the magic number
“Your request has been processed. We have assigned the following system port number as an early allocation per RFC7120, with the DPRIVE Chairs as the point of contact:
domain-s 853 tcp DNS query-response protocol run over TLS/DTLS
domain-s 853 udp DNS query-response protocol run over TLS/DTLS”
DNS + TCP/TLS?
• TCP/TLS is a new challenge for DNS operators
• DNS-over-TCP history:
• typical DNS clients do ‘one-shot’ TCP
• DNS servers have very basic TCP capabilities
• No attention paid to TCP tuning, robustness
• Performance tools based on one-shot TCP
Fix DNS-over-TCP/TLS
Goal: Optimise set up & resumption
• How: TCP Fast Open (TFO); TLS session resumption; [TLS 1.3]
Goal: Amortise cost of TCP/TLS setup
• How: RFC7766 (bis of RFC5966) - March 2016: client pipelining (not one-shot!), server concurrent processing, out-of-order responses; RFC7858: persistent connections (keepalive)
Goal: Servers handle many connections robustly
• How: Learn from the HTTP world!
Performance (RFC7766)
Client - pipeline requests, keep the connection open and handle out-of-order responses
Server - concurrent processing of requests, sending out-of-order responses
[Diagram: stub sends q1, q2 to R (recursive), which forwards to A (auth). In-order processing: a2 is delayed waiting for a1 (+1 RTT). Concurrent processing with OOOR: reply as soon as possible, 0 extra RTT.]
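The client-side mechanics behind this slide, as an added example that is not from the tutorial or from any getdns/Stubby code: RFC 7766 two-octet TCP/TLS framing, several queries pipelined into one write, and responses matched to outstanding queries by message ID and question section so that out-of-order replies (OOOR) are handled, plus the RFC 7830 EDNS(0) Padding option from the DPRIVE document list. The padding block size and the stand-in server replies are constructed assumptions.

```python
import struct

EDNS_OPT_PADDING = 12   # EDNS(0) option code "Padding" (RFC 7830)
PAD_BLOCK = 128         # constructed choice; RFC 7830 leaves the block size to policy


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, msg_id: int, pad_block: int = PAD_BLOCK) -> bytes:
    """One-question query with an OPT RR carrying a Padding option so that the
    whole message is a multiple of pad_block octets (hides the name length)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1 (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt_fixed_len = 11   # root name (1) + TYPE, CLASS, TTL, RDLEN (2+2+4+2)
    unpadded = len(header) + len(question) + opt_fixed_len + 4   # +4: option code + length
    pad_len = (-unpadded) % pad_block
    rdata = struct.pack("!HH", EDNS_OPT_PADDING, pad_len) + b"\x00" * pad_len
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata))  # TYPE 41, UDP size 4096
    return header + question + opt + rdata


def question_section(msg: bytes) -> bytes:
    """Raw QNAME+QTYPE+QCLASS of a one-question message (questions use no compression)."""
    off = 12
    while msg[off] != 0:
        off += 1 + msg[off]
    return msg[12:off + 1 + 4]


def frame(msg: bytes) -> bytes:
    """RFC 7766 TCP/TLS framing: two-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def pipelined_write(queries) -> bytes:
    """Client side of RFC 7766 pipelining: many framed queries in one write,
    without waiting for the answer to the previous one."""
    return b"".join(frame(q) for q in queries)


def unframe(stream: bytes):
    """Split a byte stream into complete messages; return (messages, leftover)."""
    msgs = []
    while len(stream) >= 2:
        (n,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + n:
            break                      # partial frame: wait for more bytes
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


def make_response(query: bytes) -> bytes:
    """Constructed stand-in for a server reply: same ID and question, QR bit set,
    no answer records (enough to exercise the matching logic)."""
    (msg_id,) = struct.unpack("!H", query[:2])
    return struct.pack("!HHHHHH", msg_id, 0x8180, 1, 0, 0, 0) + question_section(query)


def match_responses(pending: dict, stream: bytes):
    """Client side of out-of-order responses (OOOR): match each arriving reply to an
    outstanding query by message ID and question section, not by arrival order.
    Returns ({id: response}, leftover_bytes); matched ids are removed from pending."""
    msgs, leftover = unframe(stream)
    matched = {}
    for m in msgs:
        rid, flags = struct.unpack("!HH", m[:4])
        if not flags & 0x8000:          # QR bit must be set on a response
            continue
        q = pending.get(rid)
        if q is not None and question_section(q) == question_section(m):
            matched[rid] = m
            del pending[rid]
    return matched, leftover
```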
Authentication in DNS-over-(D)TLS
2 Usage Profiles:
• Strict - “Do or do not. There is no try.” - Encrypt & authenticate or nothing
• Opportunistic - “Success is stumbling from failure to failure with no loss of enthusiasm” - Try (in order): authentication & encryption, then encryption, then clear text
Authentication in DNS-over-(D)TLS
• Authentication based on either:
• Authentication domain name
• SPKI pinset
• Shouldn’t DNS use DANE…? Well - even better:
• draft-shore-tls-dnssec-chain-extension
DNS Auth using DANE
[Diagram: DNS Privacy client [DNSSEC] ↔ DNS Privacy server over TLS. Step 1: obtain an Auth Domain name & IP address (1a: configure the Auth domain name, or do an opportunistic SRV lookup). Step 2a: opportunistic lookup of the DANE records for the server; validate locally with DNSSEC.]
TLS DNSSEC Chain Extension
[Diagram: DNS Privacy client [DNSSEC] ↔ DNS Privacy server. Step 1: obtain an Auth Domain name & IP address (1a: configure the Auth domain name, or do an opportunistic SRV lookup). Step 0 (or 2): the server obtains the DANE records for itself! Client Hello: TLS DNSSEC Chain Extension; Server Hello: server DANE records.]
• Reduces latency
• Eliminates need for a validating recursive
DPRIVE Solution Documents (stub to recursive)
Document Date Topic
RFC7858 May 2016 DNS-over-TLS
RFC7830 May 2016 Padding
draft-ietf-dprive-dnsodtls* Completed WGLC DNS-over-DTLS
draft-ietf-dprive-dtls-and-tls-profiles In WGLC Authentication for DNS-over-(D)TLS
*Intended status: Experimental
What about Recursive to Authoritative?
• DPRIVE - Next step is to tackle this issue with encryption
• draft-bortzmeyer-dprive-step-2
• Presents 6 authentication options/models
• Authoritative DNS servers using TLS…
• Re-charter? WG discussion on this here in Seoul (Fri)!
• DNSOP - RFC7816: QNAME Minimisation (mitigates)
DNS Disclosure Example 1
[Diagram: Stub → Rec → Root, Auth for .org, Auth for ietf.org. Without QNAME minimisation the full name datatracker.ietf.org is sent to every server: leaks information.]
QNAME Minimisation
[Diagram: Stub → Rec → Root, Auth for .org, Auth for ietf.org. With QNAME minimisation the recursive asks the Root for org, the Auth for .org for ietf.org, and only the Auth for ietf.org for the full name datatracker.ietf.org.]
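The query plan behind this diagram, as an added example not taken from the tutorial or from any resolver's code: a recursive walking from the root with and without RFC 7816 QNAME minimisation, so you can compare which server sees which name. The delegation data and the behaviour of the simulated authoritative servers (referral when the asked name is a known zone cut, otherwise an answer) are constructed assumptions.

```python
def labels(name: str) -> list:
    """Split a domain name into labels; the root ('.') has none."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def simulate_auth(zone: str, qname: str, zone_cuts: set):
    """Constructed stand-in for the authoritative server of `zone`: if the
    shortest suffix of `qname` below `zone` is a known delegation point, return
    a referral to it; otherwise the server answers (or says NODATA) itself."""
    parts = labels(qname)
    for n in range(len(labels(zone)) + 1, len(parts) + 1):
        candidate = ".".join(parts[-n:])
        if candidate in zone_cuts:
            return ("referral", candidate)
    return ("answer", None)


def resolution_plan(qname: str, zone_cuts: set, minimise: bool = True) -> list:
    """Return the list of (zone_asked, name_sent) pairs a recursive would send,
    starting at the root. With minimise=True the recursive sends only one
    label more than the zone it is asking (RFC 7816); otherwise the full name."""
    parts = labels(qname)
    zone, n_sent, plan = ".", (1 if minimise else len(parts)), []
    while True:
        sent = ".".join(parts[-n_sent:])
        plan.append((zone, sent))
        kind, target = simulate_auth(zone, sent, zone_cuts)
        if kind == "referral":
            zone = target                       # follow the delegation
            if minimise:
                n_sent = len(labels(zone)) + 1  # next label only
        elif sent == qname:
            return plan                         # final answer obtained
        else:
            n_sent += 1  # intermediate name was not a cut: add a label, ask the same server


def names_seen(plan: list) -> dict:
    """Group the names each zone's server sees (i.e. what it could log)."""
    seen = {}
    for zone, sent in plan:
        seen.setdefault(zone, set()).add(sent)
    return seen
```

A label that is not a zone cut (for example a host under ietf.org with one more label) costs one extra query to the same server with minimisation on, which is the trade-off RFC 7816 accepts.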
DNS-over-HTTP(S)
• DNS-over-HTTP(S) has been around a while…
• draft-shane-review-dns-over-http
• Privacy (HTTPS authentication)
• Bypass port 53 interference (middlebox, captive portals)
• Higher level API
DNS-over-HTTP(S)
• Google: DNS-over-HTTPS
• draft-ietf-dnsop-dns-wireformat-http
• “Servers and clients SHOULD use TLS for communication.”
• draft-hoffman-dns-over-http - DNS Queries over HTTPS
• Non-WG Mailing list and Bar BOF here (Tuesday)
Data handling policies
• Do you read the small print of your ISP's contract?
• More work/research needed in this area
• Transparency from providers
• Methods for de-identification of user data (e.g. DITL)
• Use of ‘PassiveDNS’ data for research/security analysis
Risk Mitigation Matrix
Columns - In-Flight: Stub => Rec, Rec => Auth; At Rest: At Recursive, At Authoritative
Risk: Passive monitoring - Mitigations: Encryption (e.g. TLS, HTTPS); QNAME Minimization
Risk: Active monitoring - Mitigation: Authentication & Encryption
Risk: Other disclosure risks, e.g. data breaches - Mitigation: Data best practices (policies), e.g. de-identification
Implementation Status
Recursive implementations
Recursive resolvers compared: Unbound, BIND, Knot Res (remaining column headers garbled in extraction; per-cell status was shown as colour and is not reproduced here)
TCP/TLS Features: TCP fast open; process pipelined queries; provide OOOR; EDNS0 Keepalive
TLS Features: TLS on port 853; provide server certificate; EDNS0 Padding
Rec => Auth: QNAME Minimisation
Legend - Dark Green: Latest stable release supports this; Light Green: Patch available; Yellow: Patch/work in progress, or requires building a patched dependency; Purple: Workaround available; Grey: Not applicable or not yet planned
Alternative server side solutions
• dnsdist from PowerDNS would be great…
• But no support yet
• Pure TLS load balancer
• NGINX, HAProxy
• BIND article on using stunnel
Disadvantages
• server must still have decent TCP capabilities
• DNS specific access control is missing
• pass-through of the edns0-tcp-keepalive option
Stub implementations
Stub resolvers compared: ldns (drill), digit, getdns*, BIND (dig) (per-cell status was shown as colour and is not reproduced here)
TCP/TLS Features: TCP fast open; connection reuse; pipelining of queries; process OOOR; EDNS0 Keepalive
TLS Features: TLS on port 853; authentication of server; EDNS0 Padding
Legend - Dark Green: Latest stable release supports this; Light Green: Patch available; Yellow: Patch/work in progress, or requires building a patched dependency; Grey: Not applicable or not yet planned
* getdns uses libunbound in recursive mode
Implementation Status
• Increasing uptake of better DNS-over-TCP
• Several implementations of DNS-over-TLS
• None yet of DNS-over-DTLS
• Key is enabling end users and application developers to easily adopt DNS Privacy
Deployment Status
DNS-over-TLS Servers
https://portal.sinodun.com/wiki/display/TDNS/DNS-over-TLS+test+servers
Hosted by - Software - Supports Strict?
• NLnet Labs - Unbound - Y
• OARC - Unbound - (not stated)
• Surfnet (Sinodun) - Bind + HAProxy, Bind + nginx - Y
• IETF?
RIPE NCC
• RIPE DNS WG: Discussion support of experimental DNS Privacy Services
• RIPE NCC have expressed interest in a community effort:
• Research various solutions and issues
• ‘DNS-over-TLS operational guidance’
getdns
• Modern async DNSSEC enabled API
• https://getdnsapi.net
• Written in C, several bindings
• DNS-over-TLS, validating DNSSEC stub
• ‘Stubby’ now available for testing
Meet Stubby - A Privacy Enabling Stub Resolver
Stubby - getdns_query by another name
• 1.1.0a3 - getdns_query tool extended to
• Run as daemon handling requests
• Configure OS DNS resolution to point at 127.0.0.1
• Reads defaults from /etc/stubby.conf (TLS)
• Supports domain name and SPKI pinset authentication, Strict and Opportunistic
Stubby Demo
• How to build and use Stubby
Ongoing and Future work
• Hacking this weekend at the IETF 97 Hackathon
• Lots of work on Stubby!
• More complete recursive implementations
• Increased deployment
• More DPRIVE work: Recursive to Auth…
Summary
• DNS Privacy is an important issue
• Active work on the large solution space
• Can test DNS Privacy today using Stubby & current test recursive servers
• More DNS Privacy services on the way…
Thank you!
Any Questions?