Today, nearly all DNS queries are send unencrypted. This makes DNS vulnerable to eavesdropping by someone with access to the network. The DNS-Privacy group (DPRIVE) inside the Internet Engineering Task Force (IETF), as well as people outside the IETF, are working on new transport protocols to encrypt DNS traffic between DNS clients and resolver. * DNS over TLS (RFC 7858) * DNS over DTLS (RFC 8094) * DNS over HTTP(S) (ID-draft) * DNS over QUIC (ID-draft) * DNS over DNSCrypt (outside IETF) * DNS over TOR (outside IETF) In this webinar, we will explain the protocols available or discussed inside and outside the IETF, and give some example configurations on how to use this new privacy protocols today.

1. © Men & Mice http://menandmice.com
How to send DNS over
anything encrypted
1

2. © Men & Mice http://menandmice.com
Agenda
The DNS-Privacy group (DPRIVE) inside the Internet Engineering
Task Force (IETF), as well as a number of dedicated people outside
the IETF, are working on new transport protocols to allow for
encrypting DNS traffic between DNS clients and resolvers. Current
developments include:
•DNS over TLS (RFC 7858)
•DNS over DTLS (RFC 8094)
•DNS over HTTP(S) (ID-draft)
•DNS over QUIC (ID-draft)
•DNS over DNSCrypt (outside IETF)
•DNS over TOR (outside IETF)
2

3. © Men & Mice http://menandmice.com
DNS Privacy
3

4. © Men & Mice http://menandmice.com
DNS is Metadata
•IETF started the DPRIVE (DNS Privacy Working
Group) after the Snowden revelations
•RFC 7626 DNS Privacy Considerations
https://tools.ietf.org/html/rfc7626
•current focus of DPRIVE is the client to resolver
channel
•creating protocols that are stealthy sometimes
painfully collides with clean protocol design
4

5. © Men & Mice http://menandmice.com
DNS OVER TLS
5

6. © Men & Mice http://menandmice.com
DNS-over-TLS
•RFC 7858 Specification for DNS over Transport
Layer Security (TLS)
•DNS wireformat over TLS over TCP
•Port 853 (TCP)
•encryption and authentication
6

7. © Men & Mice http://menandmice.com
DNS-over-TLS Performance
•performance of DNS-over-TLS can be quite good
•for existing sessions with TLS 1.3 as good as DNS-
over-UDP
•pipelining
•TCP fast open
•0-RTT resume
•current implementations are not optimized
7

8. © Men & Mice http://menandmice.com
DNS-over-TLS Implementations
•Client
•Unbound (as local forwarder)
•Stubby (getdnsapi)
•dnsfwd
•Server
•Unbound (as remote resolver)
•Knot
•any DNS server via stunnel
8

9. © Men & Mice http://menandmice.com
DNS-over-TLS Developments
•TLS 1.3 deployment stalled because of
misbehaving middle-boxes (BlueCoat)
•controversial in the IETF, but useful: multiplexing
HTTPS and DNS on port 443
•https://gitlab.com/dkg/hddemux
9

10. © Men & Mice http://menandmice.com
DNS OVER DTLS
10

11. © Men & Mice http://menandmice.com
DNS-over-DTLS
•RFC 8094 DNS over Datagram Transport Layer
Security (DTLS)
•DNS wireformat over TLS over UDP
•Port 853 (UDP)
•encryption and authentication
11

12. © Men & Mice http://menandmice.com
DNS-over-DTLS Issues
•adversary can block DNS queries
•resource exhaustion attacks against DNS server
possible
•no known implementations
12

13. © Men & Mice http://menandmice.com
DNS OVER HTTP(S)
13

14. © Men & Mice http://menandmice.com
DNS-over-HTTP(S)
•IETF Internet Draft DNS Queries over HTTPS
https://tools.ietf.org/html/draft-hoffman-dns-over-https
•DNS HTTP-Format over HTTPS over TCP
•Port 443 (HTTP/2)
•URL: https://server/.well-known/dns-query
•base64url encoded DNS data, Content-Header
application/dns-udpwireformat
•encryption and authentication
14

15. © Men & Mice http://menandmice.com
DNS-over-HTTP(S) Benefits
•HTTPS might be the only option in highly
firewalled networks
•easy to implement for (Web-)Developers
(JavaScript etc)
15

16. © Men & Mice http://menandmice.com
DNS-over-HTTP(S) additional
documents
•Representing DNS Messages in JSON
https://tools.ietf.org/html/draft-hoffman-dns-in-json
•DNS Messages in XML (expired)
https://tools.ietf.org/html/draft-mohan-dns-query-xml
16

17. © Men & Mice http://menandmice.com
DNS-over-HTTP(S)
similar implementations
•DNS over JSON over HTTPS over TCP
•Google DNS Server-Side
https://developers.google.com/speed/public-dns/docs/dns-
over-https
•dingo - A DNS client in Go that supports Google DNS
over HTTPS
https://github.com/pforemski/dingo
•CoreDNS
https://coredns.io/2016/11/26/dns-over-https/
17

18. © Men & Mice http://menandmice.com
DNS-WIREFORMAT OVER
HTTPS
18

19. © Men & Mice http://menandmice.com
DNS-Wireformat-over-HTTP(S)
•DNS wireformat over HTTP(S) over TCP
•Internet Draft DNS wire-format over HTTP
https://tools.ietf.org/html/draft-ietf-dnsop-dns-wireformat-http
•Port 80 or 443 (HTTP 1.1 or HTTP/2)
•URL: https://server/.well-known/dns-wireformat
•Content-Header application/dns-wireformat
•may provide encryption and authentication
•DNS wire-format data is wrapped with an HTTP header and
transmitted on port 80 or 443
19

20. © Men & Mice http://menandmice.com
DNS OVER QUIC
20

21. © Men & Mice http://menandmice.com
DNS-Wireformat-over-HTTP(S)
•DNS over QUIC over UDP
•Specification of DNS over Dedicated QUIC
Connections
https://tools.ietf.org/html/draft-huitema-quic-dnsoquic
21

22. © Men & Mice http://menandmice.com
DNS-over-QUIC
•modern TCP replacement from Google, now
standardised in the IETF
•uses UDP, implements TCP features
•usually implemented in applications, not OS kernel
•includes TLS 1.3
•0-RTT
•performance in-par with DNS-over-UDP
•QUIC Documents https://tools.ietf.org/wg/quic/
22

23. © Men & Mice http://menandmice.com
DNS-over-QUIC Comparison
23
Source: https://datatracker.ietf.org/meeting/99/materials/slides-99-dprive-dns-over-quic

24. © Men & Mice http://menandmice.com
DNS OVER OPPORTUNISTIC
IPSEC
24

25. © Men & Mice http://menandmice.com
DNS OVER OPPORTUNISTIC IPSEC
•DNS over UDP or TCP over IPSec
•DNS queries will be tunnelled via IPSec
•provides encryption (but only limited
authentication)
•Unauthenticated Opportunistic IPsec
https://libreswan.org/wiki/
HOWTO:_Unauthenticated_Opportunistic_IPsec
25

26. © Men & Mice http://menandmice.com
DNS-over-opportunistic IPSEC
Implementations
• LibreSWAN and Unbound (IPSec Module)
26

27. © Men & Mice http://menandmice.com
DNS-over-opportunistic IPSEC
additional work
•make IPSec work in case of heavy firewalling:
RFC 8229 TCP Encapsulation of IKE and IPsec
Packets
•allows IPSec to work on Port 443
(multiplexed with HTTPS)
27

28. © Men & Mice http://menandmice.com
DNS OVER DNSCrypt
28

29. © Men & Mice http://menandmice.com
DNS OVER DNSCrypt
•DNS over DNSCrypt over UDP or TCP
•DNSCrypt is a DNS privacy solution originally developed
by OpenDNS (now Cisco)
•encryption and authentication
•protocol is open source, but somewhat underdocumented
•client operates a DNS proxy that tunnels DNS over
DNSCrypt
•some, but not all DNSCrypt resolver support DNSSEC
29

30. © Men & Mice http://menandmice.com
DNS OVER Tor
30

31. © Men & Mice http://menandmice.com
DNS OVER TOR
•DNS over Tor over TCP
•Port 9053
•Tor client proxies the DNS queries through a tor
circuit
•only A/AAAA-Records supported (no TXT, MX, SOA …)
•no DNSSEC, rogue Tor exit node can spoof DNS traffic
•> 30 % of Tor exit nodes use Google public DNS
31

32. © Men & Mice http://menandmice.com
Padding of DNS data
32

33. © Men & Mice http://menandmice.com
DNS padding
•DNS query/responses are small data chunks
•traffic analysis might be acute when dealing with
DNS queries
•the IETF is working on padding schemes for DNS
to make traffic analysis more difficult
•RFC 7830 The EDNS(0) Padding Option
•Padding Policy for EDNS(0)
https://tools.ietf.org/html/draft-ietf-dprive-padding-policy
33

34. © Men & Mice http://menandmice.com
Performance
34

35. © Men & Mice http://menandmice.com
Performance
Alexa Top 1000 domains
35

36. © Men & Mice http://menandmice.com
Performance
1000 DNS queries from office network
36

37. © Men & Mice http://menandmice.com
Links
37

38. © Men & Mice http://menandmice.com
Informational resources
•DNS Privacy Project
https://dnsprivacy.org
•Specification for DNS over Transport Layer Security (TLS)
https://tools.ietf.org/html/rfc7858
•public DNS resolver with DNS over TLS
https://dnsprivacy.org/wiki/display/DP/
DNS+Privacy+Test+Servers
•HDDMUX sourcecode
https://0xacab.org/dkg/hddemux
38

39. © Men & Mice http://menandmice.com
Informational resources
•DNSCrypt
https://dnscrypt.org/
• DNSCrypt-proxy
https://github.com/jedisct1/dnscrypt-proxy
•list of DNSCrypt-Resolver
https://dnscrypt.org/dnscrypt-resolvers.html
•Simple DNSCrypt for Windows
https://simplednscrypt.org/
•DNSCrypt GUI für macOS
https://github.com/alterstep/dnscrypt-osxclient
•DNSCrypt Blacklist Konfiguration
https://github.com/jedisct1/dnscrypt-proxy/blob/master/contrib/domains-
blacklist.conf
39

40. © Men & Mice http://menandmice.com
Informational resources
•Tor-Project
https://torproject.org
• The Effect of DNS on Tor’s Anonymity
https://freedom-to-tinker.com/2016/09/29/the-
effect-of-dns-on-tors-anonymity/
• DNS-over-TLS Forwarder
https://github.com/randomstuff/dnsfwd
40

41. © Men & Mice http://menandmice.com
Next
41

42. © Men & Mice http://menandmice.com
Men & Mice DNS Training
•Introduction to DNS & BIND Hands-On Class
•September 18 – 20, 2017 (Zurich, Switzerland)
42
https://www.menandmice.com/training/

43. © Men & Mice http://menandmice.com
Men & Mice DNS Training
•Introduction & Advanced DNS and BIND Topics
Hands-On Class
•September 18 – 22, 2017 (Zurich, Switzerland)
43
https://www.menandmice.com/training/

44. © Men & Mice http://menandmice.com
Men & Mice DNS Training
•DNSSEC and DANE (German Language)
•December 4-12, 2017, Essen, DE
44
http://linuxhotel.de/

45. © Men & Mice http://menandmice.com
Thank you!
Questions? Comments?
45