8. Agenda
The insecure DNS
DNS-over-HTTPS is secure DNS
How to enable DNS-over-HTTPS
The resistance
We’re not done yet!
DNSSEC, DNScrypt and DNS-over-TLS
Common secure-DNS challenges
9. Imagine you walk into a coffee shop
Or a huge room at a conference offering free wifi
10. DHCP
Anyone, is there a DNS server
around for me??!?!1!!
Sure, send all your
requests in clear text to
the server over there!
11. DHCP
Asking for a server
In clear text
Getting a response from an unverified source
In clear text
Suggesting we use another unverified source
To send sensitive data to
In clear text
12. DNS over UDP (or TCP)
Asking for a name-to-address translation
in clear text
Getting a response from an unverified source
in clear text
That server might ask one or more other servers
in clear text
16. DNS over HTTPS
RFC 8484
Never over clear-text HTTP
HTTPS protection
RFC 1035 packets in HTTPS “payloads”
Privacy and security
Needs to be manually configured
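Added example (not code from the talk or from curl) showing what “RFC 1035 packets in HTTPS payloads” means on the wire: it builds a DNS query, wraps it in the RFC 8484 GET form (`?dns=` with base64url, padding stripped) and parses a constructed response. The DoH URL https://doh.example.com/ is the placeholder used on the slides.

```python
import base64
import struct

def build_query(name, qtype=1, txid=0):
    """Encode an RFC 1035 query message. RFC 8484 suggests txid 0 so that
    identical queries give identical URLs, which lets HTTP caches work."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def doh_get_url(doh_url, query):
    """RFC 8484 GET form: ?dns=<base64url(query)> with '=' padding stripped."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return doh_url + "?dns=" + dns

def parse_a_answers(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                 # skip the question section
        while msg[off] != 0:
            off += 1 + msg[off]
        off += 1 + 4                         # root label + QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        if msg[off] & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            off += 2
        else:
            while msg[off] != 0:
                off += 1 + msg[off]
            off += 1
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

# Constructed response, not captured from any real resolver: answers the
# "curl.haxx.se A" query with one A record for 192.0.2.1 (TEST-NET-1).
_Q = build_query("curl.haxx.se")
SAMPLE_RESPONSE = (
    _Q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + _Q[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("https://doh.example.com/", _Q))
    print(parse_a_answers(SAMPLE_RESPONSE))
```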
17. Why HTTPS?
Applications can resolve names easily
Proxy friendly
Hard to block
Easy to implement
Easy connection re-use
HTTPS with HTTP/2 means
✔ Multiplexing
✔ Server push
21. DoH in curl
$ curl --doh-url https://doh.example.com/ https://daniel.haxx.se/
Shipped in 7.62.0
22. DoH in libcurl
Shipped in 7.62.0
#include <curl/curl.h>

CURL *curl = curl_easy_init();
CURLcode res;
curl_easy_setopt(curl, CURLOPT_URL, "https://curl.haxx.se/");
/* resolve the host name via this DoH server instead of the system resolver */
curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://doh.example.com/");
res = curl_easy_perform(curl);
curl_easy_cleanup(curl);
23. DoH in Chrome
Code added in the repository
Unknown status
Bromite offers DoH support
Google runs an experimental DoH end-point
24. DoH in the server
Several public end-points
Google, quad9, Cloudflare, cleanbrowsing, Power-DNS, etc *
Many server implementations *
Proxy options make it easy to run your own
I wrote my toy DoH server in hours
* = https://github.com/curl/curl/wiki/DNS-over-HTTPS
26. DNS over HTTPS – the resistance
A protocol layer violation
DNS centralization is wrong
Cl**dfl**e is evil
GDPR will save all Europeans
HTTPS allows for more user-tracking
27. DNS over HTTPS – the resistance
User configuration is hard
Admins need to monitor users
Name resolves can’t be unsupervised
“Debugging DNS issues is impossible”
“Split horizon” problems
Bad responses due to wrong geography
29. DoH - areas to explore further
No browser enables it by default
Discovery (draft-hoffman-resolver-associated-doh)
More than one?
Trusted service operators?
“I run a service, ask me about my domains”
HTTP/3 (vs DNS over QUIC)
31. DNSSEC
By the IETF in 1999
Prevents fake responses and tampering
Still done over clear text – no privacy protection
Basically never used to the end user
15% of the world’s DNS resolvers verify
Should be used by the resolver you DoH/DoT with
32. DNScrypt
Traces back to 2008
Not done through IETF
TCP/UDP on port 443
No connection re-use
No multiplexing
“probably the most deployed encrypted DNS protocol to date”
33. DNS over TLS
Uses TLS instead of UDP/TCP
RFC 7858 (May 2016)
Secure
Private
- easy to block since it uses a unique port (853)
- typically done opportunistically
- not widely used yet
34. DoT vs DoH – what you really wanted to know
DoT                          DoH
System configured            User controlled
Controlled server            Secured network path
Trivially blockable          Hard to block
Not multiplexed              Multiplexed (HTTP/2)
Often no connection reuse    Basically always connection reuse
37. Wrap-up
DoH is authenticated secure name resolves
Easy to use
Easy to serve
Offers functionality related tech lacks
It does not imply centralization
Secure DNS is not completely solved yet