DNS Privacy - RIPE Network Coordination Centre · DNS over TLS • DNS queries to resolver via...
http://www.nlnetlabs.nl/
DNS Privacy Implementation and Deployment
DNS WG, RIPE 74, May 2017
Benno Overeinder, NLnet Labs
Why DNS Privacy?
• IAB published RFC 6473: "Privacy Considerations for Internet Protocols", July 2013
• Snowden revelations, June 2013
• RFC 7258: "Pervasive Monitoring is an Attack", May 2014
• RFC 7624: "Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement", August 2015
But Wait... DNS and Privacy?
But Wait... DNS and Privacy?
• RFC 7626: "DNS Privacy Considerations", August 2015
• Debunk "the alleged public nature of DNS data"
• Data might be public, but a DNS transaction is not (or should not be)
ATTACKS
The First/Last Mile
[Diagram: stub resolvers -> resolver -> authoritative name servers, with example queries "ripe.net?", "ietf.org?", "icann.org?"]
DNS Information Leakage
[Diagram: the stub resolver asks the resolver "ripe74.ripe.net?"; the resolver then sends the full name "ripe74.ripe.net?" to the root, .net and .ripe.net authoritative name servers, which leaks information]
Etc. and More Information
• Excellent IETF tutorial by Sara Dickinson (Sinodun)
  – Background information
  – Other attack or DNS disclosure scenarios
  – Recent IETF RFCs and IETF WG activities
  – https://www.ietf.org/meeting/97/tutorials/dns-privacy.html
• https://dnsprivacy.org/
IMPLEMENTATION
Protecting the First/Last Mile
• Encrypt your DNS traffic
  – STARTTLS
  – TLS
  – DTLS
  – Confidential DNS draft
  – DNSCurve and DNSCrypt (not in IETF)
DNS over TLS
• DNS queries to resolver via (authenticated) TLS connections
• Requires "tuning" for DNS over TCP/TLS
  – optimise session setup & resumption
    • TCP Fast Open and TLS session resumption
  – pipelining & out-of-order processing
    • see next slide
  – robust TCP management of many connections
    • learn from HTTP servers & proxies
Out-of-Order Processing
Reducing DNS Leakage: QNAME Minimisation
[Diagram: the stub resolver asks the resolver "ripe74.ripe.net?"; the resolver asks the root only ".net?", the .net servers ".ripe.net?", and the .ripe.net servers "ripe74.ripe.net"]
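As an added illustration (not code from the presentation or from NLnet Labs), the following Python simulation walks the delegation chain from the diagram and returns the query name each authoritative level sees, with and without QNAME minimisation; the delegation table is a constructed toy and only the query name is modelled, not the query type a real resolver picks for the intermediate lookups.

```python
# Added illustration: simulate a resolver walking the delegation chain from
# the slide (root -> .net -> ripe.net), with and without QNAME minimisation.
# Not code from the presentation or NLnet Labs; the delegation table is a
# constructed toy, and only the query NAME is modelled (real resolvers also
# choose a query TYPE for the intermediate lookups).

# Constructed delegation tree: zone -> child zones it delegates.
DELEGATIONS = {
    ".": {"net."},
    "net.": {"ripe.net."},
    "ripe.net.": set(),          # authoritative for ripe74.ripe.net
}


def labels(name):
    """Split an absolute name into its labels: 'ripe.net.' -> ['ripe', 'net']."""
    return [label for label in name.rstrip(".").split(".") if label]


def resolve(qname, minimise):
    """Return the (zone asked, name sent) pairs needed to resolve qname.

    With minimise=True the resolver sends each zone only the zone cut plus one
    more label of qname; with minimise=False the full qname goes to every
    zone, which is the information leak shown on the earlier slide.
    """
    qname = qname if qname.endswith(".") else qname + "."
    zone = "."
    trace = []
    while True:
        if minimise:
            qlabels = labels(qname)
            n = len(labels(zone)) + 1          # one label beyond the known cut
            name_sent = ".".join(qlabels[-n:]) + "." if n <= len(qlabels) else qname
        else:
            name_sent = qname
        trace.append((zone, name_sent))
        # The zone returns a referral when qname lies under one of its children;
        # otherwise this zone is authoritative and gives the final answer.
        child = next((c for c in DELEGATIONS[zone]
                      if qname == c or qname.endswith("." + c)), None)
        if child is None:
            return trace
        zone = child


if __name__ == "__main__":
    for mode in (False, True):
        print("QNAME minimisation" if mode else "Full QNAME to every server")
        for zone, name in resolve("ripe74.ripe.net", mode):
            print(f"  {zone:10s} <- {name}")
```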
DEPLOYMENT
Deployment of DNS Privacy Enhanced DNS services
[Diagram: stub resolver to resolver over DNS over TLS ("ripe74.ripe.net?"); resolver to the root, .net and .ripe.net authoritative name servers with QNAME minimisation (".net?", ".ripe.net?", "ripe74.ripe.net?")]
Deployment of DNS over TLS
• getdns as stub
  – act as stub or full recursive
  – DNSSEC as a stub
    • even without validating upstreams
  – avoid DNSSEC roadblocks
    • works around upstreams that hamper DNSSEC
  – DNS64
    • signed IPv4 can be validated
  – DNS Privacy
    • DNS over TLS
• Stubby is the getdns stub resolver with all privacy options enabled
DNS Privacy Enhanced Resolvers
• Available implementations
  – Unbound
  – Knot Resolver
  – Bind + TLS proxy (nginx or HAProxy)
• DNS-over-TLS test resolvers (see dnsprivacy.net)
  – NLnet Labs/OARC/Yeti: Unbound
  – SURFnet/Sinodun: Bind + HAProxy/nginx
  – dkg: Knot Resolver
QNAME Minimisation Enabled Resolvers
• Implemented
  – Unbound
  – Knot Resolver
• In future release
  – Bind
WRAPPING-UP
Resources
• IETF DPRIVE Tutorial by Sara Dickinson and Daniel Kahn Gillmor
  – https://www.ietf.org/meeting/97/tutorials/dns-privacy.html
• DNS Privacy websites
  – Community, non-technical: dnsprivacy.org
  – Enterprise/corporate users: dnsprivacy.net
• getdns project website
  – getdnsapi.net
Acknowledgements & Questions?
• Acknowledgements
  – Sara Dickinson
  – Allison Mankin
  – Willem Toorop
  – getdns team
  – IETF hackathon participants