SlideShare a Scribd company logo

How to send DNS over anything encrypted

Men and Mice, profile picture
Men and Mice

The document discusses various protocols being developed to encrypt DNS traffic between clients and resolvers, including DNS over TLS, DTLS, HTTP(s), QUIC, and others. It highlights the importance of DNS privacy, especially post-Snowden revelations, and outlines the performance and implementation details of each method. Additionally, the document addresses the implementation challenges and potential security issues associated with some encryption methods.

Technology
1 of 45
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
© Men & Mice http://menandmice.com How to send DNS over anything encrypted 1
© Men & Mice http://menandmice.com Agenda The DNS-Privacy group (DPRIVE) inside the Internet Engineering Task Force (IETF), as well as a number of dedicated people outside the IETF, are working on new transport protocols to allow for encrypting DNS traffic between DNS clients and resolvers. Current developments include: •DNS over TLS (RFC 7858) •DNS over DTLS (RFC 8094) •DNS over HTTP(S) (ID-draft) •DNS over QUIC (ID-draft) •DNS over DNSCrypt (outside IETF) •DNS over TOR (outside IETF) 2
© Men & Mice http://menandmice.com DNS Privacy 3
© Men & Mice http://menandmice.com DNS is Metadata •IETF started the DPRIVE (DNS Privacy Working Group) after the Snowden revelations •RFC 7626 DNS Privacy Considerations
 https://tools.ietf.org/html/rfc7626 •current focus of DPRIVE is the client to resolver channel •creating protocols that are stealthy sometimes painfully collides with clean protocol design 4
© Men & Mice http://menandmice.com DNS OVER TLS 5
© Men & Mice http://menandmice.com DNS-over-TLS •RFC 7858 Specification for DNS over Transport Layer Security (TLS) •DNS wireformat over TLS over TCP •Port 853 (TCP) •encryption and authentication 6
© Men & Mice http://menandmice.com DNS-over-TLS Performance •performance of DNS-over-TLS can be quite good •for existing sessions with TLS 1.3 as good as DNS- over-UDP •pipelining •TCP fast open •0-RTT resume •current implementations are not optimized 7
© Men & Mice http://menandmice.com DNS-over-TLS Implementations •Client •Unbound (as local forwarder) •Stubby (getdnsapi) •dnsfwd •Server •Unbound (as remote resolver) •Knot •any DNS server via stunnel 8
© Men & Mice http://menandmice.com DNS-over-TLS Developments •TLS 1.3 deployment stalled because of misbehaving middle-boxes (BlueCoat) •controversial in the IETF, but useful: multiplexing HTTPS and DNS on port 443 •https://gitlab.com/dkg/hddemux 9
© Men & Mice http://menandmice.com DNS OVER DTLS 10
© Men & Mice http://menandmice.com DNS-over-DTLS •RFC 8094 DNS over Datagram Transport Layer Security (DTLS) •DNS wireformat over TLS over UDP •Port 853 (UDP) •encryption and authentication 11
© Men & Mice http://menandmice.com DNS-over-DTLS Issues •adversary can block DNS queries •resource exhaustion attacks against DNS server possible •no known implementations 12
© Men & Mice http://menandmice.com DNS OVER HTTP(S) 13
© Men & Mice http://menandmice.com DNS-over-HTTP(S) •IETF Internet Draft DNS Queries over HTTPS
 https://tools.ietf.org/html/draft-hoffman-dns-over-https •DNS HTTP-Format over HTTPS over TCP •Port 443 (HTTP/2) •URL: https://server/.well-known/dns-query •base64url encoded DNS data, Content-Header
 application/dns-udpwireformat •encryption and authentication 14
© Men & Mice http://menandmice.com DNS-over-HTTP(S) Benefits •HTTPS might be the only option in highly firewalled networks •easy to implement for (Web-)Developers (JavaScript etc) 15
© Men & Mice http://menandmice.com DNS-over-HTTP(S) additional documents •Representing DNS Messages in JSON
 https://tools.ietf.org/html/draft-hoffman-dns-in-json •DNS Messages in XML (expired)
 https://tools.ietf.org/html/draft-mohan-dns-query-xml 16
© Men & Mice http://menandmice.com DNS-over-HTTP(S) 
 similar implementations •DNS over JSON over HTTPS over TCP •Google DNS Server-Side
 https://developers.google.com/speed/public-dns/docs/dns- over-https •dingo - A DNS client in Go that supports Google DNS over HTTPS
 https://github.com/pforemski/dingo •CoreDNS
 https://coredns.io/2016/11/26/dns-over-https/ 17
© Men & Mice http://menandmice.com DNS-WIREFORMAT OVER HTTPS 18
© Men & Mice http://menandmice.com DNS-Wireformat-over-HTTP(S) •DNS wireformat over HTTP(S) over TCP •Internet Draft DNS wire-format over HTTP
 https://tools.ietf.org/html/draft-ietf-dnsop-dns-wireformat-http •Port 80 or 443 (HTTP 1.1 or HTTP/2) •URL: https://server/.well-known/dns-wireformat •Content-Header application/dns-wireformat •may provide encryption and authentication •DNS wire-format data is wrapped with an HTTP header and transmitted on port 80 or 443 19
© Men & Mice http://menandmice.com DNS OVER QUIC 20
© Men & Mice http://menandmice.com DNS-Wireformat-over-HTTP(S) •DNS over QUIC over UDP •Specification of DNS over Dedicated QUIC Connections
 https://tools.ietf.org/html/draft-huitema-quic-dnsoquic 21
© Men & Mice http://menandmice.com DNS-over-QUIC •modern TCP replacement from Google, now standardised in the IETF •uses UDP, implements TCP features •usually implemented in applications, not OS kernel •includes TLS 1.3 •0-RTT •performance in-par with DNS-over-UDP •QUIC Documents https://tools.ietf.org/wg/quic/ 22
© Men & Mice http://menandmice.com DNS-over-QUIC Comparison 23 Source: https://datatracker.ietf.org/meeting/99/materials/slides-99-dprive-dns-over-quic
© Men & Mice http://menandmice.com DNS OVER OPPORTUNISTIC IPSEC 24
© Men & Mice http://menandmice.com DNS OVER OPPORTUNISTIC IPSEC •DNS over UDP or TCP over IPSec •DNS queries will be tunnelled via IPSec •provides encryption (but only limited authentication) •Unauthenticated Opportunistic IPsec
 https://libreswan.org/wiki/ HOWTO:_Unauthenticated_Opportunistic_IPsec 25
© Men & Mice http://menandmice.com DNS-over-opportunistic IPSEC Implementations • LibreSWAN and Unbound (IPSec Module) 26
© Men & Mice http://menandmice.com DNS-over-opportunistic IPSEC additional work •make IPSec work in case of heavy firewalling: 
 RFC 8229 TCP Encapsulation of IKE and IPsec Packets •allows IPSec to work on Port 443 
 (multiplexed with HTTPS) 27
© Men & Mice http://menandmice.com DNS OVER DNSCrypt 28
© Men & Mice http://menandmice.com DNS OVER DNSCrypt •DNS over DNSCrypt over UDP or TCP •DNSCrypt is a DNS privacy solution originally developed by OpenDNS (now Cisco) •encryption and authentication •protocol is open source, but somewhat underdocumented •client operates a DNS proxy that tunnels DNS over DNSCrypt •some, but not all DNSCrypt resolver support DNSSEC 29
© Men & Mice http://menandmice.com DNS OVER Tor 30
© Men & Mice http://menandmice.com DNS OVER TOR •DNS over Tor over TCP •Port 9053 •Tor client proxies the DNS queries through a tor circuit •only A/AAAA-Records supported (no TXT, MX, SOA …) •no DNSSEC, rogue Tor exit node can spoof DNS traffic •> 30 % of Tor exit nodes use Google public DNS 31
© Men & Mice http://menandmice.com Padding of DNS data 32
© Men & Mice http://menandmice.com DNS padding •DNS query/responses are small data chunks •traffic analysis might be acute when dealing with DNS queries •the IETF is working on padding schemes for DNS to make traffic analysis more difficult •RFC 7830 The EDNS(0) Padding Option •Padding Policy for EDNS(0)
 https://tools.ietf.org/html/draft-ietf-dprive-padding-policy 33
© Men & Mice http://menandmice.com Performance 34
© Men & Mice http://menandmice.com Performance 
 Alexa Top 1000 domains 35
© Men & Mice http://menandmice.com Performance 
 1000 DNS queries from office network 36
© Men & Mice http://menandmice.com Links 37
© Men & Mice http://menandmice.com Informational resources •DNS Privacy Project
 https://dnsprivacy.org •Specification for DNS over Transport Layer Security (TLS)
 https://tools.ietf.org/html/rfc7858 •public DNS resolver with DNS over TLS
 https://dnsprivacy.org/wiki/display/DP/ DNS+Privacy+Test+Servers •HDDMUX sourcecode
 https://0xacab.org/dkg/hddemux 38
© Men & Mice http://menandmice.com Informational resources •DNSCrypt
 https://dnscrypt.org/ • DNSCrypt-proxy
 https://github.com/jedisct1/dnscrypt-proxy •list of DNSCrypt-Resolver
 https://dnscrypt.org/dnscrypt-resolvers.html •Simple DNSCrypt for Windows
 https://simplednscrypt.org/ •DNSCrypt GUI für macOS
 https://github.com/alterstep/dnscrypt-osxclient •DNSCrypt Blacklist Konfiguration
 https://github.com/jedisct1/dnscrypt-proxy/blob/master/contrib/domains- blacklist.conf 39
© Men & Mice http://menandmice.com Informational resources •Tor-Project
 https://torproject.org • The Effect of DNS on Tor’s Anonymity
 https://freedom-to-tinker.com/2016/09/29/the- effect-of-dns-on-tors-anonymity/ • DNS-over-TLS Forwarder
 https://github.com/randomstuff/dnsfwd 40
© Men & Mice http://menandmice.com Next 41
© Men & Mice http://menandmice.com Men & Mice DNS Training •Introduction to DNS & BIND Hands-On Class •September 18 – 20, 2017 (Zurich, Switzerland) 42 https://www.menandmice.com/training/
© Men & Mice http://menandmice.com Men & Mice DNS Training •Introduction & Advanced DNS and BIND Topics Hands-On Class •September 18 – 22, 2017 (Zurich, Switzerland) 43 https://www.menandmice.com/training/
© Men & Mice http://menandmice.com Men & Mice DNS Training •DNSSEC and DANE (German Language) •December 4-12, 2017, Essen, DE 44 http://linuxhotel.de/
© Men & Mice http://menandmice.com Thank you! Questions? Comments? 45

More Related Content

PDF
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
PDF
Yeti DNS - Experimenting at the root
Men and Mice
 
PDF
The DNSSEC KSK of the root rolls
Men and Mice
 
PDF
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice
 
PDF
DNSSEC signing Tutorial
Men and Mice
 
PDF
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
PDF
Namespaces for Local Networks
Men and Mice
 
PDF
DNSTap Webinar
Men and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
Yeti DNS - Experimenting at the root
Men and Mice
 
The DNSSEC KSK of the root rolls
Men and Mice
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice
 
DNSSEC signing Tutorial
Men and Mice
 
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Namespaces for Local Networks
Men and Mice
 
DNSTap Webinar
Men and Mice
 

What's hot (20)

PDF
BIND 9 logging best practices
Men and Mice
 
PDF
Keeping DNS server up-and-running with “runit
Men and Mice
 
PDF
The CAA-Record for increased encryption security
Men and Mice
 
PDF
RIPE 71 and IETF 94 reports webinar
Men and Mice
 
PDF
What is new in BIND 9.11?
Men and Mice
 
PDF
SMTP STS (Strict Transport Security) vs. SMTP with DANE
Men and Mice
 
PDF
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
APNIC
 
PDF
Windows Server 2016 Webinar
Men and Mice
 
PDF
Kea DHCP – the new open source DHCP server from ISC
Men and Mice
 
PDF
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
PPTX
DoH, DoT and ESNI
Jisc
 
ODP
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
Utah Networxs Consultoria e Treinamento
 
PDF
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
PDF
Passive DNS Collection – Henry Stern, Cisco
Henry Stern
 
PDF
Troubleshooting Tips from a Docker Support Engineer
Jeff Anderson
 
PDF
Windows 2012 and DNSSEC
Men and Mice
 
PDF
Get your instance by name integration of nova, neutron and designate
Miguel Lavalle
 
PDF
Dnssec
guest3131f85
 
PDF
DNSSEC Tutorial; USENIX LISA 2013
Shumon Huque
 
PDF
Debugging Network Issues
Apcera
 
BIND 9 logging best practices
Men and Mice
 
Keeping DNS server up-and-running with “runit
Men and Mice
 
The CAA-Record for increased encryption security
Men and Mice
 
RIPE 71 and IETF 94 reports webinar
Men and Mice
 
What is new in BIND 9.11?
Men and Mice
 
SMTP STS (Strict Transport Security) vs. SMTP with DANE
Men and Mice
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
APNIC
 
Windows Server 2016 Webinar
Men and Mice
 
Kea DHCP – the new open source DHCP server from ISC
Men and Mice
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
DoH, DoT and ESNI
Jisc
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
Utah Networxs Consultoria e Treinamento
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
Passive DNS Collection – Henry Stern, Cisco
Henry Stern
 
Troubleshooting Tips from a Docker Support Engineer
Jeff Anderson
 
Windows 2012 and DNSSEC
Men and Mice
 
Get your instance by name integration of nova, neutron and designate
Miguel Lavalle
 
Dnssec
guest3131f85
 
DNSSEC Tutorial; USENIX LISA 2013
Shumon Huque
 
Debugging Network Issues
Apcera
 
Ad

Viewers also liked (20)

PDF
Scripting and automation with the Men & Mice Suite
Men and Mice
 
PDF
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
Cisco Canada
 
ODP
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
ThreatReel Podcast
 
PDF
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
CheapSSLsecurity
 
PDF
Umbrella Webcast: Redefining Security for the Nomadic Worker
OpenDNS
 
PPTX
Microsoft Cyber Security IT-Camp
Alexander Benoit
 
PDF
Dns Hardening Linux Os
ecarrow
 
ODP
OISF: Regular Expressions (Regex) Overview
ThreatReel Podcast
 
PPTX
Cyber crime & security
Avani Patel
 
PPTX
Phishing Scams: 8 Helpful Tips to Keep You Safe
CheapSSLsecurity
 
PDF
Role of DNS in Botnet Command and Control
OpenDNS
 
PDF
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Canada
 
PPTX
Cyber Security # Lec 2
Kabul Education University
 
PPTX
Tcp udp
Programmer
 
PDF
Social Networks And Phishing
ecarrow
 
PDF
Symantec (ISTR) Internet Security Threat Report Volume 22
CheapSSLsecurity
 
ODP
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
ThreatReel Podcast
 
PDF
Cisco umbrella overview
Cisco Canada
 
PDF
Cisco Connect Toronto 2017 - NFV/SDN Platform for Orchestrating Cloud and vBr...
Cisco Canada
 
PPT
Dns ppt
Mauood Hamidi
 
Scripting and automation with the Men & Mice Suite
Men and Mice
 
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
Cisco Canada
 
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
ThreatReel Podcast
 
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
CheapSSLsecurity
 
Umbrella Webcast: Redefining Security for the Nomadic Worker
OpenDNS
 
Microsoft Cyber Security IT-Camp
Alexander Benoit
 
Dns Hardening Linux Os
ecarrow
 
OISF: Regular Expressions (Regex) Overview
ThreatReel Podcast
 
Cyber crime & security
Avani Patel
 
Phishing Scams: 8 Helpful Tips to Keep You Safe
CheapSSLsecurity
 
Role of DNS in Botnet Command and Control
OpenDNS
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Canada
 
Cyber Security # Lec 2
Kabul Education University
 
Tcp udp
Programmer
 
Social Networks And Phishing
ecarrow
 
Symantec (ISTR) Internet Security Threat Report Volume 22
CheapSSLsecurity
 
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
ThreatReel Podcast
 
Cisco umbrella overview
Cisco Canada
 
Cisco Connect Toronto 2017 - NFV/SDN Platform for Orchestrating Cloud and vBr...
Cisco Canada
 
Dns ppt
Mauood Hamidi
 
Ad

Similar to How to send DNS over anything encrypted (20)

PDF
Report from IETF 89 in London - DNS, DHCP and IPv6
Men and Mice
 
PPTX
Understanding DNS Security
Nihal Pasham, CISSP
 
PDF
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE - ATT&CKcon
 
PPTX
Network tunneling techniques
inbroker
 
PDF
NZNOG 2020: DOH
APNIC
 
PDF
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
DTM Security
 
PPTX
How DNS works and How to secure it: An Introduction
yasithbagya1
 
PPT
Bo2004
Dan Kaminsky
 
PPTX
DNS Security Issues NES 554 for DNS Security
AliAlwesabi
 
PDF
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
Men and Mice
 
PPT
Dns
Sanoj Kumar
 
PDF
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
EC-Council
 
PDF
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
PPTX
IGF 2023: DNS Privacy
APNIC
 
PDF
Lets talk dns
Abhinav Mehta
 
PDF
RIPE 82: DNS Evolution
APNIC
 
PDF
08 tcp-dns
pantu_1961
 
PPTX
2_Chapter 2_DNS.pptx
hoangdinhhanh88
 
PDF
DNS Over HTTPS by Michael Casadevall
Glenn McKnight
 
PDF
getdns PyCon presentation
Melinda Shore
 
Report from IETF 89 in London - DNS, DHCP and IPv6
Men and Mice
 
Understanding DNS Security
Nihal Pasham, CISSP
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE - ATT&CKcon
 
Network tunneling techniques
inbroker
 
NZNOG 2020: DOH
APNIC
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
DTM Security
 
How DNS works and How to secure it: An Introduction
yasithbagya1
 
Bo2004
Dan Kaminsky
 
DNS Security Issues NES 554 for DNS Security
AliAlwesabi
 
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
Men and Mice
 
Dns
Sanoj Kumar
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
EC-Council
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
IGF 2023: DNS Privacy
APNIC
 
Lets talk dns
Abhinav Mehta
 
RIPE 82: DNS Evolution
APNIC
 
08 tcp-dns
pantu_1961
 
2_Chapter 2_DNS.pptx
hoangdinhhanh88
 
DNS Over HTTPS by Michael Casadevall
Glenn McKnight
 
getdns PyCon presentation
Melinda Shore
 

More from Men and Mice (12)

PPTX
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Men and Mice
 
PDF
Fighting Abuse with DNS
Men and Mice
 
PDF
PowerDNS Webinar - Part 2
Men and Mice
 
PDF
PowerDNS Webinar
Men and Mice
 
PDF
IETF 93 Review Webinar
Men and Mice
 
PDF
RIPE 70 Report Webinar
Men and Mice
 
PDF
DNSSEC best practices Webinar
Men and Mice
 
PDF
IETF 92 Webinar
Men and Mice
 
PDF
The KNOT DNS Server
Men and Mice
 
PDF
DNSSEC and DANE – E-Mail security reloaded
Men and Mice
 
PDF
IETF 90 Report – DNS, DHCP, IPv6 and DANE
Men and Mice
 
PDF
RIPE 68 Webinar
Men and Mice
 
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Men and Mice
 
Fighting Abuse with DNS
Men and Mice
 
PowerDNS Webinar - Part 2
Men and Mice
 
PowerDNS Webinar
Men and Mice
 
IETF 93 Review Webinar
Men and Mice
 
RIPE 70 Report Webinar
Men and Mice
 
DNSSEC best practices Webinar
Men and Mice
 
IETF 92 Webinar
Men and Mice
 
The KNOT DNS Server
Men and Mice
 
DNSSEC and DANE – E-Mail security reloaded
Men and Mice
 
IETF 90 Report – DNS, DHCP, IPv6 and DANE
Men and Mice
 
RIPE 68 Webinar
Men and Mice
 

Recently uploaded (20)

PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
KodekX | Application Modernization Development
KodekX
 
Cloud computing and distributed systems.
kkkkkhan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 

How to send DNS over anything encrypted

  • 1. © Men & Mice http://menandmice.com How to send DNS over anything encrypted 1
  • 2. © Men & Mice http://menandmice.com Agenda The DNS-Privacy group (DPRIVE) inside the Internet Engineering Task Force (IETF), as well as a number of dedicated people outside the IETF, are working on new transport protocols to allow for encrypting DNS traffic between DNS clients and resolvers. Current developments include: •DNS over TLS (RFC 7858) •DNS over DTLS (RFC 8094) •DNS over HTTP(S) (ID-draft) •DNS over QUIC (ID-draft) •DNS over DNSCrypt (outside IETF) •DNS over TOR (outside IETF) 2
  • 3. © Men & Mice http://menandmice.com DNS Privacy 3
  • 4. © Men & Mice http://menandmice.com DNS is Metadata •IETF started the DPRIVE (DNS Privacy Working Group) after the Snowden revelations •RFC 7626 DNS Privacy Considerations
 https://tools.ietf.org/html/rfc7626 •current focus of DPRIVE is the client to resolver channel •creating protocols that are stealthy sometimes painfully collides with clean protocol design 4
  • 5. © Men & Mice http://menandmice.com DNS OVER TLS 5
  • 6. © Men & Mice http://menandmice.com DNS-over-TLS •RFC 7858 Specification for DNS over Transport Layer Security (TLS) •DNS wireformat over TLS over TCP •Port 853 (TCP) •encryption and authentication 6
  • 7. © Men & Mice http://menandmice.com DNS-over-TLS Performance •performance of DNS-over-TLS can be quite good •for existing sessions with TLS 1.3 as good as DNS- over-UDP •pipelining •TCP fast open •0-RTT resume •current implementations are not optimized 7
  • 8. © Men & Mice http://menandmice.com DNS-over-TLS Implementations •Client •Unbound (as local forwarder) •Stubby (getdnsapi) •dnsfwd •Server •Unbound (as remote resolver) •Knot •any DNS server via stunnel 8
  • 9. © Men & Mice http://menandmice.com DNS-over-TLS Developments •TLS 1.3 deployment stalled because of misbehaving middle-boxes (BlueCoat) •controversial in the IETF, but useful: multiplexing HTTPS and DNS on port 443 •https://gitlab.com/dkg/hddemux 9
  • 10. © Men & Mice http://menandmice.com DNS OVER DTLS 10
  • 11. © Men & Mice http://menandmice.com DNS-over-DTLS •RFC 8094 DNS over Datagram Transport Layer Security (DTLS) •DNS wireformat over TLS over UDP •Port 853 (UDP) •encryption and authentication 11
  • 12. © Men & Mice http://menandmice.com DNS-over-DTLS Issues •adversary can block DNS queries •resource exhaustion attacks against DNS server possible •no known implementations 12
  • 13. © Men & Mice http://menandmice.com DNS OVER HTTP(S) 13
  • 14. © Men & Mice http://menandmice.com DNS-over-HTTP(S) •IETF Internet Draft DNS Queries over HTTPS
 https://tools.ietf.org/html/draft-hoffman-dns-over-https •DNS HTTP-Format over HTTPS over TCP •Port 443 (HTTP/2) •URL: https://server/.well-known/dns-query •base64url encoded DNS data, Content-Header
 application/dns-udpwireformat •encryption and authentication 14
  • 15. © Men & Mice http://menandmice.com DNS-over-HTTP(S) Benefits •HTTPS might be the only option in highly firewalled networks •easy to implement for (Web-)Developers (JavaScript etc) 15
  • 16. © Men & Mice http://menandmice.com DNS-over-HTTP(S) additional documents •Representing DNS Messages in JSON
 https://tools.ietf.org/html/draft-hoffman-dns-in-json •DNS Messages in XML (expired)
 https://tools.ietf.org/html/draft-mohan-dns-query-xml 16
  • 17. © Men & Mice http://menandmice.com DNS-over-HTTP(S) 
 similar implementations •DNS over JSON over HTTPS over TCP •Google DNS Server-Side
 https://developers.google.com/speed/public-dns/docs/dns- over-https •dingo - A DNS client in Go that supports Google DNS over HTTPS
 https://github.com/pforemski/dingo •CoreDNS
 https://coredns.io/2016/11/26/dns-over-https/ 17
  • 18. © Men & Mice http://menandmice.com DNS-WIREFORMAT OVER HTTPS 18
  • 19. © Men & Mice http://menandmice.com DNS-Wireformat-over-HTTP(S) •DNS wireformat over HTTP(S) over TCP •Internet Draft DNS wire-format over HTTP
 https://tools.ietf.org/html/draft-ietf-dnsop-dns-wireformat-http •Port 80 or 443 (HTTP 1.1 or HTTP/2) •URL: https://server/.well-known/dns-wireformat •Content-Header application/dns-wireformat •may provide encryption and authentication •DNS wire-format data is wrapped with an HTTP header and transmitted on port 80 or 443 19
  • 20. © Men & Mice http://menandmice.com DNS OVER QUIC 20
  • 21. © Men & Mice http://menandmice.com DNS-Wireformat-over-HTTP(S) •DNS over QUIC over UDP •Specification of DNS over Dedicated QUIC Connections
 https://tools.ietf.org/html/draft-huitema-quic-dnsoquic 21
  • 22. © Men & Mice http://menandmice.com DNS-over-QUIC •modern TCP replacement from Google, now standardised in the IETF •uses UDP, implements TCP features •usually implemented in applications, not OS kernel •includes TLS 1.3 •0-RTT •performance in-par with DNS-over-UDP •QUIC Documents https://tools.ietf.org/wg/quic/ 22
  • 23. © Men & Mice http://menandmice.com DNS-over-QUIC Comparison 23 Source: https://datatracker.ietf.org/meeting/99/materials/slides-99-dprive-dns-over-quic
  • 24. © Men & Mice http://menandmice.com DNS OVER OPPORTUNISTIC IPSEC 24
  • 25. © Men & Mice http://menandmice.com DNS OVER OPPORTUNISTIC IPSEC •DNS over UDP or TCP over IPSec •DNS queries will be tunnelled via IPSec •provides encryption (but only limited authentication) •Unauthenticated Opportunistic IPsec
 https://libreswan.org/wiki/ HOWTO:_Unauthenticated_Opportunistic_IPsec 25
  • 26. © Men & Mice http://menandmice.com DNS-over-opportunistic IPSEC Implementations • LibreSWAN and Unbound (IPSec Module) 26
  • 27. © Men & Mice http://menandmice.com DNS-over-opportunistic IPSEC additional work •make IPSec work in case of heavy firewalling: 
 RFC 8229 TCP Encapsulation of IKE and IPsec Packets •allows IPSec to work on Port 443 
 (multiplexed with HTTPS) 27
  • 28. © Men & Mice http://menandmice.com DNS OVER DNSCrypt 28
  • 29. © Men & Mice http://menandmice.com DNS OVER DNSCrypt •DNS over DNSCrypt over UDP or TCP •DNSCrypt is a DNS privacy solution originally developed by OpenDNS (now Cisco) •encryption and authentication •protocol is open source, but somewhat underdocumented •client operates a DNS proxy that tunnels DNS over DNSCrypt •some, but not all DNSCrypt resolver support DNSSEC 29
  • 30. © Men & Mice http://menandmice.com DNS OVER Tor 30
  • 31. © Men & Mice http://menandmice.com DNS OVER TOR •DNS over Tor over TCP •Port 9053 •Tor client proxies the DNS queries through a tor circuit •only A/AAAA-Records supported (no TXT, MX, SOA …) •no DNSSEC, rogue Tor exit node can spoof DNS traffic •> 30 % of Tor exit nodes use Google public DNS 31
  • 32. © Men & Mice http://menandmice.com Padding of DNS data 32
  • 33. © Men & Mice http://menandmice.com DNS padding •DNS query/responses are small data chunks •traffic analysis might be acute when dealing with DNS queries •the IETF is working on padding schemes for DNS to make traffic analysis more difficult •RFC 7830 The EDNS(0) Padding Option •Padding Policy for EDNS(0)
 https://tools.ietf.org/html/draft-ietf-dprive-padding-policy 33
  • 34. © Men & Mice http://menandmice.com Performance 34
  • 35. © Men & Mice http://menandmice.com Performance 
 Alexa Top 1000 domains 35
  • 36. © Men & Mice http://menandmice.com Performance 
 1000 DNS queries from office network 36
  • 37. © Men & Mice http://menandmice.com Links 37
  • 38. © Men & Mice http://menandmice.com Informational resources •DNS Privacy Project
 https://dnsprivacy.org •Specification for DNS over Transport Layer Security (TLS)
 https://tools.ietf.org/html/rfc7858 •public DNS resolver with DNS over TLS
 https://dnsprivacy.org/wiki/display/DP/ DNS+Privacy+Test+Servers •HDDMUX sourcecode
 https://0xacab.org/dkg/hddemux 38
  • 39. © Men & Mice http://menandmice.com Informational resources •DNSCrypt
 https://dnscrypt.org/ • DNSCrypt-proxy
 https://github.com/jedisct1/dnscrypt-proxy •list of DNSCrypt-Resolver
 https://dnscrypt.org/dnscrypt-resolvers.html •Simple DNSCrypt for Windows
 https://simplednscrypt.org/ •DNSCrypt GUI für macOS
 https://github.com/alterstep/dnscrypt-osxclient •DNSCrypt Blacklist Konfiguration
 https://github.com/jedisct1/dnscrypt-proxy/blob/master/contrib/domains- blacklist.conf 39
  • 40. © Men & Mice http://menandmice.com Informational resources •Tor-Project
 https://torproject.org • The Effect of DNS on Tor’s Anonymity
 https://freedom-to-tinker.com/2016/09/29/the- effect-of-dns-on-tors-anonymity/ • DNS-over-TLS Forwarder
 https://github.com/randomstuff/dnsfwd 40
  • 41. © Men & Mice http://menandmice.com Next 41
  • 42. © Men & Mice http://menandmice.com Men & Mice DNS Training •Introduction to DNS & BIND Hands-On Class •September 18 – 20, 2017 (Zurich, Switzerland) 42 https://www.menandmice.com/training/
  • 43. © Men & Mice http://menandmice.com Men & Mice DNS Training •Introduction & Advanced DNS and BIND Topics Hands-On Class •September 18 – 22, 2017 (Zurich, Switzerland) 43 https://www.menandmice.com/training/
  • 44. © Men & Mice http://menandmice.com Men & Mice DNS Training •DNSSEC and DANE (German Language) •December 4-12, 2017, Essen, DE 44 http://linuxhotel.de/
  • 45. © Men & Mice http://menandmice.com Thank you! Questions? Comments? 45