DoH, or Don't?

Agenda

• DNS-Privacy
• DoH/DoT/DoQ
• The Dilemma
• Summary

Privacy in DNS?

• in recent years, the IETF has expanded the DNS protocol with privacy features
  • DNS-over-TLS (transport encryption between DNS client and DNS resolver)
  • DNS-over-HTTPS (transport encryption between DNS client and DNS resolver)
  • QNAME Minimization (less metadata in DNS)
  • EDNS-Padding (hiding of DNS data in encrypted connections)

The need for more DNS privacy

• a study presented at IETF 105 during the Applied Networking Research Workshop in July 2019 found that
  • 8.5 % of networks (AS) intercept DNS queries (27.9% in China)
  • (today) most queries are answered un-altered
• but the situation might change, intercept server might change DNS answers

encrypted transport for DNS

Performance of DoT/DoH (1/2)

• with TLS 1.3 performance of DoT/DoH is quite good
• with established connections, performance can be similar to DNS-over-UDP due to
  • Pipelining
  • TCP fast open
  • 0-RTT resume
• on connections with packet loss, DoT/DoH can be faster and more reliable than Do53!
• not all implementations are fully optimized

Performance of DoT/DoH (2/2)

• Mozilla found that in lossy networks DoH can be faster and more reliable than Do53
• The study "Analyzing the Costs (and Benefits) of DNS, DoT, and DoH for the Modern Web" presented at Applied Networking Research Workshop July 2019 confirms that finding

DoT - DNS-over-TLS

• RFC 7858 "Specification for DNS over Transport Layer Security (TLS)"
• DNS wireformat over TLS over TCP
• Port 853 (TCP)
• Encryption and Authentication (Internet PKI or via DANE)

DNS-over-TLS (1/3)

DNS-over-TLS (2/3)

DNS-over-TLS (3/3)

DNS-over-TLS modes

• DNS-over-TLS can be operated in two modes
  • opportunistic - try TLS authentication, but still use server in case authentication fails
  • strict - only use server if there are no errors in the TLS connection

DNS-over-TLS operators

• Operator
  • Cloudflare/APNIC Resolver (1.1.1.1)
  • Quad9 Resolver (9.9.9.9)
  • SurfNET
  • Digitalcourage (talk to them @camp)
  • Verisign
  • Google (8.8.8.8)
  • viele unabhängige DNS-Resolver

DoH - DNS over HTTP(S)

• RFC 8484 DNS Queries over HTTPS (DoH) (P. Hoffman, ICANN and P. McManus, Mozilla) https://tools.ietf.org/html/rfc8484
• DNS HTTP-Format over HTTPS over TCP, Port 443 (HTTP/2)
• URL: https://server/dns-query{?dns}
• Encryption, Authentication and Cloaking

DoH - DNS-over-HTTPS

DoH timeline

• IETF 100 - November 2017 - DNS over HTTP(S) (DoH) workinggroup started: https://datatracker.ietf.org/wg/doh/about/
• IETF 101 - March 2018 - work on DNS Queries over HTTPS finished, start of working group last call (WGLC) in April 2018
• October 2018 - RFC 8484 published

DNS-over-HTTPS and IDS/Network-filter

Quote from RFC 8484:

Operational Considerations […] Filtering or inspection systems that rely on unsecured transport of DNS will not function in a DNS over HTTPS environment due to the confidentiality and integrity protection provided by TLS.

DoH in Firefox (1/3)

• Firefox 61+ (manual switch)
• Firefox TRR Konfigurations Optionen

DoH in Firefox (2/3)

• Firefox Quantum (Screenshot FF 68)

DoH in Firefox (3/3)

• Mozilla plans to enable DoH in Firefox by default in the future. No date announced.
• User can select among a list of certified DoH operators per "region"
• operators of DoH services can apply for privacy certification
• Mozilla Policy Requirements for DNS over HTTPs Partners: https://wiki.mozilla.org/Security/DOH-resolver-policy

DoH in Google Chrome

• currently, DoH can be enabled in Chrome via commandline switches https://judge.sh/how-to-enable-dns-over-https-on-chrome-right-now/
• a GUI configuration is coming with Chrome Version 78
• Google has no plans to enable DoH by default

DoH operators (Selection)

• Cloudflare https://cloudflare-dns.com/dns-query
• Cloudflare/Mozilla https://mozilla.cloudflare-dns.com/dns-query
• Clean Browsing https://doh.cleanbrowsing.org/doh/family-filter/
• PowerDNS https://doh.powerdns.org
• BlahDNS (de) https://doh.de.blahdns.com/dns-query
• SecureDNS https://doh.securedns.eu/dns-query

Current DoT/DoH status

Firefox Browser

• Firefox Trusted Recursive/Remote Resolver (TRR) Program
  • Cloudflare (default) or NextDNS
  • Comcast XFinity (coming)
  • automatic roll-out started in February 2020

Chrome(ium) Browser

Safari Browser (iOS, iPadOS, MacOS)

• support for DoH and DoT in iOS 14 and MacOS 11 'Big Sur'
• Support for Adaptive DNS resolver discovery and oblivious DNS (oDoH)

Android

• DoT available from Android 9 "Pie"
• manual setting
• "auto upgrade" from the configured DNS resolver, or Google DNS as fallback

Apple MacOS 11 and iOS/iPadOS 14

Microsoft Windows 10

• support in latest Windows 10/11 builds

Linux

• DoT support in systemd-resolved for some time
• opportunistic mode only (automatic fallback to DNS53)
• no server authentication (MITM possible)
• global or "per interface" setting
• not enabled by default

OpenBSD

• DoT support in unwind
• not enabled by default
• opportunistic "auto update" mode or manual configured "strict" mode
• server authentication via TLS certificate

DoT vs DoH

• differences between DoT and DoH
  • DoT can be easily blocked, because it is running on an dedicated port (853)
  • DoH is made to look like normal HTTPS traffic, selective blocking of DoH is difficult
  • DoH seems to be easier to implement, because of existing HTTPS library functions in programming languages
  • DoH enables developers to do DNS name resolution on an application level, which some people think is bad

The DoH dilemma

• to reach the Internet users that are in need of privacy, DoH needs to be enabled by default
  • DoH Server selection can be seen as similar to the CA selections browsers do
• a fixed selection "per region" will (still) lead to centralization of all DNS queries with a few DNS operators
  • but that might still be the case even without DoH, some countries in Asia send > 90% of DNS queries to DoC (Google)

DoH and DoT Software - only browser?

• new DNS privacy protocols sparked a large number of new software projects
• this part of the presentation will look at
  • comparison of the start of new software projects in comparison to the new standards
  • number of projects for DNS-over-HTTPS vs. DNS-over-TLS
  • programming languages used to implement the new protocols

The survey

• looked at 55 DoT/DoH open source software projects on Github and Gitlab
• done in May 2019 and June 2019
• only software products, no composition projects (Docker Container etc)
• full list: https://doh.defaultroutes.de/implementations.html
• see presentation at RIPE 78 and recent blog post in the APNIC blog (linked from the page above)

Languages

DoT vs DoH

Which protocols are implemented. Some projects implement both:

Project start

Year of the first commit, frist release or when DoH/DoT functions were implemented

Freshness

Activity in the project in the last 6 month?

Applications

• Firefox
• Chrome
• curl
• Tenta-Browser
• Bromite

System Resolver

• systemd-resolved
• unwind
• resolver module for Linux glibc

Client-Proxies

• sdns
• dnscrypt-proxy2
• veild
• stubby
• unbound
• cloudflared
• Dohnut
• dns-over-https

Server-Proxies

• rust-doh
• dnsdist
• dns-over-https

Server

• BIND 9.18
• unbound
• Knot
• sdns

Whats missing in DoH/DoT software

• certificate authentication via DANE
• Wittness function - query multiple provider and compare response data
• security audits of DoH/DoT software

DNS over QUIC - the future of DNS?

• DNS over QUIC over UDP
• Specification of DNS over Dedicated QUIC Connections https://datatracker.ietf.org/doc/html/draft-ietf-dprive-dnsoquic

what is QUIC

• modern TCP replacement from Google, being currently standardized in the IETF
  • based on UDP, implements TCP features
  • implemented as part of the application, not the OS
  • includes TLS 1.3
  • 0-RTT
• DoQ similar to Do53 (DNS-over-UDP)
• QUIC IETF WG documents https://tools.ietf.org/wg/quic/

DNS over QUIC

DNS over QUIC Comparision

Was ist dnsdist

• dnsdist ist ein Open-Source DNS load-balancer
  • Homepage: https://dnsdist.org
  • Lizenz: GPL Version 2
• dnsdist wird von PowerDNS.COM B.V erstellt und betreut
  • dnsdist ist unabhängig vom PowerDNS autoritativen DNS server und vom PowerDNS Recursor (die Produkte teilen sich Quellcode)
  • dnsdist kann zusammen mit anderen DNS Servern benutzt werden (BIND 9, NSD, Windows DNS, Unbound …)

dnsdist Besonderheiten (1)

• dnsdist empfängt DNS Anfragen und leitet diese an nachfolgende DNS Resolver oder autoritative DNS Server weiter
  • fail-over oder load-balancing Regeln steuern diese Weiterleitung
• Antworten können im dnsdist gecached werden
• dnsdist kann Angriffe und DNS-Missbrauch erkennen und abwehren
• DNS-over-TLS und DNS-over-HTTPS Unterstützung
• DNScrypt Unterstützung

dnsdist Besonderheiten (2)

• eBPF Socket Filter (Linux)
• Einfache aber mächtige Konfigurations-Möglichkeiten mit der Programmiersprache Lua
• Kann im Betrieb dynamisch umkonfiguriert werden (ohne Neustart)
• Remote HTTP API
• Eingebauter Web-Server für API-Zugriffe, Monitoring und Statistiken

Anwendungsszenarien für dnsdist

Fail-Over

• dnsdist kann DNS Anfragen basierend auf der Verfügbarkeit von Backend-Servern im Pool verteilen
  • Hierzu wird die Policy firstAvailable benutzt
  • Bei dieser Policy haben die Server im Pool eine Reihenfolge: der erste verfügbare Server in der Reihenfolge bekommt alle Anfragen
  • Diese Policy kann zusätzlich mit einem "Anfragen pro Sekunde" Limit konfiguriert werden
    • Wird dieses Limit überschritten, so werden die überzähligen Anfragen an den nächsten DNS Server in der Reihe geleitet

Fail-Over

Load-Balancing

• dnsdist kann DNS Anfragen auf verschiedene Back-End-Server (oder Back-End-Server Pools) verteilen. Hierbei gibt es verschiedene Load-Balancing Konfigurationen:

Load-Balancing

• Die Load-Balancing Regeln können durch eigene, in der Programmiersprache Lua (https://www.lua.org/) programmierten, Regeln erweitert werden
  • Beispiel einer einfachen Round-Robin Policy:

counter=0
function luaroundrobin(servers, dq)
     counter=counter+1
     return servers[1+(counter % #servers)]
end

setServerPolicyLua("luaroundrobin", luaroundrobin)

Load-Balancing

DoH/DoT Proxy, DDoS und Malware Absicherung

• dnsdist kann neue Funktionen zu bestehenden autoritativen DNS Server und DNS Resolvern hinzufügen, ohne das Änderungen an diesen Backend-Servern notwendig sind
  • Schutz vor Denial-of-Service Angriffen
  • Filtern von bekannten Malware-Domains (aka DNS-Firewall)
  • DNS Transport-Verschlüsselung (DNS-over-TLS und DNS-over-HTTPS)

DoH/DoT Transport Verschlüsselung

Messdaten in einem DNS-Server-Cluster zusammenführen

• Da dnsdist als zentrales System die Anfragen an die Server eines DNS-Clusters weiterleitet, kann dnsdist ein Monitoring für einen DNS-Cluster bereitstellen
  • für mehrere DNS Resolver
  • für mehrere autoritative DNS Server

Messdaten zusammenführen

Zentraler DNS Cache

• dnsdist ist kein DNS-Resolver, es kann keine DNS-Delegationen verfolgen und DNS Namen selbstständig auflösen
  • dnsdist kann jedoch die Antworten von DNS-Resolvern im Cache speichern und von dort beantworten
  • dnsdist kann optional abgelaufene DNS-Informationen senden (TTL expired), wenn keiner der konfigurierten Back-End-Server erreichbar ist

> getPool(""):getCache():printStats()
Entries: 122/10000
Hits: 9147
Misses: 10147
Deferred inserts: 1
Deferred lookups: 0
Lookup Collisions: 0
Insert Collisions: 0
TTL Too Shorts: 0

Zentraler DNS Cache

Schutz von autoritativen DNS Servern

• dnsdist kann als front-end Load-Balancer vor autoritativen DNS Servern eingesetzt werden
  • Mittels spezieller Regeln kann dnsdist die autoritativen DNS Server vor bestimmen bösartigen DNS Anfragen schützen
  • Back-End Server können aus dem Cluster genommen werden (für Wartung oder zur Analyse von Vorfällen), ohne das der DNS-Dienst beeinträchtigt wird

Schutz von autoritativen DNS Servern

Schutz von autoritativen DNS Servern

DoH/DoT Termination

• dnsdist kann DNS-over-TLS (DoT) und DNS-over-HTTPS (DoH) Verbindungen terminieren
  • dnsdist erstellt einen DoH/DoT "proxy", welcher DoH/DoT Anfragen von DNS Clients annimmt und via klassischem DNS (UDP/TCP Port 53) an einen Back-End-Resolver weiterleitet

DoH/DoT Proxy

Motivation für einen DoH/DoT Proxy?

• Einfache Installation
• Die existierenden DNS-Resolver müssen nicht geändert werden
• Über separate Hardware/Server lässt sich diese Lösung einfach skalieren

Questions?

Links 1

• Passive DNS Replication https://www.first.org/conference/2005/papers/florian-weimer-paper-1.pdf
• RFC 7858 "Specification for DNS over Transport Layer Security (TLS) https://tools.ietf.org/html/rfc7858
• DNS-over-TLS in Android 9
  • https://www.heise.de/security/meldung/Android-P-verschluesselt-DNS-Anfragen-4027745.html
  • https://security.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
  • https://android-review.googlesource.com/q/topic:dns-dev-opt+(status:open+OR+status:merged)

Links 2

• DNS-over-TLS implementations https://doh.defaultroutes.de/implementations.html
• DNS-over-TLS operator (selection)
  • Cloudflare/APNIC https://developers.cloudflare.com/1.1.1.1/dns-over-tls/
  • Quad9 Resolver https://www.quad9.net/
  • SurfNET https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
  • Verisign https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

Links 3

• DNS over HTTPS
  • DNS-over-HTTPS RFC 8484 https://tools.ietf.org/html/rfc8484
  • Google DNS-over-HTTPS Dienst https://developers.google.com/speed/public-dns/docs/dns-over-https
  • OpenResolve https://www.openresolve.com/
  • DinGO https://github.com/pforemski/dingo
  • CoreDNS https://coredns.io/2016/11/26/dns-over-https/

Links 4

• DNS-over-QUIC
  • IETF Draft https://tools.ietf.org/html/draft-huitema-quic-dnsoquic
  • QUIC Documents https://tools.ietf.org/wg/quic/
• Is the DNS evolving to fast?
  • “The DNS Camel”, or, the rise in DNS complexity https://blog.powerdns.com/2018/03/22/the-dns-camel-or-the-rise-in-dns-complexit/
  • RFC 8324 - DNS Privacy, … Time for Another Look? https://tools.ietf.org/html/rfc8324

Links 5

• July 2019 ANRW Workshop (Videos and Proceedings) https://irtf.org/anrw/2019/program.html
• Who Is Answering My Queries:Understanding and Characterizing Interception of the DNS Resolution Path http://delivery.acm.org/10.1145/3350000/3341122/p15-liu.pdf
• Analyzing the Costs (and Benefits) of DNS, DoT, and DoH for the Modern Web https://irtf.org/anrw/2019/program.html