DoH, or Don't?

Carsten Strotmann, dnsworkshop.de

CCCamp 2019

Created: 2019-08-21 Wed 08:37

Agenda

  • DNS-Privacy
  • DoH/DoT/DoQ
  • The Dilemma
  • Summary

About me?

Carsten Strotmann

dnsworkshop.de

DNS(SEC)/DANE/DHCP/IPv6 trainer and supporter

RIPE/IETF

Privacy in DNS?

  • in recent years, the IETF has expanded the DNS protocol with privacy features
    • DNS-over-TLS (transport encryption between DNS client and DNS resolver)
    • DNS-over-HTTPS (transport encryption between DNS client and DNS resolver)
    • QNAME Minimization (less metadata in DNS)
    • EDNS-Padding (hiding of DNS data in encrypted connections)

The need for more DNS privacy

  • a study presented at IETF 105 during the Applied Networking Research Workshop in July 2019 found that
    • 8.5 % of networks (AS) intercept DNS queries (27.9% in China)
    • (today) most queries are answered un-altered
  • but the situation might change, intercept server might change DNS answers

encrypted transport for DNS

  • Terminology
    • Do53 = DNS-over-Port53 - classic DNS (UDP/TCP port 53)
    • DoT = DNS-over-TLS - TLS as the transport for DNS
    • DoH = DNS-over-HTTPS - HTTPS as the transport for DNS
    • DoQ = DNS-over-QUIC - QUIC as the transport for DNS
    • DoC = DNS-over-Cloud - DNS resolution via cloud services (Google, Q9, Cloudflare …)

Performance of DoT/DoH (1/2)

  • with TLS 1.3 performance of DoT/DoH is quite good
  • with established connections, performance can be similar to DNS-over-UDP due to
    • Pipelining
    • TCP fast open
    • 0-RTT resume
  • on connections with packet loss, DoT/DoH can be faster and more reliable than Do53!
  • not all implementations are fully optimized

Performance of DoT/DoH (2/2)

  • Mozilla found that in lossy networks DoH can be faster and more reliable than Do53
  • The study "Analyzing the Costs (and Benefits) of DNS, DoT, and DoH for the Modern Web" presented at Applied Networking Research Workshop July 2019 confirms that finding

DoT - DNS-over-TLS

DNS-over-TLS (1/3)

dns-over-tls01.png

DNS-over-TLS (2/3)

dns-over-tls02.png

DNS-over-TLS (3/3)

dns-over-tls03.png

DNS-over-TLS modes

  • DNS-over-TLS can be operated in two modes
    • opportunistic - try TLS authentication, but still use server in case authentication fails
    • strict - only use server if there are no errors in the TLS connection

DNS-over-TLS operators

DoH - DNS over HTTP(S)

DoH - DNS-over-HTTPS

dns-over-https.png

DoH timeline

  • IETF 100 - November 2017 - DNS over HTTP(S) (DoH) workinggroup started: https://datatracker.ietf.org/wg/doh/about/
  • IETF 101 - March 2018 - work on DNS Queries over HTTPS finished, start of working group last call (WGLC) in April 2018
  • October 2018 - RFC 8484 published

DNS-over-HTTPS and IDS/Network-filter

Quote from RFC 8484:

Operational Considerations […] Filtering or inspection systems that rely on unsecured transport of DNS will not function in a DNS over HTTPS environment due to the confidentiality and integrity protection provided by TLS.

DoH in Firefox (1/3)

Firefox-61-TRR-Lookups.png

DoH in Firefox (2/3)

  • Firefox Quantum (Screenshot FF 68)

firefox-doh-setting.png

DoH in Firefox (3/3)

  • Mozilla plans to enable DoH in Firefox by default in the future. No date announced.
  • User can select among a list of certified DoH operators per "region"
  • operators of DoH services can apply for privacy certification
  • Mozilla Policy Requirements for DNS over HTTPs Partners: https://wiki.mozilla.org/Security/DOH-resolver-policy

DoH in Google Chrome

DoH operators (Selection)

DoT vs DoH

  • differences between DoT and DoH
    • DoT can be easily blocked, because it is running on an dedicated port (853)
    • DoH is made to look like normal HTTPS traffic, selective blocking of DoH is difficult
    • DoH seems to be easier to implement, because of existing HTTPS library functions in programming languages
    • DoH enables developers to do DNS name resolution on an application level, which some people think is bad

The DoH dilemma

  • to reach the Internet users that are in need of privacy, DoH needs to be enabled by default
    • DoH Server selection can be seen as similar to the CA selections browsers do
  • a fixed selection "per region" will (still) lead to centralization of all DNS queries with a few DNS operators
    • but that might still be the case even without DoH, some countries in Asia send > 90% of DNS queries to DoC (Google)

DoH and DoT Software - only browser?

  • new DNS privacy protocols sparked a large number of new software projects
  • this part of the presentation will look at
    • comparison of the start of new software projects in comparison to the new standards
    • number of projects for DNS-over-HTTPS vs. DNS-over-TLS
    • programming languages used to implement the new protocols

The survey

  • looked at 55 DoT/DoH open source software projects on Github and Gitlab
  • done in May 2019 and June 2019
  • only software products, no composition projects (Docker Container etc)
  • full list: https://doh.defaultroutes.de/implementations.html
  • see presentation at RIPE 78 and recent blog post in the APNIC blog (linked from the page above)

Languages

Projects-by-pgm-language.png

DoT vs DoH

Which protocols are implemented. Some projects implement both:

Projects-by-DNS-privacy-protocol.png

Project start

Year of the first commit, frist release or when DoH/DoT functions were implemented

Project-by-project-start-year.png

Freshness

Activity in the project in the last 6 month?

Project-by-project-activity.png

Applications

  • Firefox
  • Chrome
  • curl
  • Tenta-Browser
  • Bromite

System Resolver

  • systemd-resolved
  • unwind
  • resolver module for Linux glibc

Client-Proxies

  • sdns
  • dnscrypt-proxy2
  • veild
  • stubby
  • unbound
  • cloudflared
  • Dohnut
  • dns-over-https

Server-Proxies

  • rust-doh
  • dnsdist
  • dns-over-https

Server

  • unbound
  • Knot
  • sdns

Whats missing in DoH/DoT software

  • certificate authentication via DANE
  • Wittness function - query multiple provider and compare response data
  • security audits of DoH/DoT software

DNS over QUIC - the future of DNS?

what is QUIC

  • modern TCP replacement from Google, being currently standardized in the IETF
    • based on UDP, implements TCP features
    • implemented as part of the application, not the OS
    • includes TLS 1.3
    • 0-RTT
  • DoQ similar to Do53 (DNS-over-UDP)
  • QUIC IETF WG documents https://tools.ietf.org/wg/quic/

DNS over QUIC

dns-over-quic01.png

DNS over QUIC Comparision

Summary (1/2)

Summary (2/2)

  • what can be done?
    • operate DoH or DoT server (responsibly)
    • hack on DoH/DoT software (security audit, "witness" function)
    • bring DoH/DoT into open source operating systems
    • use DoH/DoT and provide feedback to the projects
    • engage with the IETF
    • deploy DNSSEC

Thank you

Discussion (@Digitalcourage)

Contact: cstrotm@dnsworkshop.de

Links