How to upgrade existing DNS Resolver

Carsten Strotmann, sys4.de

eco/CENTR Webinar February 2020

Created: 2021-02-08 Mon 12:39

Agenda

  • DNS-Privacy
  • What is DoH/DoT?
  • The current status
  • Enabling DoT/DoH on an existing DNS resolver with dnsdist

About me?

Carsten Strotmann (email: cs@sys4.de)

DNS(SEC)/DANE/DHCP/IPv6 trainer and supporter

RIPE/IETF

Privacy in DNS?

  • in recent years, the IETF has expanded the DNS protocol with privacy features
    • DNS-over-TLS (Transport-Encryption between DNS client and DNS resolver)
    • DNS-over-HTTPS (Transport-Encryption between DNS client and DNS resolver)
    • QNAME Minimization (less meta data in DNS)
    • EDNS-Padding (hiding of DNS data in encrypted connections)

The need for more DNS privacy

  • a study presented at IETF 105 during the Applied Networking Research Workshop in July 2019 found that
    • 8.5 % of networks (AS) intercept DNS queries (27.9 % in China)
    • (today) most intercepted queries are still answered unaltered
  • but the situation might change: an intercepting server could start altering DNS answers

DoT - DNS-over-TLS

DoH - DNS over HTTP(S)

  • RFC 8484 DNS Queries over HTTPS (DoH) (P. Hoffman, ICANN and P. McManus, Mozilla) https://tools.ietf.org/html/rfc8484
  • DNS wire-format messages carried in HTTP over HTTPS over TCP, port 443 (HTTP/2)
  • URL: https://server/dns-query?dns
  • Encryption, Authentication and Cloaking

DoT vs DoH

  • differences between DoT and DoH
    • DoT can easily be blocked, because it runs on a dedicated port (853)
    • DoH is designed to look like normal HTTPS traffic, so selective blocking of DoH is difficult
    • DoH seems to be easier to implement, because of the existing HTTPS library functions in programming languages
    • DoH enables developers to do DNS name resolution at the application level, which some people consider a bad thing

Current DoT/DoH status

Firefox Browser

  • Firefox Trusted Recursive/Remote Resolver (TRR) Program
    • Cloudflare (default) or NextDNS
    • Comcast XFinity (coming)
    • automatic roll-out started in February 2020

Chrome(ium) Browser

  • DoH is implemented and can be enabled by the user
    • Google Chrome
    • Opera
    • Vivaldi
    • Brave
    • Microsoft Edge
    • Bromite
  • DoH "auto upgrade" for the configured DNS resolver (manually configured or DHCP/RA supplied)
  • Google is experimenting with adaptive DoH-Resolver-Discovery via DNS

Safari Browser (iOS, iPadOS, MacOS)

  • support for DoH and DoT is coming with iOS 14 and MacOS 11 'Big Sur'
  • possibly also support for Adaptive DNS resolver discovery

Android

  • DoT available from Android 9 "Pie"
  • manual setting
  • "auto upgrade" from the configured DNS resolver, or Google DNS as fallback

Apple MacOS 11 and iOS/iPadOS 14

  • support for DoT and DoH
  • global and per App/Application resolver selection possible
  • "encrypted DNS" configuration apps are possible; the user chooses a provider by installing its app
  • OS can learn "per Domain" DoH/DoT setting via DNS or HTTP (Adaptive DNS-over-HTTPS)
  • OS can discover DoH/DoT Server via DHCP/PvD (Provisioning Domains) or queries to resolver.arpa via classic DNS53
  • Discovery methods in active discussion in the IETF ADD working group

Microsoft Windows 10

  • support in the latest "Insider" builds of Windows 10
  • users can enable DoH via a registry key
  • uses the configured DNS resolver in the network stack (aka "auto update" to DoH)

Linux

  • DoT support in systemd-resolved for some time
  • opportunistic mode only (automatic fallback to DNS53)
  • no server authentication (MITM possible)
  • global or "per interface" setting
  • not enabled by default

OpenBSD

  • DoT support in unwind
  • not enabled by default
  • opportunistic "auto update" mode or manually configured "strict" mode
  • server authentication via TLS certificate

Enabling DoH and/or DoT for an existing DNS resolver

Deployment of a DoH/DoT proxy (1/2)

eco-doh-dot-proxy-01.png

Deployment of a DoH/DoT proxy (2/2)

eco-doh-dot-proxy-02.png

Why a DoH/DoT proxy?

  • easy deployment
  • existing DNS resolver infrastructure does not need to be touched
  • scaling through separate hardware/server instances
  • hardware TLS acceleration possible (in commercial offerings)

Why not use a DoH/DoT proxy?

  • additional complexity
  • additional latency / less performance
  • more on the pros and cons in the upcoming presentation by Tomas Krizek

Hands-On - Deploying a DoH/DoT Proxy with DNSdist

Instructions

  • Instructions on https://doh.defaultroutes.de/eco-workshop/
  • Every participant gets a virtual machine (see table on the instruction page)
  • Replace every occurrence of "XX" in the instruction with your participant number
  • Use the chat if you have questions
  • Raise your hand in the conferencing tool to indicate you're finished with the setup
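A minimal dnsdist configuration of the kind this hands-on sets up, given here as an added example rather than the workshop's own instruction text: it puts a DoT and a DoH frontend in front of an untouched DNS53 resolver. The resolver address 192.0.2.53, the proxy name doh.example.net, the client test address 203.0.113.10 and the certificate paths are assumptions for the example.

```lua
-- /etc/dnsdist/dnsdist.conf (added example, not from the workshop page)
-- Assumptions (constructed for this example): the existing DNS53 resolver is
-- 192.0.2.53, the proxy is reachable as doh.example.net, and a certificate for
-- that name is in /etc/dnsdist/fullchain.pem with its key in /etc/dnsdist/privkey.pem.
-- Needs dnsdist 1.4 or later, built with DoT and DoH support.

-- The existing resolver stays untouched; dnsdist forwards every query to it over DNS53.
newServer({address="192.0.2.53:53", name="existing-resolver"})

-- dnsdist's default ACL only admits RFC 1918 and loopback clients. A public
-- DoT/DoH endpoint must open it explicitly, otherwise every query is refused.
setACL({"0.0.0.0/0", "::/0"})

-- TLS options shared by both frontends: refuse TLS 1.0 and 1.1.
local tlsopts = {minTLSVersion="tls1.2", reusePort=true}

-- DNS-over-TLS frontend (RFC 7858) on the dedicated port 853.
addTLSLocal("0.0.0.0:853", "/etc/dnsdist/fullchain.pem", "/etc/dnsdist/privkey.pem", tlsopts)
addTLSLocal("[::]:853", "/etc/dnsdist/fullchain.pem", "/etc/dnsdist/privkey.pem", tlsopts)

-- DNS-over-HTTPS frontend (RFC 8484) on 443, serving the /dns-query path from the slides.
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/fullchain.pem", "/etc/dnsdist/privkey.pem", {"/dns-query"}, tlsopts)
addDOHLocal("[::]:443", "/etc/dnsdist/fullchain.pem", "/etc/dnsdist/privkey.pem", {"/dns-query"}, tlsopts)

-- With the ACL open to the world, cap the per-client query rate so that a
-- single source cannot flood the backend resolver through the proxy.
addAction(MaxQPSIPRule(100), DropAction())

-- A small packet cache absorbs repeated queries before they reach the resolver.
local pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60})
getPool(""):setCache(pc)

-- Verify from a client with Knot's kdig (the +tls-ca option makes the client
-- validate the server certificate, i.e. a strict rather than opportunistic check):
--   kdig +tls-ca +tls-hostname=doh.example.net @203.0.113.10 example.org A
--   kdig +https @203.0.113.10 example.org A
```

Clients that fall back to DNS53 on failure (opportunistic mode) will silently lose the encryption if port 853 or 443 is unreachable, so check both frontends from outside the network after deployment.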

Thank you

Questions

Contact: cs@sys4.de