Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Quad9 and DNS Privacy

100 views

Published on

Presentació a càrrec de de Gaël Hernández, gerent sènior de Packet Clearing House (PCH), duta a terme al CSUC prèviament a la celebració de reunió de la Comissió Tècnica del CATNIX el 23 de novembre de 2018.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Quad9 and DNS Privacy

  1. 1. Quad9 and DNS Privacy CATNIX Barcelona, 23 Noviembre 2018 Gael Hernandez Interconnection Policy at PCH gael@pch.net
  2. 2. What’s the DNS? The Domain Name System (DNS) is the “phone book” of the Internet. It translates domain names like www.example.org into Internet Protocol addresses, like 192.0.2.89.
  3. 3. How the system works ? 3 recursive resolverEnd User www.example.net root nameserver www.example.net ns: a.gtld-servers.net .net nameserver www.example.net example.net nameserver www.example.net 93.184.216.3 web server 93.184.216.34 https 93.184.216.34
  4. 4. How the system works ? 4 recursive resolverEnd User www.example.net root nameserver www.example.net ns: a.gtld-servers.net .net nameserver www.example.net example.net nameserver www.example.net 93.184.216.3 web server 93.184.216.34 https 93.184.216.34 1 2 4 7 8 9 5 6
  5. 5. recursive resolver .org nameserver root nameserver 5 example.net nameserver What are the Problems with this System? ?
  6. 6. .org nameserver root nameserver 6 example.org nameserver So What are the Problems with this System? recursive resolver www.example.org
  7. 7. .org nameserver root nameserver 7 example.org nameserver So What are the Problems with this System? recursive resolver €€€€PII = PII constitutes a rich “click trail” of information about the user’s browsing history, email, all of the software on their computer that’s checking for updates, and all of the malicious software that’s infected their machine. www.example.org
  8. 8. .org nameserver root nameserver 8 example.org nameserver So What are the Problems with this System? recursive resolver Even when users are already using recursive resolvers that are broadly anycast, the failure of a local node often results in users’ queries being backhauled to other continents. www.example.org X
  9. 9. .org nameserver root nameserver 9 example.org nameserver So What are the Problems with this System? recursive resolver The maximum performance a user can receive is limited by the distance between the user and the recursive resolver: the further away, the slower the user’s performance will be. www.example.org
  10. 10. recursive resolver .org nameserver root nameserver 10 example.org nameserver So What are the Problems with this System? When a recursive resolver has a “cache miss” performance takes another huge hit as the resolver begins querying authoritative servers that are far away and potentially slow to respond. Many commercial recursive resolver operators intentionally pass user IP address information onward to authoritative server operators. www.example.org
  11. 11. recursive resolver .org nameserver root nameserver 11 example.org nameserver So What are the Problems with this System? As the recursive resolver continues to query authoritative servers, the performance degrades still further. www.example.org Any authoritative nameserver in the recursion chain which fails to provide cryptographic authentication of the DNS data (DNSSEC) precludes the authentication of any domain names further downstream.
  12. 12. www.example.org recursive resolver .net nameserver root nameserver 12 example.org nameserver So What are the Problems with this System? Every additional authoritative server in the chain is another potential weak link which could be compromised and caused to provide malicious data to the end user. Attacks against authoritative servers can leave recursive resolvers unable to obtain answers on users’ behalf.
  13. 13. recursive resolver .net nameserver root nameserver 13 example.org nameserver So What are the Problems with this System? Recursive resolvers leak far more information to authoritative servers than is necessary to answer queries. In this example, a query to a Root nameserver need not include the “www.example” portion of the domain name. www.example.org Many authoritative nameserver operators monetise click-trail information by collecting and selling recordings of network traffic collected between the recursive servers and their authoritative servers.
  14. 14. Quad9: Collaboration Between Internet Industry Leaders
  15. 15. Quad9: A DNS Public Recursive Resolver ▪ Global open recursive DNS platform ▪ Populated by data crowd- sourced from the security industry ▪ Strong privacy controls built in (not even we know the source of requests) ▪ Core/root DNS level reliability on infrastructure ▪ NO INDIVIDUAL REPORTING OF BLOCKS! 15
  16. 16. .org nameserver root nameserver 16 example.org nameserver How does Quad9 protect you? Quad9 recursive resolver www.example.org PII
  17. 17. .org nameserver root nameserver 17 example.org nameserver How does Quad9 protect you? Quad9 recursive resolver www.example.org DNS-over-TLS (since launch) DNSCrypt (July 2018) DNS-over-HTTP (in beta)
  18. 18. www.example.org .org nameserver root nameserver 18 example.org nameserver How does Quad9 protect you? Quad9 recursive resolver PCH DNS Node
  19. 19. 19 How does Quad9 protect you? Quad9 recursive resolver www.random_malware.example www.random_malware.example on average Quad9 “blocks” over 8 million malware requests daily NXDOMAIN
  20. 20. !20 END USER PROTECTION ▪ Reduction of malicious events: the accidental turn-off of Quad9 increased in 2200% the malicious events. In other words, Quad9 reduced the events those events in 95.5%
  21. 21. !21 Quad9 Architecture ▪ Cisco UCS servers with VM support. ▪ 3 DNS resolvers and 1 telemetry instance per node ▪ Load balancing with dnsdist ▪ DNS redundancy: PowerDNS and Unbound ▪ Root and TLD DNS “back-to-back” in the same physical installation ▪ Routing using Quad9’s own ASN (AS19281) and via PCH’s ASN (AS42) ▪ Peering connections of 10/1Gbps depending on the size of the node
  22. 22. !22 Matriz de sabores Quad9 ▪ Por defecto: 9.9.9.9 o 2620:fe::fe ▪ Sin bloqueo (insegura): 9.9.9.10 o 2620:fe::ff ▪ CDN-Friendly: 9.9.9.11 (todavia no esta operacional) ▪ IoT-Friendly: 9.9.9.12 (todavia no esta operacional) Name | IP | Blocklist | NXDOMAIN only | Send EDNS Subnet | DNSSEC Validation Default 9.9.9.9 x x Non-secure 9.9.9.10 x CDN-Friendly 9.9.9.11 x x x IOT-Friendly 9.9.9.12 x x x
  23. 23. !23 162 ubicaciones de IX en 79 países (Noviembre 2018) Quad9 Deployments
  24. 24. !24 Quad9 recent and future deployments in Europe ▪ Albania: Albanian Neutral Internet Exchange, Tirana (2019) ▪ France: France-IX Paris*, Equinix Paris* (in November), France-IX Marseille and DE-CIX Marseille. ▪ Germany: DE-CIX Frankfurt*, DE-CIX Dusseldorf, DE-CIX Munich, DE-CIX Hamburg and Wuppertal (UP-IXP). ▪ Netherlands: AMS-IX Amsterdam* ▪ Portugal: GigaPIX Lisbon (October) ▪ Serbia: Serbian Open Exchange (SOX) (December) ▪ Spain: DE-CIX Madrid and CATNIX Barcelona (October) ▪ Switzerland: RomandIX Laussane (November) * = Dedicated Quad9 servers
  25. 25. !25 Ya estamos en CATNIX
  26. 26. !26 CURRENT LINES OF WORK ▪ Collaboration with IoT device manufacturers ▪ Routing optimisation to improve traffic delivery and latency with new deployments, including at ISPs own network ▪ Addition of specialised thread-intelligence data to the block list: ▪ Financial services providers and cryptocurrency domain attack data ▪ Specific API-based service attack data ▪ Mobile device platforms at high risk ▪ Implementation of DNS-over-TLS on Android’s source code ▪ Implementation of ECDN Client Subnet (ECS) to mitigate potential issues with highly distributed CDNs ▪ In the meanwhile, mapping of Quad9 nodes with CDNs
  27. 27. 2620:fe::fe www.quad9.net 9.9.9.9 Gracias CATNIX!

×