DNS over HTTPS - the good, the bad and the ugly. A presentation held at FOSDEM 2019 by Daniel Stenberg

  1. DNS over HTTPS
  2. Daniel Stenberg @bagder
  7. Daniel Stenberg @bagder: Any DNS (over HTTPS) provider
  8. Agenda
     - The insecure DNS
     - DNS-over-HTTPS is secure DNS
     - How to enable DNS-over-HTTPS
     - The resistance
     - We’re not done yet!
     - DNSSEC, DNScrypt and DNS-over-TLS
     - Common secure-DNS challenges
  9. Imagine you walk into a coffee shop. Or a huge room at a conference offering free wifi.
  10. DHCP: “Anyone, is there a DNS server around for me??!?!1!!” “Sure, send all your requests in clear text to the server over there!”
  11. DHCP
     - Asking for a server, in clear text
     - Getting a response from an unverified source, in clear text
     - Suggesting we use another unverified source to send sensitive data to, in clear text
  12. DNS over UDP (or TCP)
     - Asking for a name-to-address translation in clear text
     - Getting a response from an unverified source in clear text
     - That server might ask one or more other servers in clear text
  13. A lot of clear text
  14. Photo by Antonio Marín Segovia
  15. What’s being done to secure DNS?
  16. DNS over HTTPS
     - RFC 8484
     - Never over clear-text HTTP
     - HTTPS protection
     - RFC 1035 packets in HTTPS “payloads”
     - Privacy and security
     - Needs to be manually configured
  17. Why HTTPS?
     - Applications can resolve names easily
     - Proxy friendly
     - Hard to block
     - Easy to implement
     - Easy connection re-use
     - HTTPS with HTTP/2 means ✔ Multiplexing ✔ Server push
  18. How to enable DoH
  19. DoH in Firefox
     - Added in 62/63
     - Multiple modes
     - Defaults to “soft-fail”
  20. DoH in curl: `$ curl --doh-url`, shipped in 7.62.0
  21. DoH in libcurl, shipped in 7.62.0. The slide’s fragment, with the header, declarations and cleanup it needs to compile; both URLs are placeholders, since the slide’s values were not preserved in the export:

```c
#include <curl/curl.h>

CURL *curl = curl_easy_init();
CURLcode res;
/* the resource to fetch (placeholder URL) */
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
/* resolve host names through this DoH end-point instead of the system resolver (placeholder URL) */
curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://doh.example/dns-query");
res = curl_easy_perform(curl);
curl_easy_cleanup(curl);
```
  22. DoH in Chrome
     - Code added in the repository
     - Unknown status
     - Bromite offers DoH support
     - Google runs an experimental DoH end-point
  23. DoH in the server
     - Several public end-points: Google, quad9, Cloudflare, cleanbrowsing, PowerDNS, etc.
     - Many server implementations
     - Proxy options make it easy to run your own
     - I wrote my toy DoH server in hours
  24. What’s considered less good
  25. DNS over HTTPS – the resistance
     - A protocol layer violation
     - DNS centralization is wrong
     - Cl**dfl**e is evil
     - GDPR will save all Europeans
     - HTTPS allows for more user-tracking
  26. DNS over HTTPS – the resistance
     - User configuration is hard
     - Admins need to monitor users
     - Name resolves can’t be unsupervised
     - “Debugging DNS issues is impossible”
     - “Split horizon” problems
     - Bad responses due to wrong geography
  27. We’re not done yet
  28. DoH - areas to explore further
     - No browser enables it by default
     - Discovery (draft-hoffman-resolver-associated-doh)
     - More than one?
     - Trusted service operators?
     - “I run a service, ask me about my domains”
     - HTTP/3 (vs DNS over QUIC)
  29. Some neighboring technologies and why they aren’t enough
  30. DNSSEC
     - By the IETF in 1999
     - Prevents fake responses and tampering
     - Still done over clear text – no privacy protection
     - Basically never used to the end user
     - 15% of the world’s DNS resolvers verify
     - Should be used by the resolver you DoH/DoT with
  31. DNScrypt
     - Traces back to 2008
     - Not done through IETF
     - TCP/UDP on port 443
     - No connection re-use
     - No multiplexing
     - “probably the most deployed encrypted DNS protocol to date”
  32. DNS over TLS
     - Uses TLS instead of UDP/TCP
     - RFC 7858 (May 2016)
     - Secure
     - Private
     - easy to block since it uses a unique port (853)
     - typically done opportunistically
     - not widely used yet
  33. DoT vs DoH – what you really wanted to know

     | DoT | DoH |
     |---|---|
     | System configured | User controlled |
     | Controlled server | Secured network path |
     | Trivially blockable | Hard to block |
     | Not multiplexed | Multiplexed (HTTP/2) |
     | Often no connection reuse | Basically always connection reuse |

  34. Common secure-DNS challenges
     - Discovery
     - Probing
     - Opportunistic
     - Blocking forces downgrade
     - System vs users
  35. DNS privacy panel: DNS room, 11:55 Sunday February 3rd
  36. Wrap-up
     - DoH is authenticated secure name resolves
     - Easy to use
     - Easy to serve
     - Offers functionality related tech lacks
     - It does not imply centralization
     - Secure DNS is not completely solved yet
  37. Daniel Stenberg @bagder: Thank you! Questions?
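As an added example (not part of the slides), the “RFC 1035 packets in HTTPS payloads” point from slide 16 worked through: build a wire-format DNS query, wrap it the way RFC 8484 specifies for the GET form (base64url in the `dns` parameter, padding stripped) and parse a response, including name compression. The response bytes are constructed for the example, and the end-point `https://doh.example/dns-query` used with it is a placeholder.

```python
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type (Accept / POST body)

def build_query(name, qtype=1):
    """RFC 1035 wire-format query; ID 0 as RFC 8484 recommends (cache-friendly)."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(endpoint, wire):
    """GET form: base64url of the packet, '=' padding stripped, in the 'dns' parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_response(msg):
    """Return (RCODE, [(name, type, ttl, rdata)]) from an RFC 1035 response packet."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):  # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0xF, answers
# Constructed sample response (not a real lookup): example.com A 192.0.2.1, TTL 300
SAMPLE_RESPONSE = (bytes.fromhex("000081800001000100000000")
                   + b"\x07example\x03com\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c\x00\x01\x00\x01" + struct.pack(">IH", 300, 4)
                   + bytes([192, 0, 2, 1]))
```

For the POST form the same bytes go unencoded in the request body with `Content-Type: application/dns-message`; either way the packet travels inside TLS, which is the whole point of slide 16.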