DNS over HTTPS
Daniel Stenberg
@bagder
Any DNS (over HTTPS) provider
Agenda
The insecure DNS
DNS-over-HTTPS is secure DNS
How to enable DNS-over-HTTPS
The resistance
We’re not done yet!
DNSSEC, DNScrypt and DNS-over-TLS
Common secure-DNS challenges
Imagine you walk into a coffee shop
Or a huge room at a conference offering free wifi
DHCP
Anyone, is there a DNS server around for me??!?!1!!
Sure, send all your requests in clear text to the server over there!
DHCP
Asking for a server
In clear text
Getting a response from an unverified source
In clear text
Suggesting we use another unverified source
To send sensitive data to
In clear text
DNS over UDP (or TCP)
Asking for a name-to-address translation in clear text
Getting a response from an unverified source in clear text
That server might ask one or more other servers in clear text
A lot of clear text
Photo by Antonio Marín Segovia
What’s being done to secure DNS?
DNS over HTTPS
RFC 8484
Never over clear-text HTTP
HTTPS protection
RFC 1035 packets in HTTPS “payloads”
Privacy and security
Needs to be manually configured
Why HTTPS?
Applications can resolve names easily
Proxy friendly
Hard to block
Easy to implement
Easy connection re-use
HTTPS with HTTP/2 means
✔ Multiplexing
✔ Server push
How to enable DoH
DoH in Firefox
Added in 62/63
Multiple modes
Defaults to “soft-fail”
DoH in curl
$ curl --doh-url https://doh.example.com/ https://daniel.haxx.se/
Shipped in 7.62.0
DoH in libcurl
Shipped in 7.62.0
#include <curl/curl.h>

CURL *curl = curl_easy_init();
if(curl) {
  CURLcode res;
  curl_easy_setopt(curl, CURLOPT_URL, "https://curl.haxx.se/");
  /* resolve the host name through this DoH server instead of the system resolver */
  curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://doh.example.com/");
  res = curl_easy_perform(curl);
  curl_easy_cleanup(curl);
}
DoH in Chrome
Code added in the repository
Unknown status
Bromite offers DoH support
Google runs an experimental DoH end-point
DoH in the server
Several public end-points
Google, quad9, Cloudflare, cleanbrowsing, Power-DNS, etc *
Many server implementations *
Proxy options make it easy to run your own
I wrote my toy DoH server in hours
* = https://github.com/curl/curl/wiki/DNS-over-HTTPS
What’s considered less good
DNS over HTTPS – the resistance
A protocol layer violation
DNS centralization is wrong
Cl**dfl**e is evil
GDPR will save all Europeans
HTTPS allows for more user-tracking
DNS over HTTPS – the resistance
User configuration is hard
Admins need to monitor users
Name resolves can’t be unsupervised
“Debugging DNS issues is impossible”
“Split horizon” problems
Bad responses due to wrong geography
We’re not done yet
DoH - areas to explore further
No browser enables it by default
Discovery (draft-hoffman-resolver-associated-doh)
More than one?
Trusted service operators?
“I run a service, ask me about my domains”
HTTP/3 (vs DNS over QUIC)
Some neighboring technologies and why they aren’t enough
DNSSEC
By the IETF in 1999
Prevents fake responses and tampering
Still done over clear text – no privacy protection
Basically never used to the end user
15% of the world’s DNS resolvers verify
Should be used by the resolver you DoH/DoT with
DNScrypt
Traces back to 2008
Not done through IETF
TCP/UDP on port 443
No connection re-use
No multiplexing
“probably the most deployed encrypted DNS protocol to date”
DNS over TLS
Uses TLS instead of UDP/TCP
RFC 7858 (May 2016)
Secure
Private
- easy to block since it uses a unique port (853)
- typically done opportunistically
- not widely used yet
DoT vs DoH – what you really wanted to know

DoT                          DoH
System configured            User controlled
Controlled server            Secured network path
Trivially blockable          Hard to block
Not multiplexed              Multiplexed (HTTP/2)
Often no connection reuse    Basically always connection reuse
Common secure-DNS challenges
Discovery
Probing
Opportunistic
Blocking forces downgrade
System vs users
DNS privacy panel
DNS room 11:55 Sunday February 3rd
Wrap-up
DoH is authenticated secure name resolves
Easy to use
Easy to serve
Offers functionality related tech lacks
It does not imply centralization
Secure DNS is not completely solved yet
Daniel Stenberg
@bagder
https://daniel.haxx.se/
Thank you!
Questions?