DNS over HTTPS
Daniel Stenberg
@bagder
Any DNS (over HTTPS) provider
Agenda
The insecure DNS
DNS-over-HTTPS is secure DNS
How to enable DNS-over-HTTPS
The resistance
We’re not done yet!
DNSSEC, DNScrypt and DNS-over-TLS
Common secure-DNS challenges
Imagine you walk into a coffee shop
Or a huge room at a conference offering free wifi
DHCP
Anyone, is there a DNS server around for me??!?!1!!
Sure, send all your requests in clear text to the server over there!
DHCP
Asking for a server
In clear text
Getting a response from an unverified source
In clear text
Suggesting we use another unverified source
To send sensitive data to
In clear text
DNS over UDP (or TCP)
Asking for a name-to-address translation
in clear text
Getting a response from an unverified source
in clear text
That server might ask one or more other servers
in clear text
A lot of clear text
Photo by Antonio Marín Segovia
What’s being done to secure DNS?
DNS over HTTPS
RFC 8484
Never over clear-text HTTP
HTTPS protection
RFC 1035 packets in HTTPS “payloads”
Privacy and security
Needs to be manually configured
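How the two RFCs on this slide fit together, as an added Python example that is not from the slides or from the curl project: an RFC 1035 query is built in wire format, wrapped into the RFC 8484 GET form (base64url, unpadded, in the dns parameter) and POST form, and a constructed application/dns-message response is parsed, compression pointer included. The endpoint doh.example.com/dns-query is an assumed placeholder and the response bytes are constructed, not captured from a real server.

```python
from __future__ import annotations
import base64
import struct
from urllib.parse import urlencode

DOH_URL = "https://doh.example.com/dns-query"  # assumed placeholder endpoint
CONTENT_TYPE = "application/dns-message"       # the media type RFC 8484 requires


def encode_name(name: str) -> bytes:
    """RFC 1035 wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Recursive query (RD bit set) for QTYPE 1 = A, QCLASS 1 = IN.

    Message ID 0 as RFC 8484 recommends, so identical queries produce
    identical HTTP requests and HTTP caching can work.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes) -> str:
    """GET form: base64url without '=' padding in the 'dns' parameter."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_URL}?{urlencode({'dns': token})}"


def doh_post_request(query: bytes) -> dict:
    """POST form: the raw wire-format message is the request body."""
    return {"method": "POST", "url": DOH_URL, "body": query,
            "headers": {"Content-Type": CONTENT_TYPE, "Accept": CONTENT_TYPE}}


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name, following RFC 1035 4.1.4 compression pointers.

    Returns the name and the offset just past it in the original stream.
    """
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # top bits 11: a 14-bit pointer follows
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:  # a hostile message could chain pointers forever
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg: bytes) -> list[tuple[str, int, str]]:
    """Return (owner, ttl, ipv4) for each A record in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE: NXDOMAIN, SERVFAIL, ...
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return answers


# Constructed sample response (not captured from a real server): the echoed
# question plus one A record whose owner is a pointer (0xC00C) to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("daniel.haxx.se") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10])
)
```

For www.example.com the GET form reproduces the dns parameter value printed in RFC 8484's own example, which is a handy check that the packet bytes are right.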
Why HTTPS?
Applications can resolve names easily
Proxy friendly
Hard to block
Easy to implement
Easy connection re-use
HTTPS with HTTP/2 means
✔ Multiplexing
✔ Server push
How to enable DoH
DoH in Firefox
Added in 62/63
Multiple modes
Defaults to “soft-fail”
DoH in curl
$ curl --doh-url https://doh.example.com/ https://daniel.haxx.se/
Shipped in 7.62.0
DoH in libcurl
Shipped in 7.62.0
#include <curl/curl.h>

CURL *curl = curl_easy_init();
CURLcode res;
curl_easy_setopt(curl, CURLOPT_URL, "https://curl.haxx.se/");
/* every name resolve for this transfer goes to the DoH server, over HTTPS */
curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://doh.example.com/");
res = curl_easy_perform(curl);
curl_easy_cleanup(curl);
DoH in Chrome
Code added in the repository
Unknown status
Bromite offers DoH support
Google runs an experimental DoH end-point
DoH in the server
Several public end-points
Google, quad9, Cloudflare, cleanbrowsing, Power-DNS, etc *
Many server implementations *
Proxy options make it easy to run your own
I wrote my toy DoH server in hours
* = https://github.com/curl/curl/wiki/DNS-over-HTTPS
What’s considered less good
DNS over HTTPS – the resistance
A protocol layer violation
DNS centralization is wrong
Cl**dfl**e is evil
GDPR will save all Europeans
HTTPS allows for more user-tracking
DNS over HTTPS – the resistance
User configuration is hard
Admins need to monitor users
Name resolves can’t be unsupervised
“Debugging DNS issues is impossible”
“Split horizon” problems
Bad responses due to wrong geography
We’re not done yet
DoH - areas to explore further
No browser enables it by default
Discovery (draft-hoffman-resolver-associated-doh)
More than one?
Trusted service operators?
“I run a service, ask me about my domains”
HTTP/3 (vs DNS over QUIC)
Some neighboring technologies and why they aren’t enough
DNSSEC
By the IETF in 1999
Prevents fake responses and tampering
Still done over clear text – no privacy protection
Basically never used to the end user
15% of the world’s DNS resolvers verify
Should be used by the resolver you DoH/DoT with
DNScrypt
Traces back to 2008
Not done through IETF
TCP/UDP on port 443
No connection re-use
No multiplexing
“probably the most deployed encrypted DNS protocol
to date”
DNS over TLS
Uses TLS instead of UDP/TCP
RFC 7858 (May 2016)
Secure
Private
- easy to block since it uses a unique port (853)
- typically done opportunistically
- not widely used yet
DoT vs DoH – what you really wanted to know

DoT                          DoH
System configured            User controlled
Controlled server            Secured network path
Trivially blockable          Hard to block
Not multiplexed              Multiplexed (HTTP/2)
Often no connection reuse    Basically always connection reuse
Common secure-DNS challenges
Discovery
Probing
Opportunistic
Blocking forces downgrade
System vs users
DNS privacy panel
DNS room 11:55 Sunday February 3rd
Wrap-up
DoH gives authenticated, secure name resolves
Easy to use
Easy to serve
Offers functionality related tech lacks
It does not imply centralization
Secure DNS is not completely solved yet
Daniel Stenberg
@bagder
https://daniel.haxx.se/
Thank you!
Questions?
