The document discusses the security features and implementation of DNS over HTTPS (DoH), highlighting its advantages over traditional DNS methods that use clear text communication. It covers various aspects such as enabling DoH in different browsers, the challenges related to user configuration, privacy, and centralization of DNS services. Additionally, it addresses other secure DNS protocols like DNS over TLS and their limitations, emphasizing that secure DNS is still an evolving area requiring ongoing exploration.

1. 1
DNS over HTTPS

2. Daniel Stenberg
@bagder

3. Daniel Stenberg
@bagder

4. Daniel Stenberg
@bagder

5. Daniel Stenberg
@bagder

6. Daniel Stenberg
@bagder

7. Daniel Stenberg
@bagder
Any DNS (over
HTTPS) provider

8. AgendaAgenda
The insecure DNSThe insecure DNS
DNS-over-HTTPS is secure DNSDNS-over-HTTPS is secure DNS
How to enable DNS-over-HTTPSHow to enable DNS-over-HTTPS
The resistanceThe resistance
We’re not done yet!We’re not done yet!
DNSSEC, DNScrypt and DNS-over-TLSDNSSEC, DNScrypt and DNS-over-TLS
Common secure-DNS challengesCommon secure-DNS challenges

9. Imagine you walk into a coffee shop
Or a huge room at a conference offering free wifi

10. DHCP
Anyone, is there a DNS server
around for me??!?!1!!
Sure, send all your
requests in clear text to
the server over there!

11. DHCP
Asking for a serverAsking for a server
In clear textIn clear text
Getting a response from an unverified sourceGetting a response from an unverified source
In clear textIn clear text
Suggesting we use another unverified sourceSuggesting we use another unverified source
To send sensitive data toTo send sensitive data to
In clear textIn clear text

12. DNS over UDP (or TCP)DNS over UDP (or TCP)
Asking for an name-to-address translation
in clear text
Getting a response from an unverified source
in clear text
That server might ask one or more other servers
in clear text

13. A lot of clear text

14. PhotobyAntonioMarínSegovia

15. What’s being done to secure DNS?

16. DNS over HTTPS
RFC 8484
Never over clear-text HTTP
HTTPS protection
RFC 1035 packets in HTTPS “payloads”
Privacy and security
Needs to be manually configured

17. Why HTTPS?
Applications can resolve names easily
Proxy friendly
Hard to block
Easy to implement
Easy connection re-use
HTTPS with HTTP/2 means
✔
Multiplexing
✔
Server push

18. How to enable DoH

19. DoH in Firefox
Added in 62/63
Multiple modes
Defaults to “soft-fail”

21. DoH in curl
$ curl --doh-url https://doh.example.com/
https://daniel.haxx.se/
Shipped in 7.62.0

22. DoH in libcurl
Shipped in 7.62.0
curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL,
"https://curl.haxx.se/");
curl_easy_setopt(curl, CURLOPT_DOH_URL,
"https://doh.example.com/");
res = curl_easy_perform(curl);

23. DoH in Chrome
Code added in the repository
Unknown status
Bromite offers DoH support
Google runs an experimental DoH end-point

24. DoH in the server
Several public end-points
Google, quad9, Cloudflare, cleanbrowsing, Power-DNS, etc *
Many server implementations *
Proxy options makes it easy to run your own
I wrote my toy DoH server in hours
* = https://github.com/curl/curl/wiki/DNS-over-HTTPS

25. What’s considered less good

26. DNS over HTTPS – the resistance
A protocol layer violationA protocol layer violation
DNS centralization is wrongDNS centralization is wrong
Cl**dfl**e is evilCl**dfl**e is evil
GDPR will save all EuropeansGDPR will save all Europeans
HTTPS allows for more user-trackingHTTPS allows for more user-tracking

27. DNS over HTTPS – the resistance
User configuration is hardUser configuration is hard
Admins need to monitor usersAdmins need to monitor users
Name resolves can’t be unsupervisedName resolves can’t be unsupervised
““Debugging DNS issues is impossible”Debugging DNS issues is impossible”
““Split horizon” problemsSplit horizon” problems
Bad responses due to wrong geographyBad responses due to wrong geography

28. We’re not done yet

29. DoH - areas to explore further
No browser enables it by default
Discovery (draft-hoffman-resolver-
associated-doh)
More than one?
Trusted service operators?
“I run a service, ask me about my domains”
HTTP/3 (vs DNS over QUIC)

30. Some neighboring technologies and why they aren’t enough

31. ﾧﾧ
DNSSEC
By the IETF in 1999
Prevents fake responses and tampering
Still done over clear text – no privacy protection
Basically never used to the end user
15% of the world’s DNS resolvers verify
Should be used by the resolver you DoH/DoT
with

32. DNScryptDNScrypt
Traces back to 2008
Not done through IETF
TCP/UDP on port 443
No connection re-use
No multiplexing
“probably the most deployed encrypted DNS protocol
to date”

33. DNS over TLS
Uses TLS instead of UDP/TCP
RFC 7858 (May 2016)
Secure
Private
- easy to block since it uses a unique port (853)
- typically done opportunistically
- not widely used yet

34. DoT vs DoH – what you really wanted to know
System configured
Controlled server
Trivially blockable
Not multiplexed
Often no connection reuse
DoTDoT DoHDoH
User controlled
Secured network path
Hard to block
Multiplexed (HTTP/2)
Basically always connection reuse

35. Common secure-DNS challenges
Discovery
Probing
Opportunistic
Blocking forces downgrade
System vs users

36. DNS privacy panel
DNS room 11:55 Sunday February 3rd

37. Wrap-up
DoH is authenticated secure name resolves
Easy to use
Easy to serve
Offers functionality related tech lacks
It does not imply centralization
Secure DNS is not completely solved yet

38. Daniel Stenberg
@bagder
https://daniel.haxx.se/
Thank you!Thank you!
Questions?Questions?