SlideShare a Scribd company logo

Encrypted DNS - DNS over TLS / DNS over HTTPS

A
Alex Mayrhofer

Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models. This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.

Internet
1 of 38
Download to read offline
1 · www.nic.at DNSheads Vienna #5 · public Briefing „Encrypted DNS“ DNS over TLS / DNS over HTTPS DNSheads Vienna #5 · public 2019-01-30 · Alex Mayrhofer · Head of Research & Development
2 · www.nic.at DNSheads Vienna #5 · public Background Why DNS encryption was developed
3 · www.nic.at DNSheads Vienna #5 · public The DNS anno circa 2012 • Sensational Success Story  Age 25, and practically unmodified • Today: „Nothing goes“ without DNS • Clear text. Everything  „DNS is public anyways?“ • 99% UDP, 1% TCP „fallback“  Worst TCP support ever! • DNSSEC? Makes everything secure, doesn‘t it !!?!  Does only „sign“, not „encrypt“ • 2013: Snowden revelations  NSA: „Clear text PII data … mmmmm…“  IETF: „Ohh sheesh – we didn‘t expect *that* scale!“ Photo by Simone Acquaroli on Unsplash
4 · www.nic.at DNSheads Vienna #5 · public „Pervasive Monitoring is an Attack“ • RFC 7258 – „Pervasive Monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible“ • Consequence: Review of all important procotols • DNS – there‘s not even a standardized *option* for encryption • Worse – contains „privacy defeating“ mechanism  Unneccessarily transmits full QNAME in many cases  EDNS(0) Client Subnet • Leak of Meta-Data & Fingerprinting  Re-identification of individuals across networks But, but… ohhhhh… Photo by Kote Puerto on Unsplash
5 · www.nic.at DNSheads Vienna #5 · public „We need encryption“ But where to start?
6 · www.nic.at DNSheads Vienna #5 · public The DNS Protocol arena „Recursive DNS Server“ „Authoritative DNS Server“
7 · www.nic.at DNSheads Vienna #5 · public IETF DPRIVE* („PRIVate Exchange“) • 2014: „Let‘s deal with the stub resolver to recursor leg“  Most significant information leakage  1:few Relation – Authentication simple  „Don‘t attempt to boil the ocean“ • 2018: Re-Chartering: Includes „recursive to authoritative“  More complex: m:n connections (Authentication!)  Milestone for end of 2019 *https://datatracker.ietf.org/wg/dprive/about/
8 · www.nic.at DNSheads Vienna #5 · public DNS over (D)TLS IETF: DPRIVE / DNSOP / (TLS)
9 · www.nic.at DNSheads Vienna #5 · public Liste of relevant RFCs • RFC 7626 – DNS Privacy Considerations (DPRIVE) • RFC 7766 – TCP Transport for DNS (DNSOP) • RFC 7816 – QNAME Minimization (DNSOP) • RFC 7828 – EDNS keepalive (DNSOP) • RFC 7858 – DNS over TLS (DPRIVE) • RFC 8094 – DNS over DTLS (DPRIVE) • RFC 7830 (+RFC 8467) – DNS Padding (DPRIVE) • RFC 8310 – Usage Profiles • RFC 8446 – TLS 1.3 (TLS)
10 · www.nic.at DNSheads Vienna #5 · public RFC 7626 – DNS Privacy Considerations • Privacy aspects / issues in areas of the DNS:  In the DNS message (Query Name, IP Adresse)  On the server  On the Wire  Re-Identification based on patterns • Kills the „DNS is public anyways!“ argument  Website of „Alcoholics Anonymous“ is public  The fact that someone visits that website regularly is definitely privacy relevant! • Practical example (similar..)  drugstoremorningafterpillvienna16.at  (Browser search requests leaking to the DNS?)
11 · www.nic.at DNSheads Vienna #5 · public RFC 7766 – TCP Transport for DNS • Goal: Establish DNS over TCP als „first class citizen“ • Features  Persistent connections (Client supposed to close connections)  Connection re-use  Pipelining  Response Reordering  TCP Fast Open  Similar: „Happy Eyeballs“
12 · www.nic.at DNSheads Vienna #5 · public RFC 7816 – QNAME Minimization
13 · www.nic.at DNSheads Vienna #5 · public RFC 7828 – EDNS keepalive • EDNS Option for Session Management • For TCP only! • Clients: „Please leave connection open for X seconds“ • Server: „Ok, leave it open for X seconds“ or „Please close connection now!“
14 · www.nic.at DNSheads Vienna #5 · public RFC 7858 – DNS over TLS (DoT) • New Port 853 / TCP • „On the wire“ protocol is unmodified • Authentification: Certificates usw? -> RFC 8310  „Opportunistic“ vs. „Strict“  Chicken/Egg -> Bootstrapping des DoT Servers wie? • Does not change the „path“ of the DNS message  Existing Recursive Nameserver can simply offer an additional, encrypted channel
15 · www.nic.at DNSheads Vienna #5 · public RFC 8094 – DNS over DTLS • Port 853 / UDP • „Same Same but Different“ • Experimental!  Issues with fragmentation  DTLS is not widely implemented • Performance advantage of UDP?  Mostly because TCP implementation used to be so „lousy“.
16 · www.nic.at DNSheads Vienna #5 · public EDNS(0) Padding It‘s required for privacy – but, why?
17 · www.nic.at DNSheads Vienna #5 · public EDNS(0) Padding – why? • Encryption removes „direct“ access to the information  What‘s left for the Attacker? • „Pretty Bad Privacy – Pitfalls of DNS Encryption“*  Haya Shulman @ IETF 93  Applied Networking Research Price – IRTF • Side Channel information is key!  Countermeasures *https://www.ietf.org/proceedings/93/slides/slides-93-irtfopen-1.pdf
18 · www.nic.at DNSheads Vienna #5 · public Application Queries – it‘s a stream • A Pattern - Not just a single query/response pair
19 · www.nic.at DNSheads Vienna #5 · public Encrypted DNS • Streams still create size/timing „patterns“
20 · www.nic.at DNSheads Vienna #5 · public Size based Correlation • Compare with known clear text patterns • Even works with a subset of message sizes
21 · www.nic.at DNSheads Vienna #5 · public Introducing Padding • Obfuscates the size pattern -> Hampers correlation • More „hits“ -> less likely that identification is possible
22 · www.nic.at DNSheads Vienna #5 · public RFC 7830 – EDNS(0) Padding Option • EDNS Option code 12 https://tools.ietf.org/html/rfc7830
23 · www.nic.at DNSheads Vienna #5 · public DNS over HTTPS An alternative encryption scheme, driven by browser vendors
24 · www.nic.at DNSheads Vienna #5 · public Motivation – Browser Vendors • (a) Browsers do a lot of DNS these days  Websites + assets (JS, Ads, Statistics…), CDNs  Certificate Validation (OCSP), SafeBrowsing lists, updates, …  More direct control over the DNS API desired • (b) Timing and availability is critical  „Happy Eyeballs“ – Slow or lousy (local) DNS servers create bad user experience  „Bad Hotel WiFi“ is often „Bad Hotel DNS“… • (c) DNS is used for censorship  Circumventing local (censoring) DNS servers protects Freedom of Speech  Eg. Google Jigsaw ttps://dnsserver.example.net/dns-query{?dns}
25 · www.nic.at DNSheads Vienna #5 · public IETF DoH* (DNS over HTTPs) group • Founded 2017 • 2018: RFC 8484  GET or POST  URI Templates (https://dnsserver.example.net/dns- query{?dns})  Wire-Format: application/dns-message (identical zu „normal“ DNS), oder JSON  HTTP Response-Code always 2xx (if successful), no matter which DNS response code *https://datatracker.ietf.org/wg/doh/about/
26 · www.nic.at DNSheads Vienna #5 · public Effects of encrypted DNS The implications of typical operational models
27 · www.nic.at DNSheads Vienna #5 · public „Plain“ DNS
28 · www.nic.at DNSheads Vienna #5 · public DNS over TLS
29 · www.nic.at DNSheads Vienna #5 · public DNS over HTTPS (typical)
30 · www.nic.at DNSheads Vienna #5 · public Concerns regarding DoH • 4 Browser Vendors • Few big public recursor vendors (1.1.1.1, 8.8.8.8, 9.9.9.9) • Market concentration / Control?  Pre-configured public recursors  Example: Mozilla / Cloudflare discussion • Media echo (German only, sorry!)  https://Heise.de/-4203225.html („Die DNS Gruft gehört ausgelüftet“)  https://heise.de/-4205380.html („Vom DNS, aktuellen Hypes, Überwachung und Zensur“)
31 · www.nic.at DNSheads Vienna #5 · public Implementations Server, Clients, Tools
32 · www.nic.at DNSheads Vienna #5 · public DoT Clients https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status
33 · www.nic.at DNSheads Vienna #5 · public DoT Server Software
34 · www.nic.at DNSheads Vienna #5 · public DoT (and DoH) public recursors • Google DNS (8.8.8.8) • Cloudflare (1.1.1.1) • Quad9 (9.9.9.9) • CleanBrowsing (various, with Filters)
35 · www.nic.at DNSheads Vienna #5 · public DoH • Clients  Mozilla Firefox  Google Chrome  (plus test tools) • Server Software  https://github.com/facebookexperimental/doh-proxy  https://github.com/curl/curl/wiki/DNS-over-HTTPS#doh-tools
36 · www.nic.at DNSheads Vienna #5 · public Android 9 – DNS over TLS by default • Uses DNS over TLS if available on local nameserver • Falls back to unencrypted DNS if unavailable
37 · www.nic.at DNSheads Vienna #5 · public Exec Summary • DNS can now be encrypted, either via TLS or HTTPS • DNS over HTTPs is more „disruptive“ than DNS over TLS • Public recursors have implemented either (or both)  But few local providers have implemented it (see below :-/) • Browser Vendors are implementing DNS over HTTPs  Ongoing policy discussions around pre-configuration of recursors • Android 9 implements DNS over TLS *by default*  Automatically uses it if available (see above :-/)  Google suggesting to configure „dns.google“ manually • Windows / MacOS – no „out of the box“ solutions – „Stubby“
38 · www.nic.at DNSheads Vienna #5 · public nic.at GmbH Jakob-Haringer-Str. 8/V · 5020 Salzburg · Austria T +43 662 4669 -34 · F -29 alexander.mayrhofer@nic.at · www.nic.at

Recommended

Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStackVietnam Open Infrastructure User Group
 
오픈소스 네트워킹
오픈소스 네트워킹오픈소스 네트워킹
오픈소스 네트워킹James Ahn
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
Securing k8s With Kubernetes Goat
Securing k8s With Kubernetes GoatSecuring k8s With Kubernetes Goat
Securing k8s With Kubernetes GoatMuhammad Yuga Nugraha
 
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Odinot Stanislas
 
[24]안드로이드 웹뷰의 모든것
[24]안드로이드 웹뷰의 모든것[24]안드로이드 웹뷰의 모든것
[24]안드로이드 웹뷰의 모든것NAVER Engineering
 
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...TomBarron
 
MSA 전략 2: 마이크로서비스, 어떻게 구현할 것인가?
MSA 전략 2: 마이크로서비스, 어떻게 구현할 것인가?MSA 전략 2: 마이크로서비스, 어떻게 구현할 것인가?
MSA 전략 2: 마이크로서비스, 어떻게 구현할 것인가?VMware Tanzu Korea
 

Recommended

Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStackVietnam Open Infrastructure User Group
 
오픈소스 네트워킹
오픈소스 네트워킹오픈소스 네트워킹
오픈소스 네트워킹James Ahn
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
Securing k8s With Kubernetes Goat
Securing k8s With Kubernetes GoatSecuring k8s With Kubernetes Goat
Securing k8s With Kubernetes GoatMuhammad Yuga Nugraha
 
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Odinot Stanislas
 
[24]안드로이드 웹뷰의 모든것
[24]안드로이드 웹뷰의 모든것[24]안드로이드 웹뷰의 모든것
[24]안드로이드 웹뷰의 모든것NAVER Engineering
 
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...
Practical CephFS with nfs today using OpenStack Manila - Ceph Day Berlin - 12...TomBarron
 
MSA 전략 2: 마이크로서비스, 어떻게 구현할 것인가?
MSA 전략 2: 마이크로서비스, 어떻게 구현할 것인가?MSA 전략 2: 마이크로서비스, 어떻게 구현할 것인가?
MSA 전략 2: 마이크로서비스, 어떻게 구현할 것인가?VMware Tanzu Korea
 
오픈스택 멀티노드 설치 후기
오픈스택 멀티노드 설치 후기오픈스택 멀티노드 설치 후기
오픈스택 멀티노드 설치 후기영우 김
 
IPFS introduction
IPFS introductionIPFS introduction
IPFS introductionGenta M
 
락플레이스 OpenShift Q&A 토크쇼 발표자료
락플레이스 OpenShift Q&A 토크쇼 발표자료락플레이스 OpenShift Q&A 토크쇼 발표자료
락플레이스 OpenShift Q&A 토크쇼 발표자료rockplace
 
Snort
SnortSnort
SnortFadwa Gmiden
 
Inter-Process Communication in Microservices using gRPC
Inter-Process Communication in Microservices using gRPCInter-Process Communication in Microservices using gRPC
Inter-Process Communication in Microservices using gRPCShiju Varghese
 
Building Microservices with gRPC and NATS
Building Microservices with gRPC and NATSBuilding Microservices with gRPC and NATS
Building Microservices with gRPC and NATSShiju Varghese
 
[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)
[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)
[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)Hyojun Jeon
 
Back to the future with C++ and Seastar
Back to the future with C++ and SeastarBack to the future with C++ and Seastar
Back to the future with C++ and SeastarTzach Livyatan
 
[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기
[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기
[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기Ian Choi
 
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)Zain Asgar
 
OpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsOpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsAkihiro Motoki
 
Redecentralizing the Web: IPFS and Filecoin
Redecentralizing the Web: IPFS and FilecoinRedecentralizing the Web: IPFS and Filecoin
Redecentralizing the Web: IPFS and FilecoinFacultad de Informática UCM
 
[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링
[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링
[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링OpenStack Korea Community
 
REST: From GET to HATEOAS
REST: From GET to HATEOASREST: From GET to HATEOAS
REST: From GET to HATEOASJos Dirksen
 
Ceph Day Beijing - Ceph All-Flash Array Design Based on NUMA Architecture
Ceph Day Beijing - Ceph All-Flash Array Design Based on NUMA ArchitectureCeph Day Beijing - Ceph All-Flash Array Design Based on NUMA Architecture
Ceph Day Beijing - Ceph All-Flash Array Design Based on NUMA ArchitectureDanielle Womboldt
 
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링OpenStack Korea Community
 
Hexagonify the World: The Theory and Applications of Uber H3
Hexagonify the World: The Theory and Applications of Uber H3Hexagonify the World: The Theory and Applications of Uber H3
Hexagonify the World: The Theory and Applications of Uber H3Safe Software
 
Build an High-Performance and High-Durable Block Storage Service Based on Ceph
Build an High-Performance and High-Durable Block Storage Service Based on CephBuild an High-Performance and High-Durable Block Storage Service Based on Ceph
Build an High-Performance and High-Durable Block Storage Service Based on CephRongze Zhu
 
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby NodeHadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby NodeErik Krogen
 
Open Network OS Overview as of 2015/10/16
Open Network OS Overview as of 2015/10/16Open Network OS Overview as of 2015/10/16
Open Network OS Overview as of 2015/10/16Kentaro Ebisawa
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 

More Related Content

What's hot

오픈스택 멀티노드 설치 후기
오픈스택 멀티노드 설치 후기오픈스택 멀티노드 설치 후기
오픈스택 멀티노드 설치 후기영우 김
 
IPFS introduction
IPFS introductionIPFS introduction
IPFS introductionGenta M
 
락플레이스 OpenShift Q&A 토크쇼 발표자료
락플레이스 OpenShift Q&A 토크쇼 발표자료락플레이스 OpenShift Q&A 토크쇼 발표자료
락플레이스 OpenShift Q&A 토크쇼 발표자료rockplace
 
Inter-Process Communication in Microservices using gRPC
Inter-Process Communication in Microservices using gRPCInter-Process Communication in Microservices using gRPC
Inter-Process Communication in Microservices using gRPCShiju Varghese
 
Building Microservices with gRPC and NATS
Building Microservices with gRPC and NATSBuilding Microservices with gRPC and NATS
Building Microservices with gRPC and NATSShiju Varghese
 
[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)
[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)
[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)Hyojun Jeon
 
Back to the future with C++ and Seastar
Back to the future with C++ and SeastarBack to the future with C++ and Seastar
Back to the future with C++ and SeastarTzach Livyatan
 
[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기
[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기
[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기Ian Choi
 
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)Zain Asgar
 
OpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsOpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsAkihiro Motoki
 
[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링
[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링
[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링OpenStack Korea Community
 
REST: From GET to HATEOAS
REST: From GET to HATEOASREST: From GET to HATEOAS
REST: From GET to HATEOASJos Dirksen
 
Ceph Day Beijing - Ceph All-Flash Array Design Based on NUMA Architecture
Ceph Day Beijing - Ceph All-Flash Array Design Based on NUMA ArchitectureCeph Day Beijing - Ceph All-Flash Array Design Based on NUMA Architecture
Ceph Day Beijing - Ceph All-Flash Array Design Based on NUMA ArchitectureDanielle Womboldt
 
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링OpenStack Korea Community
 
Hexagonify the World: The Theory and Applications of Uber H3
Hexagonify the World: The Theory and Applications of Uber H3Hexagonify the World: The Theory and Applications of Uber H3
Hexagonify the World: The Theory and Applications of Uber H3Safe Software
 
Build an High-Performance and High-Durable Block Storage Service Based on Ceph
Build an High-Performance and High-Durable Block Storage Service Based on CephBuild an High-Performance and High-Durable Block Storage Service Based on Ceph
Build an High-Performance and High-Durable Block Storage Service Based on CephRongze Zhu
 
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby NodeHadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby NodeErik Krogen
 
Open Network OS Overview as of 2015/10/16
Open Network OS Overview as of 2015/10/16Open Network OS Overview as of 2015/10/16
Open Network OS Overview as of 2015/10/16Kentaro Ebisawa
 

What's hot (20)

오픈스택 멀티노드 설치 후기
오픈스택 멀티노드 설치 후기오픈스택 멀티노드 설치 후기
오픈스택 멀티노드 설치 후기
 
IPFS introduction
IPFS introductionIPFS introduction
IPFS introduction
 
락플레이스 OpenShift Q&A 토크쇼 발표자료
락플레이스 OpenShift Q&A 토크쇼 발표자료락플레이스 OpenShift Q&A 토크쇼 발표자료
락플레이스 OpenShift Q&A 토크쇼 발표자료
 
Snort
SnortSnort
Snort
 
Inter-Process Communication in Microservices using gRPC
Inter-Process Communication in Microservices using gRPCInter-Process Communication in Microservices using gRPC
Inter-Process Communication in Microservices using gRPC
 
Building Microservices with gRPC and NATS
Building Microservices with gRPC and NATSBuilding Microservices with gRPC and NATS
Building Microservices with gRPC and NATS
 
[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)
[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)
[NDC18] 야생의 땅 듀랑고의 데이터 엔지니어링 이야기: 로그 시스템 구축 경험 공유 (2부)
 
Back to the future with C++ and Seastar
Back to the future with C++ and SeastarBack to the future with C++ and Seastar
Back to the future with C++ and Seastar
 
[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기
[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기
[OpenStack] 공개 소프트웨어 오픈스택 입문 & 파헤치기
 
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
 
OpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsOpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 Lessons
 
Redecentralizing the Web: IPFS and Filecoin
Redecentralizing the Web: IPFS and FilecoinRedecentralizing the Web: IPFS and Filecoin
Redecentralizing the Web: IPFS and Filecoin
 
[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링
[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링
[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링
 
REST: From GET to HATEOAS
REST: From GET to HATEOASREST: From GET to HATEOAS
REST: From GET to HATEOAS
 
Ceph Day Beijing - Ceph All-Flash Array Design Based on NUMA Architecture
Ceph Day Beijing - Ceph All-Flash Array Design Based on NUMA ArchitectureCeph Day Beijing - Ceph All-Flash Array Design Based on NUMA Architecture
Ceph Day Beijing - Ceph All-Flash Array Design Based on NUMA Architecture
 
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
[OpenStack Days Korea 2016] Track1 - Monasca를 이용한 Cloud 모니터링
 
Hexagonify the World: The Theory and Applications of Uber H3
Hexagonify the World: The Theory and Applications of Uber H3Hexagonify the World: The Theory and Applications of Uber H3
Hexagonify the World: The Theory and Applications of Uber H3
 
Build an High-Performance and High-Durable Block Storage Service Based on Ceph
Build an High-Performance and High-Durable Block Storage Service Based on CephBuild an High-Performance and High-Durable Block Storage Service Based on Ceph
Build an High-Performance and High-Durable Block Storage Service Based on Ceph
 
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby NodeHadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
 
Open Network OS Overview as of 2015/10/16
Open Network OS Overview as of 2015/10/16Open Network OS Overview as of 2015/10/16
Open Network OS Overview as of 2015/10/16
 

Similar to Encrypted DNS - DNS over TLS / DNS over HTTPS

How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDan York
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesAPNIC
 
Qunog12-DNS暗号化
Qunog12-DNS暗号化Qunog12-DNS暗号化
Qunog12-DNS暗号化Manabu Sonoda
 
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabDNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabAPNIC
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOHAPNIC
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECCarlos Martinez Cagnazzo
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Alec Muffett
 

Similar to Encrypted DNS - DNS over TLS / DNS over HTTPS (20)

How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
Qunog12-DNS暗号化
Qunog12-DNS暗号化Qunog12-DNS暗号化
Qunog12-DNS暗号化
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
 
Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabDNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6Lab
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5
 

More from Alex Mayrhofer

Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?
Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?
Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?Alex Mayrhofer
 
RRDG Data Sharing Specifications
RRDG Data Sharing SpecificationsRRDG Data Sharing Specifications
RRDG Data Sharing SpecificationsAlex Mayrhofer
 
DNS Magnitude - DNSheads Vienna #6
DNS Magnitude - DNSheads Vienna #6DNS Magnitude - DNSheads Vienna #6
DNS Magnitude - DNSheads Vienna #6Alex Mayrhofer
 
Encrypted DNS research @ nic.at
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.atAlex Mayrhofer
 

More from Alex Mayrhofer (7)

RDAP @ .at
RDAP @ .at RDAP @ .at
RDAP @ .at
 
Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?
Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?
Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?
 
RRDG Data Sharing Specifications
RRDG Data Sharing SpecificationsRRDG Data Sharing Specifications
RRDG Data Sharing Specifications
 
DNS Magnitude - DNSheads Vienna #6
DNS Magnitude - DNSheads Vienna #6DNS Magnitude - DNSheads Vienna #6
DNS Magnitude - DNSheads Vienna #6
 
DNSheads Vienna #6
DNSheads Vienna #6DNSheads Vienna #6
DNSheads Vienna #6
 
Encrypted DNS research @ nic.at
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.at
 
DNSheads Vienna #5
DNSheads Vienna #5DNSheads Vienna #5
DNSheads Vienna #5
 

Recently uploaded

VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 

Recently uploaded (20)

VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 

Encrypted DNS - DNS over TLS / DNS over HTTPS

  • 1. 1 · www.nic.at DNSheads Vienna #5 · public Briefing „Encrypted DNS“ DNS over TLS / DNS over HTTPS DNSheads Vienna #5 · public 2019-01-30 · Alex Mayrhofer · Head of Research & Development
  • 2. 2 · www.nic.at DNSheads Vienna #5 · public Background Why DNS encryption was developed
  • 3. 3 · www.nic.at DNSheads Vienna #5 · public The DNS anno circa 2012 • Sensational Success Story  Age 25, and practically unmodified • Today: „Nothing goes“ without DNS • Clear text. Everything  „DNS is public anyways?“ • 99% UDP, 1% TCP „fallback“  Worst TCP support ever! • DNSSEC? Makes everything secure, doesn‘t it !!?!  Does only „sign“, not „encrypt“ • 2013: Snowden revelations  NSA: „Clear text PII data … mmmmm…“  IETF: „Ohh sheesh – we didn‘t expect *that* scale!“ Photo by Simone Acquaroli on Unsplash
  • 4. 4 · www.nic.at DNSheads Vienna #5 · public „Pervasive Monitoring is an Attack“ • RFC 7258 – „Pervasive Monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible“ • Consequence: Review of all important procotols • DNS – there‘s not even a standardized *option* for encryption • Worse – contains „privacy defeating“ mechanism  Unneccessarily transmits full QNAME in many cases  EDNS(0) Client Subnet • Leak of Meta-Data & Fingerprinting  Re-identification of individuals across networks But, but… ohhhhh… Photo by Kote Puerto on Unsplash
  • 5. 5 · www.nic.at DNSheads Vienna #5 · public „We need encryption“ But where to start?
  • 6. 6 · www.nic.at DNSheads Vienna #5 · public The DNS Protocol arena „Recursive DNS Server“ „Authoritative DNS Server“
  • 7. 7 · www.nic.at DNSheads Vienna #5 · public IETF DPRIVE* („PRIVate Exchange“) • 2014: „Let‘s deal with the stub resolver to recursor leg“  Most significant information leakage  1:few Relation – Authentication simple  „Don‘t attempt to boil the ocean“ • 2018: Re-Chartering: Includes „recursive to authoritative“  More complex: m:n connections (Authentication!)  Milestone for end of 2019 *https://datatracker.ietf.org/wg/dprive/about/
  • 8. 8 · www.nic.at DNSheads Vienna #5 · public DNS over (D)TLS IETF: DPRIVE / DNSOP / (TLS)
  • 9. 9 · www.nic.at DNSheads Vienna #5 · public Liste of relevant RFCs • RFC 7626 – DNS Privacy Considerations (DPRIVE) • RFC 7766 – TCP Transport for DNS (DNSOP) • RFC 7816 – QNAME Minimization (DNSOP) • RFC 7828 – EDNS keepalive (DNSOP) • RFC 7858 – DNS over TLS (DPRIVE) • RFC 8094 – DNS over DTLS (DPRIVE) • RFC 7830 (+RFC 8467) – DNS Padding (DPRIVE) • RFC 8310 – Usage Profiles • RFC 8446 – TLS 1.3 (TLS)
  • 10. 10 · www.nic.at DNSheads Vienna #5 · public RFC 7626 – DNS Privacy Considerations • Privacy aspects / issues in areas of the DNS:  In the DNS message (Query Name, IP Adresse)  On the server  On the Wire  Re-Identification based on patterns • Kills the „DNS is public anyways!“ argument  Website of „Alcoholics Anonymous“ is public  The fact that someone visits that website regularly is definitely privacy relevant! • Practical example (similar..)  drugstoremorningafterpillvienna16.at  (Browser search requests leaking to the DNS?)
  • 11. 11 · www.nic.at DNSheads Vienna #5 · public RFC 7766 – TCP Transport for DNS • Goal: Establish DNS over TCP als „first class citizen“ • Features  Persistent connections (Client supposed to close connections)  Connection re-use  Pipelining  Response Reordering  TCP Fast Open  Similar: „Happy Eyeballs“
  • 12. 12 · www.nic.at DNSheads Vienna #5 · public RFC 7816 – QNAME Minimization
  • 13. 13 · www.nic.at DNSheads Vienna #5 · public RFC 7828 – EDNS keepalive • EDNS Option for Session Management • For TCP only! • Clients: „Please leave connection open for X seconds“ • Server: „Ok, leave it open for X seconds“ or „Please close connection now!“
  • 14. 14 · www.nic.at DNSheads Vienna #5 · public RFC 7858 – DNS over TLS (DoT) • New Port 853 / TCP • „On the wire“ protocol is unmodified • Authentification: Certificates usw? -> RFC 8310  „Opportunistic“ vs. „Strict“  Chicken/Egg -> Bootstrapping des DoT Servers wie? • Does not change the „path“ of the DNS message  Existing Recursive Nameserver can simply offer an additional, encrypted channel
  • 15. 15 · www.nic.at DNSheads Vienna #5 · public RFC 8094 – DNS over DTLS • Port 853 / UDP • „Same Same but Different“ • Experimental!  Issues with fragmentation  DTLS is not widely implemented • Performance advantage of UDP?  Mostly because TCP implementation used to be so „lousy“.
  • 16. 16 · www.nic.at DNSheads Vienna #5 · public EDNS(0) Padding It‘s required for privacy – but, why?
  • 17. 17 · www.nic.at DNSheads Vienna #5 · public EDNS(0) Padding – why? • Encryption removes „direct“ access to the information  What‘s left for the Attacker? • „Pretty Bad Privacy – Pitfalls of DNS Encryption“*  Haya Shulman @ IETF 93  Applied Networking Research Price – IRTF • Side Channel information is key!  Countermeasures *https://www.ietf.org/proceedings/93/slides/slides-93-irtfopen-1.pdf
  • 18. 18 · www.nic.at DNSheads Vienna #5 · public Application Queries – it‘s a stream • A Pattern - Not just a single query/response pair
  • 19. 19 · www.nic.at DNSheads Vienna #5 · public Encrypted DNS • Streams still create size/timing „patterns“
  • 20. 20 · www.nic.at DNSheads Vienna #5 · public Size based Correlation • Compare with known clear text patterns • Even works with a subset of message sizes
  • 21. 21 · www.nic.at DNSheads Vienna #5 · public Introducing Padding • Obfuscates the size pattern -> Hampers correlation • More „hits“ -> less likely that identification is possible
  • 22. 22 · www.nic.at DNSheads Vienna #5 · public RFC 7830 – EDNS(0) Padding Option • EDNS Option code 12 https://tools.ietf.org/html/rfc7830
  • 23. 23 · www.nic.at DNSheads Vienna #5 · public DNS over HTTPS An alternative encryption scheme, driven by browser vendors
  • 24. 24 · www.nic.at DNSheads Vienna #5 · public Motivation – Browser Vendors • (a) Browsers do a lot of DNS these days  Websites + assets (JS, Ads, Statistics…), CDNs  Certificate Validation (OCSP), SafeBrowsing lists, updates, …  More direct control over the DNS API desired • (b) Timing and availability is critical  „Happy Eyeballs“ – Slow or lousy (local) DNS servers create bad user experience  „Bad Hotel WiFi“ is often „Bad Hotel DNS“… • (c) DNS is used for censorship  Circumventing local (censoring) DNS servers protects Freedom of Speech  Eg. Google Jigsaw ttps://dnsserver.example.net/dns-query{?dns}
  • 25. 25 · www.nic.at DNSheads Vienna #5 · public IETF DoH* (DNS over HTTPs) group • Founded 2017 • 2018: RFC 8484  GET or POST  URI Templates (https://dnsserver.example.net/dns- query{?dns})  Wire-Format: application/dns-message (identical zu „normal“ DNS), oder JSON  HTTP Response-Code always 2xx (if successful), no matter which DNS response code *https://datatracker.ietf.org/wg/doh/about/
  • 26. 26 · www.nic.at DNSheads Vienna #5 · public Effects of encrypted DNS The implications of typical operational models
  • 27. 27 · www.nic.at DNSheads Vienna #5 · public „Plain“ DNS
  • 28. 28 · www.nic.at DNSheads Vienna #5 · public DNS over TLS
  • 29. 29 · www.nic.at DNSheads Vienna #5 · public DNS over HTTPS (typical)
  • 30. 30 · www.nic.at DNSheads Vienna #5 · public Concerns regarding DoH • 4 Browser Vendors • Few big public recursor vendors (1.1.1.1, 8.8.8.8, 9.9.9.9) • Market concentration / Control?  Pre-configured public recursors  Example: Mozilla / Cloudflare discussion • Media echo (German only, sorry!)  https://Heise.de/-4203225.html („Die DNS Gruft gehört ausgelüftet“)  https://heise.de/-4205380.html („Vom DNS, aktuellen Hypes, Überwachung und Zensur“)
  • 31. 31 · www.nic.at DNSheads Vienna #5 · public Implementations Server, Clients, Tools
  • 32. 32 · www.nic.at DNSheads Vienna #5 · public DoT Clients https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status
  • 33. 33 · www.nic.at DNSheads Vienna #5 · public DoT Server Software
  • 34. 34 · www.nic.at DNSheads Vienna #5 · public DoT (and DoH) public recursors • Google DNS (8.8.8.8) • Cloudflare (1.1.1.1) • Quad9 (9.9.9.9) • CleanBrowsing (various, with Filters)
  • 35. 35 · www.nic.at DNSheads Vienna #5 · public DoH • Clients  Mozilla Firefox  Google Chrome  (plus test tools) • Server Software  https://github.com/facebookexperimental/doh-proxy  https://github.com/curl/curl/wiki/DNS-over-HTTPS#doh-tools
  • 36. 36 · www.nic.at DNSheads Vienna #5 · public Android 9 – DNS over TLS by default • Uses DNS over TLS if available on local nameserver • Falls back to unencrypted DNS if unavailable
  • 37. 37 · www.nic.at DNSheads Vienna #5 · public Exec Summary • DNS can now be encrypted, either via TLS or HTTPS • DNS over HTTPs is more „disruptive“ than DNS over TLS • Public recursors have implemented either (or both)  But few local providers have implemented it (see below :-/) • Browser Vendors are implementing DNS over HTTPs  Ongoing policy discussions around pre-configuration of recursors • Android 9 implements DNS over TLS *by default*  Automatically uses it if available (see above :-/)  Google suggesting to configure „dns.google“ manually • Windows / MacOS – no „out of the box“ solutions – „Stubby“
  • 38. 38 · www.nic.at DNSheads Vienna #5 · public nic.at GmbH Jakob-Haringer-Str. 8/V · 5020 Salzburg · Austria T +43 662 4669 -34 · F -29 alexander.mayrhofer@nic.at · www.nic.at