Survey of the (Open Source) DNS Privacy Landscape© Men & Mice DNS privacy software • new DNS...

RIPE78 ReykjavikCarsten Strotmann

Survey of the (Open Source) DNS Privacy Landscape

DNS privacy software

• new DNS privacy protocols sparked a large number of new software projects

•and much debate in the IETF and the larger DNS community

DNS privacy software

•this talk will visit the software side of these new protocols

•comparison of the start of new software projects in comparison to the new standards

•number of projects for DNS-over-HTTPS vs. DNS-over-TLS

•programming languages used to implement the new protocols

DNS Privacy Protocols - a short refresher

• DNS queries and responses are used to spy on users

• DNS traffic is being altered "on the transport"

• DNS queries are blocked to implement censorship

DNS Privacy Protocols - a short refresher

•two new protocols have been developed in the IETF

•DNS-over-TLS (RFC 7858)

•DNS-over-HTTPS (RFC 8484)

DoT - DNS over TLS

•RFC 7858 "Specification for DNS over Transport Layer Security (TLS)"

•DNS wireformat over TLS over TCP

•Port 853 (TCP)

•Encryption and authentication

https://tools.ietf.org/html/rfc7858

DoH - DNS over HTTP(S)

• RFC 8484 "DNS Queries over HTTPS (DoH)"

•DNS HTTP-Format over HTTPS over TCP, Port 443 (HTTP/2)

•Port 443 (TCP)

•Encryption and authentication

https://tools.ietf.org/html/rfc8484

classic DNS via UDP/TCP9

DNS via DoH/DoT (current state)10

DNS via DoH/DoT (current state)11

DoT vs DoH

•differences between DoT and DoH

•DoT is running on an dedicated port (853), can be easily blocked

•DoH is made to look like normal HTTPS traffic, selective blocking of DoH is difficult

•existing HTTPS library functions in programming languages give DoH an implementation advantage

•DoH enables developers to do DNS name resolution on an application level, which some people think is bad

the survey

•informal survey, looking at 46 DoT/DoH open source software projects on Github and Gitlab

•in May 2019

•only software projects, no composition projects (Docker Container etc)

•full list: https://doh.defaultroutes.de/implementations.html

DoH and DoT

Years of DoH/DoT implementation

Implementation languages

Project liveliness

Project activity in the last 6 month?

Applications

• Firefox

• Chrome

• curl

• Tenta-Browser (Android)

• Bromite Browser (Android)

System Resolver

• systemd-resolved (Systemd-based Linux)

• unwind (OpenBSD) : next talk!

• resolver module for Linux glib (nsswitch.conf)

Client Proxy

• sdns

• dnscrypt-proxy2

• veild

• stubby

• unbound

• cloudflared

• Dohnut

• dns-over-https

some client proxies have additional functions, like ad-blocking or load-balancing across multiple

upstream server

Server Proxy

• rust-doh

• dnsdist

• dns-over-https

• dnss

server proxies add DoT or DoHto traditional DNS server

(BIND 9, Microsoft DNS, NSD …)

Dot/DoH Server

• unbound

• Knot

• sdns

DNS server with DoT or DoH "build in"

Whats missing

• DANE - check of TLS x509 certificates via DNS

• Witness checks for client proxies

•query multiple upstream DNS resolver and compare the data, protect against rogue server operators

• code security audits

Conclusion

•there is a rich software ecosystem for DoH and DoT

•users can find applications and client proxy systems

•operators can find server proxies or DoH/DoT server

ISPs: start offering DoH/DoT now, else your customers DNS traffic will

move to the cloud!

Questions!

(please don't discuss the political issues around DoT and DoH here)

Survey of the (Open Source) DNS Privacy Landscape© Men & Mice DNS privacy software • new DNS...

Documents

Perceptions of ICT Practitioners Regarding Software Privacy

Privacy Policy - Muddy Boots Software Ltd

UNIT – 6 PRIVACY AND SECURITY. Software Complexity

Privacy-Preserving DNS: Analysis of Broadcast, Range

Securing DNS Environments - fusionlayer.com · security principles, which have been incorporated in our DNS software appliance, FusionLayer DNS. Figure 2 represents the basic architecture

dnsprivacy · DNS ecosystem (no privacy in design) • Rebuts “alleged public nature of DNS data” • The data may be public, but a DNS ‘transaction’ is not/should not be

Privacy Research Paradigms Privacy Engineering and the ...jhh/isp-2016/gurses.pdf · privacy research getting privacy engineering right? software engineering practice Wednesday, July

DNS and DNSSEC - econinfosec.org · DNS and DNSSEC Samuel Weiler ... Domain Name System (DNS) ... – DNS Resolver Software BIND and Unbound (java), both open source

Privacy Engineering Meets Software Engineering. On the

Dynamic DNS Support for Cisco IOS Software · Dynamic DNS Support for Cisco IOS Software TheDynamicDNSSupportforCiscoIOSSoftwarefeatureenablesCiscoIOSsoftwaredevicestoperform DynamicDomainNameSystem(DDNS

DNS Software Overview

RIPE76 DNS Privacy measurements · DNS WG @ RIPE76 DNS Privacy Measurements Latest Measurements on DNS Privacy Sinodun ... Unbound . DNS WG @ RIPE76 DNS Privacy Measurements Test

VitalQIP DNS/DHCP & IP Address Management Software and Appliance

Measuring Data Privacy and Protection in Software

OARC 27 DNS Privacy clients · DNS Privacy Clients @ OARC 27 Sep 2017, San Jose Command line tools 9 Features getdns_query kdig delv (dig) (dig) drill DNS ECS privacy 9.12 (drill)

Model-Driven Software Engineering in Practice: Privacy ... · Model-Driven Software Engineering in Practice: Privacy-Enhanced ... Model-driven engineering ... in Practice: Privacy-Enhanced

Improving DNS Privacy - NLnet Labs€¦ · Today • Who am I: • Principal Scientist at NLnet Labs-- not for proﬁt developing open source software for core Internet protocols

Privacy for DNS Queries Oblivious DNS: Practical · 2019. 7. 22. · encryption/decryption is lightweight. ODNS Crypto Overhead Roughly ~1-2 ms for crypto operations using standard

Catalyst 2950 Desktop Switch Software Configuration · PDF fileCatalyst 2950 Desktop Switch Software Configuration Guide 78-11380-04 Understanding DNS 7-48 Default DNS Configuration

PRIVACY OF DNS-OVER-HTTPS: REQUIEM FOR A DREAM?