
Hey Kid, Wanna Try Some DoH?

grg
February 05, 2020


DNS over HTTPS (DoH) is lauded by nontechnical media as the panacea for privacy concerns. While superficially it may appear that DoH addresses privacy problems in a modern and elegant manner, the repercussions and trade-offs of this latest iteration of the DNS infrastructure makeover are actually a fever dream come true for companies that profit from the sale of personal information.


Transcript

  1. 1998-2015 DNSSEC • Context: encryption is heavy lifting, hard on muh computes. ◦ Gov: “ALSO BAD” • Complex: 1k pages, so you know it’s gotta be good • Accomplishments: Data integrity at the expense of privacy ◦ Does securebank.com exist? • No, but dont-publish-this.securebank.com exists
  2. 2009 DNSCURVE/DNSCRYPTO • True transport encryption of DNS • Super light, secure, and fast • But very Dan Bernstein ◦ (his software is still very good though) • Had this been adopted, we likely wouldn’t have this talk
  3. 2015 (Still not done yet) DNS over TLS • “Simple” encrypted DNS • TLS still kind of slow at this point • Port 853 ◦ SysAdmins: NEW ACL rules?!? • “Maybe next FY, kid.”
  4. Modern Chivalry A multinational conglomerate and a couple of CDNs decided that our privacy needed to be improved and offered to be the chauffeur for our data through the spooky interwebs. (how nice of them)
  5. 2018 DoH • Encrypted DNS transport • No one blocks 443 • “Trusted Recursive Resolvers” • Comparatively gaining the most steam • All over HTTPS
  6. So what, it’s just DNS metadata • Your IoT ◦ Watch, fridge, dishwasher, home cameras, lights • Your Phone ◦ Every place your phone has been • Your computers ◦ Every site your computer navigates to
  7. “The past 24 hours of resolved domain names from a random audience member are on the next slide”
  8. Metadata 3: eSNI Plaintext: “I want to set up a super secret connection with badsite.com”
  9. Metadata 5: TLS Session Resumption • Session IDs and session tickets can last literal days. ◦ Which in turn means you can have a continuous, unambiguous record tracing you from one physical location to another. ◦ Device and mobility (network sense) become literal agent tracking
  10. TCP-based solutions may also seek performance through the use of TCP Fast Open [RFC7413]. The cookies used in TCP Fast Open allow servers to correlate TCP sessions.[1] [1] https://tools.ietf.org/html/rfc8484
  11. Sidenote: Tracking and UDP • Ever try to trace a DNS request coming from a NAT’d device? • Session Resumption can’t exist over vanilla DNS because it’s over UDP.
  12. 2020++: It gets better from here (it doesn’t) • DNS over cloud ◦ Browser talks straight to CDN, bypassing your OS’s network, trust and security settings
  13. VPN “If you’re not paying for the product, you are the product[1]” [1] Subject to terms of use, FISA and privacy policy. Whichever one breaks first.
  14. Examine Claims to Benevolence: “We aren’t going to do anything with your data” != “We aren’t going to do anything ever with your data”
  15. Final Considerations • Decisions made in Austin have worldwide implications ◦ In July 2019, Business Insider labeled us as the fastest growing tech hub in the nation. • Turkish/Russian/Chinese/Korean freedom fighters depend on privacy as a matter of day-to-day living.
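As an added illustration of the RFC 8484 wire format the deck cites in slides 5 and 10 (example code written for this page, not part of the talk): a DoH GET request is simply a plain DNS wire-format query, base64url-encoded without padding, in the `dns` query parameter of an HTTPS URL. The resolver URL `https://doh.example/dns-query` is a constructed placeholder.

```python
# Added example: how an RFC 8484 DoH GET request carries a DNS query.
# Builds a minimal DNS wire-format query, base64url-encodes it without
# padding (as the RFC requires for the "dns" parameter) and decodes it
# back. The resolver URL below is a constructed placeholder.
import base64
import struct

DOH_TEMPLATE = "https://doh.example/dns-query?dns={dns}"  # placeholder

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Return a DNS wire-format query for `name` (qtype 1 = A record).
    RFC 8484 recommends transaction ID 0 so identical queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def encode_dns_param(msg: bytes) -> str:
    """base64url with '=' padding stripped, per RFC 8484 section 6."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def decode_dns_param(param: str) -> bytes:
    """Inverse of encode_dns_param: restore the padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def parse_question(msg: bytes) -> tuple:
    """Extract the first question's name and type from a wire-format query."""
    labels, pos = [], 12  # question section starts after the 12-byte header
    while msg[pos]:
        ln = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype

def doh_get_url(name: str) -> str:
    """Full DoH GET URL for an A query of `name`."""
    return DOH_TEMPLATE.format(dns=encode_dns_param(build_query(name)))

if __name__ == "__main__":
    url = doh_get_url("securebank.com")
    print(url)
    print(parse_question(decode_dns_param(url.split("dns=")[1])))
```

Round-tripping the URL parameter back through `parse_question` shows that the resolver (and anything logging its request URLs) sees the queried name in full; DoH encrypts the path to the resolver, not the query itself.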