Slide 1
Slide 1 text
DNS Related Stuff @
IETF105
sylph01 (Ryo Kajiwara)
DNS-Onsen 6
Slide 2
Slide 2 text
୭ʁ
ֿݪ ཾ(sylph01)
Twitter: @s01
҉߸ͱ͔Ͱ͖·͢
TLSΑΓ্ͷ
DNS·ΔͰΘ͔ΒΜ
Slide 3
Slide 3 text
એ
"DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ
ज़ॻయ6(ࠓͷ4݄)ʹ൦͠·ͨ͠
DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ
DNSSECɺDNS over TLS/HTTPS͋ͨΓ
ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ
ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢
ཧ൛ച͠·͕ͨ͠ݟຊ͖࣋ͬͯ
ͯ·͢ɻిࢠ൛ܧଓͯ͠൦த
ϚαΧϦ͓͍ͪͯ͠·͢
Slide 4
Slide 4 text
એͦͷ2
ಉٕ͘͡ज़ॻయ4(ࡢ)ʹͯ "Dark Depths
of SMTP" ͳΔຊΛग़͠·ͨ͠
ຊޠͷۀͷSMTPͷຊ5Ҏ্ग़ͯ
ͳ͍ϋζͳͷͰ͜ͷͷوॏͳup-to-
dateͳຊͰ͢
SPF, DKIM, DMARCવΧόʔ͍ͯ͠
·͢
ͪ͜Βཧ൛ചɺిࢠ൛Λܧଓ͠
ͯ൦த
ͳ͓౦ํཁૉදࢴ͚ͩͰ͢
Slide 5
Slide 5 text
https:/
/
cryptic-
command.net
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
ͱ͍͏Θ͚Ͱ
IETF105
(7/20-26)
ߦ͖ͬͯ·ͨ͠
(ࠓճॳࢀՃ)
Slide 8
Slide 8 text
ߦͬͨओͳతͰ͋Δͱ͜Ζͷ
Messaging Layer Securityͷผͷ
ͱ͜ΖͰ͠ΌͬͨͷͰҎԼࢀর
https://bit.ly/2LuvrAv
Slide 9
Slide 9 text
No content
Slide 10
Slide 10 text
ANRW
(Applied Network Research
Workshop)
Slide 11
Slide 11 text
Who Is Answering My Queries:
Understanding and Characterizing
Interception of the DNS Resolution
Path
ύϒϦοΫDNSαʔόʔͱͷ௨৴Λinterceptͯ͠ҟͳΔIPΞυϨε
Λฦ͍ͯ͠Δon-path deviceͷଘࡏͱͦͷಛΛେنଌఆʹΑΓ
໌Β͔ʹͨ͠ɺͱ͍͏ݚڀɻ
શੈքͰ7.36%ɺதࠃࠃͰ17.13%ͷAS͕͜ͷΑ͏ͳinterceptionΛ
ߦ͍ͬͯΔͱͷ͜ͱɻ
Slide 12
Slide 12 text
Who Is Answering My Queries(ry
Կ͕ى͜Δ͔ https:/
/labs.ripe.net/Members/babak_farrokhi/is-
your-isp-hijacking-your-dns-traffic ͷهड़͕Θ͔Γ͍͢ɻ
http:/
/whatismydnsresolver.com/ Ͱࣗͷڥʹ͍ͭͯΔ͜ͱ͕
Ͱ͖Δʢ͜ΕݚڀνʔϜ͕༻ҙͨ͠ͷʣɻ
Slide 13
Slide 13 text
Who Is Answering My Queries(ry
• Global analysis: TCP SOCKSΛͬͨproxy networkͰଟͷIPΞυ
Ϩε͔Βͷ௨৴ΛࢼΈΔ
• ϞόΠϧϢʔβʔ͚ͷωοτϫʔΫσόοάπʔϧΛ։ൃ͠
͍ͯΔձࣾͱڞಉݚڀɺ͜ΕʹΑͬͯUDPͰͷDNS௨৴ଌఆ
Մೳʹ
Slide 14
Slide 14 text
Oblivious DNS: Practical Privacy for
DNS Queries
ݱߦͷDNSͰrecursive resolver͕ϢʔβʔͷϓϥΠόγʔʹؔΘ
Δใͷଟ͘ΛऩूͰ͖ΔɻύϒϦοΫDNSτϥετΛ൴Βʹ
ҕͶΔ͚ͩͰղܾʹͳ͍ͬͯͳ͍ɻ
͜ͷఏҊͰݱߦͷΠϯϑϥͱޓੑͷ͋Δํ๏ͰϢʔβʔͷݸ
ਓಛఆใΛΫΤϦ༰͔Β͢Δɺͱ͍͏͜ͱΛࢼΈ͍ͯ
Δɻ
Slide 15
Slide 15 text
Oblivious DNS
ʮDNSͰDNSΛτϯωϦϯά͢Δʯํ๏ΛऔΔɻ
• ελϒϦκϧόʔυϝΠϯΛ҉߸Խͨ͠ϑΥʔϚοτʹม
• recursive resolverͰΫΤϦͷ࣮ࡍͷதݟΕͳ͍
• ϢʔβʔͷidentityݟΕΔ
• ODNS authoritative server͕࣮ࡍͷrecursive resolverͷׂΛՌͨ
͢
• ͜͏͢ΔͱODNSͰϢʔβʔͷidentityݟΕͳ͍
Slide 16
Slide 16 text
No content
Slide 17
Slide 17 text
No content
Slide 18
Slide 18 text
Oblivious DNS
ύϑΥʔϚϯεͲ͏ͳΔͷʁ
• ҉߸ԽͷΦʔόʔϔουରশ伴҉߸ͳͷͰ1-2ms
• ODNS resolverͷϨΠςϯγ͕֤ΫΤϦͰՃ͞ΕΔ
• CDNΛͬͯanycastͰେنʹσϓϩΠ͢Δ͜ͱͰWANϨΠ
ςϯγΛݮͰ͖Δ
• ͨͩ͠anycastͰͬͯ͠·͏ͱ҉߸伴ͷ͕ൃੜ͢Δ
• Ωϟογϡ͕ޮ͖ʹ͍͘ͱ͍͏ى͜Δ
Slide 19
Slide 19 text
Analyzing the Costs (and Benefits) of
DNS, DoT, and DoH for the Modern
Web
DoH͕Do53ΑΓ͍͜ͱ͕͋ΔɻͳΜͰʁ
• DNS wire formatͷHTTP cachingʹΑΔޮՌ
• lossy networkͰTCPͷ࠶ૹ੍ޚͷ͓͔͛ͰDoT/DoH > Do53
Slide 20
Slide 20 text
What Can You Learn from an IP?
(Measurement and Optimisation͔Β)
DNSΫΤϦͷϦΫΤετ/ϨεϙϯεDoH/DoTɺSNIEncrypted
SNIɺαʔόʔূ໌ॻTLS 1.3Ͱ҉߸Խ͞ΕΔΑ͏ʹͳͬͨɻ߈ܸ
ऀ͕ݟΕΔͷIPͷΈɻͰIP߈ܸऀʹϢʔβʔಛఆͷͨΊͷ͍
͔ͳΔใΛఏڙ͢Δͷ͔ʁ
-> ͚ͬ͜͏͍ΖΜͳ͜ͱ͕Θ͔Δɻ
rDNSͰେͨ͠ใ͕ಘΒΕͳ͍ͷͰɺେنΫϩʔϦϯάͰIP
→ υϝΠϯͷϚοϐϯάΛ࡞Δɻ
Slide 21
Slide 21 text
What Can You Learn from an IP?
• 47.6%ͷIPanonimity set(1 IPʹର͍͍ͯͭͯ͠ΔυϝΠϯͷू
߹)ͷαΠζ͕1
• ࠷େͷanonimity setͷαΠζ16000+
• αΠτϢχʔΫͳIPΞυϨε68%
• ϖʔδϩʔυ࣌ʹಡΈࠐΉIPΞυϨεͷηοτΛऔಘ͢Δ͜ͱ
Ͱ͞ΒʹಛఆΛਐΊΒΕΔ
• ରࡦ: ϗεςΟϯάΠϯϑϥͷมߋɻCDNͷIPΞυϨεͷϥϯμ
ϜԽͳͲɻ
Slide 22
Slide 22 text
What Can You Learn from an IP?
ݸਓతʹڵຯਂ͍ͱࢥͬͨ͜ͱʮIPv4ރׇରࡦͷͨΊʹIPv6ɺ
SNIཁΒͳ͍ʯΛશྗͰਪ͠ਐΊΔͱAnonimity Set 1ͷIPΞυϨε
ͩΒ͚ʹͳͬͯ͠·͍ɺIPΞυϨεͰͷfingerprinting͕༰қʹͳͬ
ͯ͠·͏͜ͱɺ·ͨͦͷͨΊSNIͷॏཁੑIPv4ރׇରࡦΑΓϓ
ϥΠόγʔʹγϑτ͍ͯ͠ΔՄೳੑ͕͋Δɺͱ͍͏͜ͱɻ
Slide 23
Slide 23 text
No content
Slide 24
Slide 24 text
dnsop
Slide 25
Slide 25 text
interoperable dns server
cookies
https:/
/datatracker.ietf.org/doc/draft-sury-toorop-dnsop-server-
cookies/
DNS Server CookiesʢݶఆతͰ͋Δ͕ʣ૿෯߈ܸɺύε֎ͷ
ΩϟογϡϙΠζχϯάͳͲʹରͯ͠ରࡦΛఏڙ͢ΔΈɻຊ
ʹ༗༻ʹͳΔͨΊʹଟ͘ͷαʔόʔ͕ಋೖ͢Δඞཁ͕͋Δɻ
Αͬͯ͜ΕΛαʔόʔؒͰinteroperableʹ͍ͨ͠ɻ
Slide 26
Slide 26 text
ANAME
https:/
/datatracker.ietf.org/doc/draft-ietf-dnsop-aname/
"CNAME on apex"ͱͯ࢝͠·͕ͬͨɺ"Address-specific DNS
aliases"ͱ͍͏υϥϑτ໊ɻapexυϝΠϯ໊ΛaliasʹͰ͖Δɻ
CNAMEͱҟͳΓଞͷϨίʔυλΠϓͱڞଘՄೳɻ
httpssvcͱׂͷΈ͚ΛͪΌΜͱ্ͨ͠Ͱsimplifyɺͦͷ্Ͱ
WGLCɻ
Slide 27
Slide 27 text
HTTPSSVC
HTTPSଓͷࡍʹඞཁͳใΛͻͱ·ͱΊʹͨ͠Ϩίʔυ͕ཉ͠
͍
• Encrypted SNIͷͨΊͷ伴 (-> ESNI DNSϨίʔυ)
• HTTP/2͋Δ͍HTTP/3Ͱ௨৴ՄೳͰ͋Δͱ͍͏͜ͱΛࣔ͢Alt-
svc (-> HTTPϨεϙϯεϔομʹؚ·ΕΔ)
• ...
Slide 28
Slide 28 text
HTTPSSVC
example.com. 2H IN HTTPSSVC 0 0 svc.example.net.
svc.example.net. 2H IN HTTPSSVC 1 2 svc3.example.net. "hq=\":8003\" \
esnikeys=\"...\""
svc.example.net. 2H IN HTTPSSVC 1 3 svc2.example.net. "h2=\":8002\" \
esnikeys=\"...\""
(subtyping͋Δͷ্࣮໘ͳͷͰ…ʁ৽͍͠ϑΥʔϚοτ͕
ՃͰ͖Δͱ͍ͬͯઈରʹαϙʔτ͞Εͳ͍ɻྫͱͯ͠
DNSKEY)
Slide 29
Slide 29 text
RDBD
https:/
/datatracker.ietf.org/doc/draft-brotman-rdbd/
related domains by dns
υϝΠϯͷؔ࿈ͷ༗ແΛࣔ͢
dnssec-likeͳsignature
RDBD RRtype
Slide 30
Slide 30 text
DNS Resolver Information
Self-Publication
https:/
/datatracker.ietf.org/doc/draft-ietf-dnsop-resolver-information/
looking for WG adoption -> WGʹadopt͞Εͨɻ
DoHΤϯυϙΠϯτ͕ͲͷΑ͏ʹৼΔ͏͔Λࣔ͢ใΛඪ४త
ͳํ๏ͰΓ͍ͨɻDNS Resolver͕ͦͷใΛࣗΒࠂͰ͖Δɻ
Slide 31
Slide 31 text
Avoid Fragmentation
https:/
/datatracker.ietf.org/doc/draft-fujiwara-dnsop-avoid-
fragmentation/
JPRSͷ౻ݪઌੜΑΓɻΑΓϑϥάϝϯςʔγϣϯʹڧ͍TCP͕͑
ͳ͍߹ɺEDNS0ͷUDPϖΠϩʔυαΠζΛ1220(= RFC 4035ͷ࠷
)ʹͯ͠ϑϥάϝϯςʔγϣϯ͕ى͖ͳ͍Α͏ʹ͠Ζɺͱ͍͏
༰ɻ
Slide 32
Slide 32 text
draft-krecicki-dns-covert-00
"Domain Name System (DNS) Resource Record types for transferring
covert information from primary to secondaries"
ΫΤϦ͞ΕΔ͖Ͱͳ͍ใ(nsec5 keys, zsk for inline signing, ...)Λ
primary͔Βsecondaryʹzone transfer͢ΔͨΊͷํ๏ͷఏҊɻυϝ
ΠϯϨίʔυͷಋೖΛఏҊ͍ͯ͠Δ͕ɺͿͬͪΌ͚DNS RRͰΔ
ͳɺͱ͍͏ҙݟ͕ڧ͍ɻ
Slide 33
Slide 33 text
No content
Slide 34
Slide 34 text
add (Applications Doing DNS)
DoH/DoTʹؔ͢Δ͍Ζ͍ΖͳBoFɺͿͬͪΌ͚ͱͬࢄΒ͔ͬͯͨɻ
• DoHͷσϓϩΠͲ͏͖͢ʁBCP࡞Δʁ
• Ͳͷάϧʔϓ͕͜ͷΜΔͷʁ
• DNSOPͰΕɺ͚ͩͲ͜Εͬͯ"ops"͚ͩͬͨͬ
• DNSOP͕࣮࣭DNS WGͱԽͯ͠ΔͷͰϦϑΝΫλϦϯά͕ඞ
ཁͳͷͰ
Slide 35
Slide 35 text
No content
Slide 36
Slide 36 text
͓·͚: ඇٕज़ύʔτ
Slide 37
Slide 37 text
No content
Slide 38
Slide 38 text
No content
Slide 39
Slide 39 text
No content
Slide 40
Slide 40 text
No content
Slide 41
Slide 41 text
No content
Slide 42
Slide 42 text
No content
Slide 43
Slide 43 text
No content
Slide 44
Slide 44 text
No content
Slide 45
Slide 45 text
No content