Slide 1
Slide 1 text
DNS҉߸Խͱͦͷ
sylph01 / Ryo Kajiwara
@ DNSԹઘ൪֎ฤ in େࡕ,
2020/12/19
Slide 2
Slide 2 text
୭ʁ
ֿݪ ཾ(sylph01)
Twitter: @s01
ੜͷϓϩάϥϚ
҉߸ͱ͔Ͱ͖·͢
TLSΑΓ্ͷ
DNS·ΔͰΘ͔ΒΜ
Slide 3
Slide 3 text
એ
"DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ
ज़ॻయ6(2019/4)Ͱ൦͠·ͨ͠
DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ
DNSSECɺDNS over TLS/HTTPS͋ͨΓ
ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ
ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢
ࠓѻ͏DNS҉߸Խͷѻ͍ͬͯ·͢
૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ
൦த
Slide 4
Slide 4 text
No content
Slide 5
Slide 5 text
preface
DNSSECͷͰͳ͍ɻ DNSSECॺ໊Ͱ͋ͬͯ҉߸ԽͰͳ͍ɻ
DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂɾࢥʹؔ͢ΔใΛऩू͢
Δ͜ͱ͕Մೳɺ͋Δ͍ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର
ࡦͱͯ͠ͷDNS҉߸Խɻ
DNS҉߸ԽΠϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ
Slide 6
Slide 6 text
࣌ؒతʹද໘ͳͧΔͩ
͚Ͱ͢
Slide 7
Slide 7 text
Pervasive Monitoring is
an Attack
RFC 7258
2014/5
Slide 8
Slide 8 text
DNS Privacy
Considerations
RFC 7626
2015/8
Slide 9
Slide 9 text
No content
Slide 10
Slide 10 text
DNS over TLS (DoT)
RFC 7858
2016/5
Slide 11
Slide 11 text
DNS Queries over
HTTPS (DoH)
RFC 8484
2018/10
Slide 12
Slide 12 text
DoT vs DoH
• DoTport 853Λ͏ɺDoHHTTPSͱಉ༷port 443Λ͏
• DoTport 853ͷϒϩοΩϯάͰՄೳ
• DoHport 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ
Ͱ͖ͳ͍
• ҰํͰΑ͘ΒΕ͍ͯΔDoHରԠαʔόʔͷIPϒϩοΩ
ϯάΛߦ͑Մೳ
Slide 13
Slide 13 text
Oblivious DNS over
HTTPS
draft-pauly-dprive-oblivious-doh
-00 @ 2020/10, -03 @ 2020/12
Slide 14
Slide 14 text
No content
Slide 15
Slide 15 text
No content
Slide 16
Slide 16 text
DNS over QUIC
https:/
/adguard.com/ja/blog/dns-
over-quic.html
Slide 17
Slide 17 text
DNSCrypt, DNSCurve
…ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ
ͳ͍ͷͰུ
Slide 18
Slide 18 text
No content
Slide 19
Slide 19 text
Slide 20
Slide 20 text
:
චऀ҉߸ԽਪਐدΓ
Ͱ͢
Slide 21
Slide 21 text
DoT/DoH/ODoH
ωοτϫʔΫཧऀʹ
ͱͬͯ߹͕ѱ͍
Slide 22
Slide 22 text
ͦΕ
༷Ͱ͢
Slide 23
Slide 23 text
DNS҉߸Խsysadminʹ
߹͕ѱ͍
• ॾʑͷࣄ
• DNSΛͬͯad-blocking, parental controlΛ͍ͨ͠
• DNSΛͬͯϗϞάϥϑ߈ܸtyposquatting͔ΒӴ͍ͨ͠
• nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ
• ͿͬͪΌ͚ ৗ࣌HTTPSԽE2EEsysadminʹ߹͕ѱ͍
Slide 24
Slide 24 text
DNS҉߸Խsysadminʹ
߹͕ѱ͍
• ͔͠͠DoT/DoH/ODoHωοτϫʔΫཧऀ͕ѱҙΛ͍࣋ͬͯ
ΔέʔεΛఆͯ͠σβΠϯ͞Ε͍ͯΔ
• ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε
• ϓϩόΠμͱ݁ୗͯ͠ػ͕ؔσʔλΛऩू͢Δέʔε
• "Pervasive Monitoring is an Attack"
Slide 25
Slide 25 text
stub-recursive, recursive-
authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ
Ͱ͖Δ͔ʁ
• pervasive monitoringͷରࡦʹͳΔɺrecursive͕ѱҙͷ͋Δέʔ
εҙຯͳ͍
• IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘ଓઌೝূ͕ࠔ
• ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Εpervasive
monitoringͷରࡦՄೳ
Slide 26
Slide 26 text
PKIΛͬͨTLSཱ͕
͢ΔͷׂͱDNSͷ͓
͔͛Έ͍ͨͳͱ͜Ζ͕
͋Δ
Slide 27
Slide 27 text
DNSϒϩοΩϯάͱ
ʮΠϯλʔωοτΛڊ
େͳΠϯτϥωοτͱ
Έͳͯ͠ཧ͍ͨ͠ʯ
ͱ͍͏͜ͱʹ૬
Slide 28
Slide 28 text
DoT/DoHΠϯλʔωοτͷ
தԝूݖԽΛଅ͢
• DoT/DoHαʔόʔͲ͏ͬͯબ͞ΕΔͷʁ
• ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱʁ
• DoT/DoH৴༻ͷΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ
όʔӡ༻ऀʹԡ͚͍ͯ͠Δ͚ͩͰͳ͍͔ʁ
• DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ
Slide 29
Slide 29 text
No content
Slide 30
Slide 30 text
·ͱΊ
• DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ
• DNS over TLS (DoT), DNS Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ
ख๏ͩΑ
• ҉߸Խ͞ΕΔͱsysadminʹ߹͕ѱ͍ɺ͚Ͳ༷ͩΑ
• ৴༻ͬͯԿͩΖ͏
Slide 31
Slide 31 text
Questions?
send to @s01 on Twitter