Debugging DDR for Encrypted DNS with Ruby Taketo Takashima (@taketo1113) 

About me Taketo Takashima @taketo1113 (GitHub/X) Web Application Engineer Co-founder of fukui.rb A member of ShowNet NOC Team 

✦ Traditional DNS name resolution uses UDP port 53 (Do53) ✦ Encryption mechanisms have emerged for privacy and security ✦ Protocols ✦ DNS over HTTPS (DoH) ✦ DNS over TLS (DoT) ✦ DNS over QUIC (DoQ) Encrypted DNS Client DNS Resolver Encrypted (HTTPS/TLS/QUIC) 

✦ No con fi guration needed ✦ (if using the RubyKaigi network or a Public DNS) ✦ The web browser or OS automatically upgrades to an encrypted DNS resolver using DDR ✦ Or Manual con fi guration via browser or OS settings How to Use Encrypted DNS? 

Discovery of Designated Resolvers (DDR) 

About Discovery of Designated Resolvers (DDR) ✦ A set of mechanisms for DNS clients to use DNS records to discover a resolver's encrypted DNS con fi guration. ✦ RFC 9462 ✦ https://www.rfc-editor.org/ rfc/rfc9462.html 

✦ (1) Discovery Using Resolver IP Addresses ✦ DNS Query: SVCB _dns.resolver.arpa. (UDP/53) ✦ (2) Veri fi ed Discovery ✦ Certi fi cation Path Validation ✦ Subject Alternative Name (SAN) ✦ (3) Use of Designated Resolvers ✦ Encrypted DNS: DoH(h1.1, h2, h3), DoT, or DoQ How DDR Works _dns.resolver.arpa. SVCB 1 dns.example.com. alpn="h2,h3" dohpath="/dns-query{?dns}" _dns.resolver.arpa. SVCB 2 dns.example.com. alpn="dot" Client DNS Resolver (1) Encrypted DNS Resolver (3) (2) 

✦ Di ffi cult to verify due to the wide variety of possible combinations Challenges in Verifying DDR (1) DNS Service Type (DoH/DoT/DoQ) Resolver IP Addresses (IPv4/IPv6) Verified Discovery × × DoH(h1.1) DoH(h2) DoH(h3) DoT DoQ 203.0.113.1 203.0.113.2 2001:db8::1 2001:db8::2 Example: dns.example.com × = 20 patterns 

Challenges in Verifying DDR (2) ✦ Unclear which resolver/ service is used from the application side (e.g., web browser) ✦ Encrypted tra ffi c makes packet capture analysis di ffi cult Which protocol is being used for name resolution? UDP/53, DoH/1.1, DoH/2, DoH/3, DoT or DoQ Web developer tools (Firefox v137) 

Implementing a DDR Debugging Tool 

✦ DDR client / DNS client ✦ Output of a list of resolvers/protocols distributed by DDR, as well as name resolution with each resolver. ✦ https://github.com/taketo1113/ddig ddig gem 

✦ List of Designated Resolvers and Veri fi cation Results Usage $ ddig --ddr dot: dns.google:853 (8.8.4.4), unencrypted_resolver: 8.8.8.8, verify cert: true dot: dns.google:853 (8.8.8.8), unencrypted_resolver: 8.8.8.8, verify cert: true h2: dns.google:443 (8.8.8.8), path: /dns-query{?dns}, unencrypted_resolver: 8.8.8.8, verify cert: true h2: dns.google:443 (8.8.4.4), path: /dns-query{?dns}, unencrypted_resolver: 8.8.8.8, verify cert: true h3: dns.google:443 (8.8.4.4), path: /dns-query{?dns}, unencrypted_resolver: 8.8.8.8, verify cert: true h3: dns.google:443 (8.8.8.8), path: /dns-query{?dns}, unencrypted_resolver: 8.8.8.8, verify cert: true # SERVER: 8.8.8.8 

✦ Name Resolution Results from All Designated Resolvers ✦ Supported Protocols ✦ UDP(Do53) ✦ DoH(h1.1) ✦ DoT ✦ DoH(h2/h3) and DoQ ✦ Not yet implemented Usage $ ddig rubykaigi.org # Do53 (IPv4) rubykaigi.org A 3.165.11.52 rubykaigi.org A 3.165.11.86 ... rubykaigi.org AAAA 2600:9000:26ef:3000:7:104e:1d80:93a1 rubykaigi.org AAAA 2600:9000:26ef:3600:7:104e:1d80:93a1 ... # SERVER: 8.8.8.8 # DDR ## DDR (#0) - dot: dns.google:853 (8.8.8.8), unencrypted_resolver: 8.8.8.8, verify cert: true rubykaigi.org A 3.165.11.36 rubykaigi.org A 3.165.11.52 ... rubykaigi.org AAAA 2600:9000:26ef:e600:7:104e:1d80:93a1 rubykaigi.org AAAA 2600:9000:26ef:9000:7:104e:1d80:93a1 ... # SERVER(Address): 8.8.8.8 # PORT: 853 ## DDR (#2) - h2: dns.google:443 (8.8.8.8), path: /dns-query{?dns}, unencrypted_resolver: 8.8.8.8, verify cert: true rubykaigi.org A 3.165.11.52 rubykaigi.org A 3.165.11.36 ... rubykaigi.org AAAA 2600:9000:26ef:600:7:104e:1d80:93a1 rubykaigi.org AAAA 2600:9000:26ef:3000:7:104e:1d80:93a1 ... # SERVER(Hostname): 8.8.8.8 # SERVER(Path): /dns-query{?dns} # PORT: 443 …(skip) 

Troubleshooting DDR Deployment at ShowNet 2024 

✦ The largest annual exhibition of Internet Technologies in Japan ✦ Over 200 booths and about 120,000 visitors for 3 days ✦ About 270 sessions in the exhibition and Interop conference ✦ Interop Tokyo 

✦ The Live Demonstration Network built at Interop Tokyo ✦ Conducting interoperability tests and demonstrations of the latest networking technologies every year ✦ Providing internet connectivity for Interop exhibitors and visitors ✦ Deploying DDR in the DNS service provided at ShowNet 2024 ShowNet 

✦ DDR enabled, but name resolution via DoH doesn't work ✦ Typo: DoH server name :-) ✦ Certi fi cate veri fi cation error: server certi fi cate not properly deployed ✦ DDR worked fi ne in production at ShowNet 2024! Troubles Encountered During Setup $ ddig --ddr h2: cache.svc.inteorp-tokyo.net:443 (45.0.194.14), path: /dns-query{?dns}, verify cert: false h3: cache.svc.interop-tokyo.net:443 (45.0.194.14), path: /dns-query{?dns}, verify cert: false dot: cache.svc.interop-tokyo.net:853 (45.0.194.14), verify cert: true 

Conclusion Developed a Debugging DDR Tool Successfully provided DDR as a service at ShowNet 2024 Try DDR in action over the RubyKaigi Wi-Fi! 

✦ RubyKaigi NOC Team ✦ Provided the Wi-Fi network that enables DDR ✦ Debugging the DDR Debugging Tool at RubyKaigi 2024 & 2025 Special Thanks