Today's topics
• Background of this investigation
• DNS Queries over HTTPS (ietf-doh)
• Google Public DNS's DNS over HTTPS
• DNS over TLS (RFC7858)
• DNS over DTLS (RFC8094)
• DNS over dedicated QUIC connections
• Summary
What doh aims for
✓ Solve the privacy problem in DNS traffic by encrypting the communication end-to-end
➢ DNS traffic often runs into end-to-end connectivity problems, but HTTPS usually gets through
➢ In wording like this I sense the worry that DNSoTLS (covered later) and the like will be hard to get used
"DNS queries sometimes experience problems with end to end connectivity at times and places where HTTPS flows freely."
doh's HTTP request
✓ The URI the query is sent to
➢ Up to -02 it was written like this
➢ In -03 it became this:
"Configuration and discovery of the URI is done out of band from this protocol. A client can be configured with a DNS API URI, or it can discover the URI. This document defines a well-known URI path of "/.well-known/dns-query" so that a discovery process that produces a domain name or domain name and port can be used to construct the DNS API URI."
Discovery of doh servers
✓ Not done yet. I feel this is pointless unless authentication of the server is considered here as well.
[[ From the WG charter: The working group may define mechanisms for discovery of DOH servers similar to existing mechanisms for discovering other DNS servers if the chairs determine that there is both sufficient interest and working group consensus. ]]
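As an added example (not code from the slides or from any DoH implementation), this client-side helper turns what a discovery process hands back, a domain name or a domain name and port as the -03 text puts it, into the DNS API URI on the "/.well-known/dns-query" path, and encodes a wire-format query into a GET request on that URI. The GET form with a padding-free base64url `dns` parameter follows the encoding later standardised in RFC 8484, which the slides do not cover; the host name is constructed for the example.

```python
import base64
import struct

# Constructed for this example: what a discovery process might hand the client.
DISCOVERED_HOST = "doh.example.net"
# Well-known path defined in draft-ietf-doh-dns-over-https-03.
WELL_KNOWN_PATH = "/.well-known/dns-query"

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "TXT": 16, "AAAA": 28}

def build_dns_api_uri(host, port=None):
    """Turn the discovery result (name, or name and port) into the DNS API URI."""
    authority = host if port is None or port == 443 else f"{host}:{port}"
    return f"https://{authority}{WELL_KNOWN_PATH}"

def encode_qname(name):
    """Encode a domain name as DNS labels, enforcing the wire-format limits."""
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("qname exceeds 255 octets")
    return out

def build_dns_query(name, qtype="A", msg_id=0):
    """Wire-format query: 12-byte header (RD set, QDCOUNT=1) plus one question.
    ID 0 keeps the GET URI identical across clients so HTTP caches can share it."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", QTYPE[qtype], 1)
    return header + question

def doh_get_url(host, name, qtype="A", port=None):
    """GET form: the query rides in the 'dns' parameter, base64url without padding."""
    wire = build_dns_query(name, qtype)
    dns_param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{build_dns_api_uri(host, port)}?dns={dns_param}"

if __name__ == "__main__":
    print(doh_get_url(DISCOVERED_HOST, "www.example.com"))
```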
Scope of DNS over TLS
✓ As expected, between the client and the caching (recursive) DNS server
✓ It explicitly states that the caching DNS server to authoritative DNS server leg is out of scope
✓ If that is DPRIVE's scope, then doh is presumably the same...
"The protocol described here works for queries and responses between stub clients and recursive servers. It might work equally between recursive clients and authoritative servers, but this application of the protocol is out of scope for the DNS PRIVate Exchange (DPRIVE) Working Group per its current charter."
Bonus) Charter of the DPRIVE WG
"The primary focus of this Working Group is to develop mechanisms that provide confidentiality between DNS Clients and Iterative Resolvers, but it may also later consider mechanisms that provide confidentiality between Iterative Resolvers and Authoritative Servers, or provide end-to-end confidentiality of DNS transactions."
✓ If that is DPRIVE's scope, the feeling is that doh and DNSoTLS are both the same in this respect
https://datatracker.ietf.org/wg/dprive/about/
The cost of TLS session establishment
✓ The question is how to reduce the cost of establishing a TLS session, and this is the crux of it.
✓ We also have to think about a resolver library implementation that includes lifecycle management of the sessions it has opened, don't we...
"For DNS clients that use library functions such as "getaddrinfo()" and "gethostbyname()", current implementations are known to open and close TCP connections for each DNS query."
Performance issues of DNS over TLS
✓ Latency, including TLS setup time
✓ TLS/TCP session management
✓ Cost of TLS cryptographic processing
✓ Number of concurrent connections (number of clients)
There are considerations such as these, but apparently:
"A full performance evaluation is outside the scope of this specification. A more detailed analysis of the performance implications of DNS over TLS (and DNS over TCP) is discussed in [TDNS] and [RFC7766]."
DNS over DTLS
✓ TLS runs over TCP, DTLS over UDP
✓ Uses UDP port 853
✓ The PMTUD problem follows it around
✓ Seriously...
"DNS over DTLS alone cannot provide privacy for DNS messages in all circumstances, specifically when the DTLS record size is larger than the path MTU. In such situations, the DNS server will respond with a truncated response (see Section 5)."