DNS Encryption and Its Points of Debate @ DNS温泉番外編 (DNS Onsen special edition) in Osaka
DNS Encryption and Its Points of Debate. sylph01 / Ryo Kajiwara @ DNS温泉番外編 (DNS Onsen special edition) in Osaka, 2020/12/19
Who am I? Ryo Kajiwara (梶原 龍, sylph01). Twitter: @s01. A self-taught programmer (野生のプログラマ). I can do cryptography and the like. I live above TLS in the stack; DNS I barely understand at all.
એ"DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯज़ॻయ6(2019/4)Ͱ൦͠·ͨ͠DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺDNSSECɺDNS over TLS/HTTPS͋ͨΓͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢ࠓѻ͏DNS҉߸Խͷѻ͍ͬͯ·͢૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ൦த
Preface: This talk is not about DNSSEC. DNSSEC is signing, not encryption; it authenticates answers but leaves queries readable on the wire. By eavesdropping on DNS queries, one can collect information about an individual's preferences and beliefs, or perform blocking. DNS encryption is the countermeasure. DNS encryption is the last mile of encrypting the Internet.
For time reasons, this only skims the surface.
Pervasive Monitoring Is an Attack (RFC 7258, 2014/5)
DNS Privacy Considerations (RFC 7626, 2015/8)
DNS over TLS (DoT) (RFC 7858, 2016/5)
DNS Queries over HTTPS (DoH) (RFC 8484, 2018/10)
DoT vs DoH
• DoT uses port 853; DoH uses port 443, the same as ordinary HTTPS
• DoT can be shut off simply by blocking port 853
• DoH runs on port 443, so it cannot be distinguished from ordinary HTTPS requests
• On the other hand, DoH can still be shut off by IP-blocking the well-known DoH servers
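As an added example (not part of the slides), here is the same DNS question encoded for the two transports compared above. It shows the concrete difference the bullets rely on: DoT puts a length-prefixed wire-format message on TLS to port 853 (RFC 7858), while DoH puts the identical message, base64url-encoded, into an HTTPS GET on port 443 (RFC 8484), so only the port and the URL path separate it from web traffic, and a blocker must fall back to IP lists. The query name example.com and the /dns-query path template are assumptions (the template is the one used in the RFC 8484 examples; real servers advertise their own). Nothing is sent on the network.

```python
"""
Added example (not from the slides): one DNS query, framed for DoT and for DoH.

  * DoT (RFC 7858): DNS wire-format message, prefixed with a 2-byte big-endian
    length, carried over TLS to tcp/853. The port alone identifies the traffic.
  * DoH (RFC 8484): the same wire-format message, base64url-encoded without
    padding, carried as the `dns` query parameter of an HTTPS GET to tcp/443
    (or as a POST body with content-type application/dns-message).
"""
import base64
import struct

DOT_PORT = 853   # RFC 7858
DOH_PORT = 443   # RFC 8484 (plain HTTPS)
DOH_CONTENT_TYPE = "application/dns-message"


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS labels (length byte + label), ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Build a minimal DNS query (12-byte header + one question, qtype 1 = A).

    RFC 8484 section 4.1 recommends ID=0 for DoH so that identical queries
    produce identical URLs an HTTP cache can serve; DoT uses a normal ID.
    """
    flags = 0x0100  # QR=0 (query), RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def frame_dot(msg: bytes) -> bytes:
    """RFC 7858 section 3.3: two-octet length prefix, then the message."""
    return struct.pack("!H", len(msg)) + msg


def unframe_dot(stream: bytes) -> bytes:
    """Inverse of frame_dot for a single message at the start of the stream."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def doh_get_path(msg: bytes, template_path: str = "/dns-query") -> str:
    """RFC 8484 section 6: base64url, padding stripped, in the `dns` parameter.

    The path template is an assumption taken from the RFC's own examples.
    """
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{template_path}?dns={b64}"


def doh_decode_get(path: str) -> bytes:
    """Recover the wire-format message from a DoH GET path."""
    b64 = path.split("dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)  # restore padding for the decoder
    return base64.urlsafe_b64decode(b64)


def qname_from_message(msg: bytes) -> str:
    """Read the first question name back out of a wire-format message."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    q = build_query("example.com")  # example.com is a constructed sample name
    dot = frame_dot(q)
    doh = doh_get_path(q)
    print(f"DoT (tcp/{DOT_PORT}) bytes: {dot.hex()}")
    print(f"DoH (tcp/{DOH_PORT}) GET {doh}  Accept: {DOH_CONTENT_TYPE}")
    # Both carry exactly the same message; only the framing and port differ.
    assert unframe_dot(dot) == q == doh_decode_get(doh)
```

Run it and compare the two outputs: the DoT bytes begin with the length prefix 0x001d and would travel on a port nothing else uses, whereas the DoH line is an ordinary-looking GET whose only DNS-specific features are the `dns=` parameter and the Accept header, both inside TLS and therefore invisible to a middlebox.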
Oblivious DNS over HTTPS (ODoH): draft-pauly-dprive-oblivious-doh-00 @ 2020/10, -03 @ 2020/12
DNS over QUIC: https://adguard.com/ja/blog/dns-over-quic.html
DNSCrypt, DNSCurve, etc.: these exist, but they are not IETF-standardized, so they are omitted here
Note: the author leans toward promoting encryption.
DoT/DoH/ODoH are inconvenient for network administrators.
That is by design.
DNS encryption is inconvenient for sysadmins
• There are all sorts of reasons:
• They want to use DNS for ad-blocking and parental control
• They want to use DNS to defend against homograph attacks and typosquatting
• A service like nextdns.io does in fact exist
• Frankly, always-on HTTPS and E2EE are inconvenient for sysadmins too
DNS encryption is inconvenient for sysadmins (continued)
• But DoT/DoH/ODoH are designed for the case where the network operator is malicious:
• the provider collecting data
• an agency colluding with the provider to collect data
• "Pervasive Monitoring is an Attack"
Can we just encrypt hop by hop, stub-to-recursive and recursive-to-authoritative?
• It counters pervasive monitoring, but it is meaningless when the recursive resolver itself is malicious: it still sees every query in the clear
• Authenticating the far end is hard, because certificates for IP addresses are hard to obtain
• Encrypting without authenticating the far end (opportunistic encryption) is still enough to counter pervasive monitoring
There is a sense in which PKI-based TLS works at all largely thanks to DNS.
DNS blocking amounts to saying "I want to manage the Internet as if it were one giant intranet."
DoT/DoH push the Internet toward centralization
• How do DoT/DoH servers get chosen?
• What is a trustworthy DoT/DoH server?
• Aren't DoT/DoH just shifting the object of trust from the network operator to the DoT/DoH server operator?
• What if the DoT/DoH server operator turns evil?
Summary
• Eavesdropping on DNS queries is a problem, so DNS encryption was born
• DNS over TLS (DoT) and DNS Queries over HTTPS (DoH) are the main techniques
• Encryption is inconvenient for sysadmins, but that is by design
• What is trust, anyway?
Questions?send to @s01 on Twitter