DNS Encryption and Its Controversies
sylph01
December 19, 2020
DNS Encryption and Its Controversies @ DNS Onsen Extra Edition in Osaka
Transcript
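DNS Encryption and Its Controversies. sylph01 / Ryo Kajiwara @ DNS Onsen Extra Edition in Osaka, 2020/12/19
Who? Ryo Kajiwara (sylph01) • Twitter: @s01 • Programmer • Can do cryptography and the like • Things above TLS • DNS: no idea at all
Advertisement • I wrote a book called "DNSDNS Resolution" and distributed it at Gijutsu Shoten 6 (Techbookfest 6, 2019/4) • It covers topics related to DNS security and privacy, such as attacks on DNS, DNS blocking, DNSSEC, and DNS over TLS/HTTPS • It also covers DNS encryption, the topic of today's talk • The expanded edition, "append mix", is being distributed on BOOTH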
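Preface • This is not a talk about DNSSEC. DNSSEC is signing, not encryption. • Eavesdropping on DNS queries makes it possible to collect information about an individual's preferences and beliefs, or to carry out blocking. DNS encryption is the countermeasure. • DNS encryption is the last one mile of Internet encryption.
Given the time available, this talk only skims the surface.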
Pervasive Monitoring is an Attack RFC 7258 2014/5
DNS Privacy Considerations RFC 7626 2015/8
DNS over TLS (DoT) RFC 7858 2016/5
DNS Queries over HTTPS (DoH) RFC 8484 2018/10
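DoT vs DoH • DoT uses port 853; DoH uses port 443, the same as HTTPS • DoT can be blocked by blocking port 853 • DoH uses port 443, so it cannot be distinguished from ordinary HTTPS requests • On the other hand, DoH can be blocked by IP-blocking the well-known DoH servers
Oblivious DNS over HTTPS • draft-pauly-dprive-oblivious-doh: -00 @ 2020/10, -03 @ 2020/12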
DNS over QUIC • https://adguard.com/ja/blog/dns-over-quic.html
DNSCrypt, DNSCurve • These exist, but they are not standardized at the IETF, so they are omitted here
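Note: the author leans toward promoting encryption.
DoT/DoH/ODoH are inconvenient for network administrators
That is by design
DNS encryption is inconvenient for sysadmins • Various circumstances • They want to use DNS for ad-blocking and parental control • They want to use DNS to defend against homograph attacks and typosquatting • A service called nextdns.io does in fact exist • Frankly, always-on HTTPS and E2EE are inconvenient for sysadmins too
DNS encryption is inconvenient for sysadmins • However, DoT/DoH/ODoH are designed on the assumption that the network administrator may be malicious • Cases where the provider collects data • Cases where an agency colludes with the provider to collect data • "Pervasive Monitoring is an Attack"
Can we encrypt only the stub-recursive and recursive-authoritative hops? • It counters pervasive monitoring, but it is meaningless when the recursive resolver is malicious • The hurdle for obtaining IP address certificates is high, which makes authenticating the peer difficult • Encrypting without authenticating the peer is still a possible countermeasure against pervasive monitoring
In a sense, TLS with PKI works largely thanks to DNS
DNS blocking amounts to "wanting to treat the Internet as a giant intranet and manage it"
DoT/DoH encourage centralization of the Internet • How are DoT/DoH servers chosen? • What is a trustworthy DoT/DoH server? • Aren't DoT/DoH merely pushing the question of trust from network operators onto DoT/DoH server operators? • What if a DoT/DoH server operator turns evil?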
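Summary • Eavesdropping on DNS queries is a problem, so DNS encryption was born • DNS over TLS (DoT) and DNS Queries over HTTPS (DoH) are the main methods • Encryption is inconvenient for sysadmins, but that is by design • What is trust, anyway?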
Questions? send to @s01 on Twitter