Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DNS Encryption and Its Controversies

sylph01
December 19, 2020
Technology
0
720

DNS Encryption and Its Controversies

DNS暗号化とその論点 @ DNS温泉番外編 in 大阪

sylph01

December 19, 2020
Tweet

More Decks by sylph01

See All by sylph01
"Actual" Security in Microcontroller Ruby!?
sylph01
0
66
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
12
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
200
Adding Security to Microcontroller Ruby
sylph01
2
3.2k
Secure Messaging at IETF 118
sylph01
0
73
Adventures in the Dungeons of OpenSSL
sylph01
0
480
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
300
Build and Learn Rails Authentication
sylph01
8
2k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
280

Other Decks in Technology

See All in Technology
alecthomas/kong はいいぞ / kamakura.go#7
fujiwara3
1
300
NW-JAWS #14 re:Invent 2024(予選落ち含)で 発表された推しアップデートについて
nagisa53
0
250
フロントエンド設計にモブ設計を導入してみた / 20241212_cloudsign_TechFrontMeetup
bengo4com
0
1.9k
WACATE2024冬セッション資料(ユーザビリティ)
scarletplover
0
190
AWS re:Invent 2024で発表された コードを書く開発者向け機能について
maruto
0
190
LINEヤフーのフロントエンド組織・体制の紹介【24年12月】
lycorp_recruit_jp
0
530
新機能VPCリソースエンドポイント機能検証から得られた考察
duelist2020jp
0
210
複雑性の高いオブジェクト編集に向き合う: プラガブルなReactフォーム設計
righttouch
PRO
0
110
10分で学ぶKubernetesコンテナセキュリティ/10min-k8s-container-sec
mochizuki875
3
330
Oracle Cloud Infrastructure:2024年12月度サービス・アップデート
oracle4engineer
PRO
0
170
watsonx.ai Dojo #5 ファインチューニングとInstructLAB
oniak3ibm
PRO
0
160
マルチプロダクト開発の現場でAWS Security Hubを1年以上運用して得た教訓
muziyoshiz
2
2.2k

Featured

See All Featured
Writing Fast Ruby
sferik
628
61k
Done Done
chrislema
181
16k
A Philosophy of Restraint
colly
203
16k
Docker and Python
trallard
42
3.1k
Building Better People: How to give real-time feedback that sticks.
wjessup
365
19k
Testing 201, or: Great Expectations
jmmastey
40
7.1k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
The Cult of Friendly URLs
andyhume
78
6.1k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
2
290
How STYLIGHT went responsive
nonsquared
95
5.2k
Site-Speed That Sticks
csswizardry
2
190
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.2k

Transcript

  1. DNS҉߸Խͱͦͷ࿦఺ sylph01 / Ryo Kajiwara @ DNSԹઘ൪֎ฤ in େࡕ, 2020/12/19

  2. ୭ʁ ֿݪ ཾ(sylph01) Twitter: @s01 ໺ੜͷϓϩάϥϚ ҉߸ͱ͔Ͱ͖·͢ TLSΑΓ্ͷ૚ DNS·ΔͰΘ͔ΒΜ

  3. એ఻ "DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ ज़ॻయ6(2019/4)Ͱ൦෍͠·ͨ͠ DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ DNSSECɺDNS over TLS/HTTPS͋ͨΓ ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ

    ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢ ࠓ೔ѻ͏DNS҉߸Խͷ࿩΋ѻ͍ͬͯ·͢ ૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ ൦෍த
  4. None

  5. preface DNSSECͷ࿩Ͱ͸ͳ͍ɻ DNSSEC͸ॺ໊Ͱ͋ͬͯ҉߸ԽͰ͸ͳ͍ɻ DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂ޷ɾࢥ૝ʹؔ͢Δ৘ใΛऩू͢ Δ͜ͱ͕Մೳɺ͋Δ͍͸ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର ࡦͱͯ͠ͷDNS҉߸Խɻ DNS҉߸Խ͸Πϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ

  6. ࣌ؒతʹද໘ͳͧΔͩ ͚Ͱ͢

  7. Pervasive Monitoring is an Attack RFC 7258 2014/5

  8. DNS Privacy Considerations RFC 7626 2015/8

  9. None

  10. DNS over TLS (DoT) RFC 7858 2016/5

  11. DNS Queries over HTTPS (DoH) RFC 8484 2018/10

  12. DoT vs DoH • DoT͸port 853Λ࢖͏ɺDoH͸HTTPSͱಉ༷port 443Λ࢖͏ • DoT͸port 853ͷϒϩοΩϯάͰ๦֐Մೳ

    • DoH͸port 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ Ͱ͖ͳ͍ • ҰํͰΑ͘஌ΒΕ͍ͯΔDoHରԠαʔόʔ΁ͷIPϒϩοΩ ϯάΛߦ͑͹๦֐Մೳ

  13. Oblivious DNS over HTTPS draft-pauly-dprive-oblivious-doh -00 @ 2020/10, -03 @

    2020/12
  14. None
  15. None

  16. DNS over QUIC https:/ /adguard.com/ja/blog/dns- over-quic.html

  17. DNSCrypt, DNSCurve …͸ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ ͳ͍ͷͰུ

  18. None

  19. ࿦఺

  20. ஫: චऀ͸҉߸ԽਪਐدΓ Ͱ͢

  21. DoT/DoH/ODoH͸ ωοτϫʔΫ؅ཧऀʹ ͱͬͯ౎߹͕ѱ͍

  22. ͦΕ͸ ࢓༷Ͱ͢

  23. DNS҉߸Խ͸sysadminʹ౎ ߹͕ѱ͍ • ॾʑͷࣄ৘ • DNSΛ࢖ͬͯad-blocking, parental controlΛ͍ͨ͠ • DNSΛ࢖ͬͯϗϞάϥϑ߈ܸ΍typosquatting͔Β๷Ӵ͍ͨ͠

    • nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ • ͿͬͪΌ͚ ৗ࣌HTTPSԽ΍E2EE΋sysadminʹ౎߹͕ѱ͍

  24. DNS҉߸Խ͸sysadminʹ౎ ߹͕ѱ͍ • ͔͠͠DoT/DoH/ODoH͸ωοτϫʔΫ؅ཧऀ͕ѱҙΛ͍࣋ͬͯ ΔέʔεΛ૝ఆͯ͠σβΠϯ͞Ε͍ͯΔ • ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε • ϓϩόΠμͱ݁ୗͯ͠੓෎ػ͕ؔσʔλΛऩू͢Δέʔε •

    "Pervasive Monitoring is an Attack"

  25. stub-recursive, recursive- authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ ͸Ͱ͖Δ͔ʁ • pervasive monitoringͷରࡦʹ͸ͳΔɺrecursive͕ѱҙͷ͋Δέʔ ε͸ҙຯͳ͍ • IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘઀ଓઌೝূ͕ࠔ೉

    • ઀ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Ε͹pervasive monitoringͷରࡦ͸Մೳ

  26. PKIΛ࢖ͬͨTLS͕੒ཱ ͢Δͷ΋ׂͱDNSͷ͓ ͔͛Έ͍ͨͳͱ͜Ζ͕ ͋Δ

  27. DNSϒϩοΩϯάͱ͸ ʮΠϯλʔωοτΛڊ େͳΠϯτϥωοτͱ Έͳͯ͠؅ཧ͍ͨ͠ʯ ͱ͍͏͜ͱʹ૬౰

  28. DoT/DoH͸Πϯλʔωοτͷ தԝूݖԽΛଅ͢ • DoT/DoHαʔόʔ͸Ͳ͏΍ͬͯબ୒͞ΕΔͷʁ • ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱ͸ʁ • DoT/DoH͸৴༻ͷ໰୊ΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ όʔӡ༻ऀʹԡ͠෇͚͍ͯΔ͚ͩͰ͸ͳ͍͔ʁ •

    DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ
  29. None

  30. ·ͱΊ • DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ • DNS over TLS (DoT), DNS

    Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ ख๏ͩΑ • ҉߸Խ͞ΕΔͱsysadminʹ౎߹͕ѱ͍ɺ͚Ͳ࢓༷ͩΑ • ৴༻ͬͯԿͩΖ͏

  31. Questions? send to @s01 on Twitter