DNS Encryption and Its Controversies

sylph01
December 19, 2020

DNS暗号化とその論点 @ DNS温泉番外編 in 大阪
(DNS Encryption and Its Controversies, at the DNS温泉 special edition in Osaka)



Transcript

  1. DNS Encryption and Its Controversies
    sylph01 / Ryo Kajiwara
    @ DNS温泉番外編 (DNS温泉 special edition) in Osaka,
    2020/12/19

  2. Who?
    Ryo Kajiwara (梶原 龍, sylph01)
    Twitter: @s01
    Programmer in the wild
    Can do cryptography and the like
    Works at the layers above TLS
    Doesn't understand DNS at all

  3. Promotion
    I wrote a book called "DNSDNS Resolution" and
    distributed it at 技術書典6 (April 2019)
    It covers DNS security and privacy topics such as
    attacks against DNS, DNS blocking,
    DNSSEC, and DNS over TLS/HTTPS
    It also covers DNS encryption, today's topic
    The expanded edition, "append mix", is now
    available on BOOTH

  4. (image-only slide)

  5. preface
    This is not a talk about DNSSEC. DNSSEC is signing, not encryption.
    By eavesdropping on DNS queries, one can collect information about an
    individual's preferences and beliefs, or carry out blocking.
    DNS encryption is the countermeasure.
    DNS encryption is the last mile of encrypting the Internet.
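To make the eavesdropping point concrete, here is an added example (not part of the slides) that builds a plaintext DNS query in RFC 1035 wire format and then decodes the queried name the way any passive on-path observer could. The sample hostnames are constructed; the function names `build_query`, `parse_qname` and `observed_names` are this example's own.

```python
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query message (RFC 1035 wire format).

    Constructed for this example: a header with RD set and one question,
    no answer, authority or additional records.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        encoded = label.encode("ascii")
        if not 0 < len(encoded) < 64:
            raise ValueError("label length must be 1..63 octets")
        question += bytes([len(encoded)]) + encoded
    question += b"\x00"                        # root label terminates the name
    question += struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    return header + question


def parse_qname(packet: bytes) -> str:
    """Return the queried name from a plaintext DNS query packet.

    Only the question section is decoded. A compression pointer (top two
    bits 0b11) never appears in the first QNAME of a query, so it is an error.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query QNAME")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def observed_names(packets):
    """What a passive on-path observer learns from a batch of plaintext DNS
    queries over UDP/53: every hostname, with no key or cooperation needed."""
    return [parse_qname(p) for p in packets]


# Constructed sample traffic, as a stub resolver would send it over UDP/53.
SAMPLE_QUERIES = [
    build_query(n) for n in ("example.com", "news.example.net", "mail.example.org")
]

if __name__ == "__main__":
    for name in observed_names(SAMPLE_QUERIES):
        print(name)
```

The list that `observed_names` returns is exactly the data that DoT and DoH remove from the wire; nothing about the parser is special, which is the point.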

  6. Given the time, I will only skim the surface

  7. Pervasive Monitoring is an Attack
    RFC 7258
    2014/5

  8. DNS Privacy Considerations
    RFC 7626
    2015/8

  9. (image-only slide)

  10. DNS over TLS (DoT)
    RFC 7858
    2016/5

  11. DNS Queries over HTTPS (DoH)
    RFC 8484
    2018/10

  12. DoT vs DoH
    • DoT uses port 853; DoH uses port 443, the same port as HTTPS
    • DoT can be disrupted by blocking port 853
    • Because DoH uses port 443, it cannot be distinguished from ordinary
    HTTPS requests
    • On the other hand, it can be disrupted by IP-blocking the well-known
    DoH servers
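The following is an added example (not from the slides) that applies the four bullets above to constructed flow records: a port/IP-level observer can label DoT by its dedicated port, can label DoH only when the destination is on a list of known resolvers, and otherwise cannot tell DoH from HTTPS. The resolver addresses are RFC 5737 documentation addresses chosen for the example, and `Flow`, `classify`, `summarize` and `apply_blocking` are this example's own names.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed for this example: resolver IPs the network operator knows serve
# DoH on 443. RFC 5737 documentation addresses, not real resolvers.
KNOWN_DOH_RESOLVERS = {"192.0.2.53", "198.51.100.53"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


def classify(flow: Flow, known_doh=KNOWN_DOH_RESOLVERS) -> str:
    """Label a flow by what a port/IP-level observer can tell about it."""
    if flow.dst_port == 53:
        return "plaintext-dns"
    if flow.dst_port == 853 and flow.proto == "tcp":
        return "dot"                      # RFC 7858 dedicated port: trivially identified
    if flow.dst_port == 443 and flow.proto == "tcp":
        if flow.dst_ip in known_doh:
            return "doh-known-resolver"   # only catchable through an IP list
        return "https-or-doh"             # indistinguishable at this layer
    return "other"


def summarize(flows):
    """Count flows per label; useful as a quick view of what a sensor sees."""
    return Counter(classify(f) for f in flows)


def apply_blocking(flows, block_dot=True, block_known_doh=True):
    """Simulate the two disruption options the slide names and report which
    encrypted-DNS flows are blocked and which cannot be singled out."""
    blocked, unresolved = [], []
    for f in flows:
        label = classify(f)
        if (label == "dot" and block_dot) or (label == "doh-known-resolver" and block_known_doh):
            blocked.append(f)
        elif label == "https-or-doh":
            # Might be DoH to an unlisted resolver, might be a web page:
            # blocking it means blocking HTTPS in general.
            unresolved.append(f)
    return blocked, unresolved


# Constructed sample flow records from one client.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.1", 53, "udp"),
    Flow("10.0.0.5", "192.0.2.53", 853, "tcp"),
    Flow("10.0.0.5", "192.0.2.53", 443, "tcp"),
    Flow("10.0.0.5", "203.0.113.10", 443, "tcp"),
    Flow("10.0.0.5", "203.0.113.10", 80, "tcp"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    blocked, unresolved = apply_blocking(SAMPLE_FLOWS)
    print("blocked:", [f.dst_ip + ":" + str(f.dst_port) for f in blocked])
    print("cannot be told apart from HTTPS:", [f.dst_ip for f in unresolved])
```

The `unresolved` list is the slide's third bullet in code form: the flow to 203.0.113.10:443 could be DoH to a resolver the operator has never heard of, and the only way to stop it with port/IP blocking is to stop all HTTPS to that host.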

  13. Oblivious DNS over HTTPS
    draft-pauly-dprive-oblivious-doh
    -00 @ 2020/10, -03 @ 2020/12

  14. (image-only slide)

  15. (image-only slide)

  16. DNS over QUIC
    https://adguard.com/ja/blog/dns-over-quic.html

  17. DNSCrypt, DNSCurve
    …exist, but are not standardized by the IETF, so they are omitted here

  18. (image-only slide)

  19. Points of contention

  20. Note:
    the author leans toward promoting encryption

  21. DoT/DoH/ODoH are inconvenient for network administrators

  22. That is by design

  23. DNS encryption is inconvenient for sysadmins
    • Various reasons
    • They want to use DNS for ad-blocking and parental control
    • They want to use DNS to defend against homograph attacks and typosquatting
    • A service called nextdns.io actually exists
    • Frankly, always-on HTTPS and E2EE are inconvenient for sysadmins too

  24. DNS encryption is inconvenient for sysadmins
    • But DoT/DoH/ODoH are designed for the case where the network
    administrator is malicious
    • The case where the provider collects data
    • The case where a government agency colludes with the provider to collect data
    • "Pervasive Monitoring is an Attack"

  25. Can we encrypt only the stub-recursive and recursive-authoritative hops?
    • It does counter pervasive monitoring, but is meaningless when the
    recursive resolver is malicious
    • Obtaining certificates for IP addresses is a high hurdle, so authenticating the peer is difficult
    • If we encrypt without authenticating the peer, countering pervasive
    monitoring is still possible

  26. That PKI-based TLS works at all is, to a fair degree, thanks to DNS

  27. DNS blocking amounts to wanting to treat the Internet as one giant intranet and manage it as such

  28. DoT/DoH encourage centralization of the Internet
    • How are DoT/DoH servers chosen?
    • What is a trustworthy DoT/DoH server?
    • Aren't DoT/DoH merely shifting the trust problem from the network operator
    onto the DoT/DoH server operator?
    • What if the DoT/DoH server operator turns malicious?

  29. (image-only slide)

  30. Summary
    • DNS encryption was born because eavesdropping on DNS queries is a problem
    • The main methods are DNS over TLS (DoT) and DNS Queries over HTTPS (DoH)
    • Encryption is inconvenient for sysadmins, but that is by design
    • What is trust, anyway?

  31. Questions?
    send to @s01 on Twitter