$30 off During Our Annual Pro Sale. View Details »

DNS Encryption and Its Controversies

sylph01
December 19, 2020
Technology
0
580

DNS Encryption and Its Controversies

DNS暗号化とその論点 @ DNS温泉番外編 in 大阪

sylph01

December 19, 2020
Tweet

More Decks by sylph01

See All by sylph01
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
170
Build and Learn Rails Authentication
sylph01
8
1.6k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
96
Email, Messaging, and SSI/DID (再放送)
sylph01
0
1.1k
Action Mailbox in Action
sylph01
1
2.8k
Keebs-n-Kaigi
sylph01
1
220
Email, Messaging, and SSI/DID
sylph01
0
760
IETF 107 Report Session: OAuth/TxAuth
sylph01
0
73
OAuth, Transactional Authorization @ IETF106
sylph01
1
540

Other Decks in Technology

See All in Technology
dbt Coreとdbt-athenaによるAWS上のdbt環境構築ナレッジ
nayuts
0
150
3つの⽴場で考える技術的負債への組織的アプローチ
sansantech
PRO
16
4.9k
CPOが開発する覚悟 〜コンパウンドスタートアップにおける、爆速の新規プロダクト開発スタイル〜
mosa_siru
7
5.5k
コロプラ_SRE_LCE_ゲームバックエンド_性能との戦い
colopl
0
130
技術的負債あるある早く言いたい〜/RookiesLT-link-and-motivation
lmi
0
2k
スタートアップにおける、チーム拡大を見据えたコンポーネント分割の取り組み
rynsuke
2
790
DMMプラットフォームにおける GKE を利用した プラットフォームエンジニアリングへの 取り組み
pospome
1
170
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
2
3.9k
サービスの1等地ホーム画面改善と効果的なステークホルダーマネジメント / Improvement of Prime Location Home Screen for Services and Effective Stakeholder Management
rilmayer
0
150
LLMエンジニアリングを加速させるソフトウェアアーキテクチャ
tkikuchi1002
0
400
231116 あつまれ入力デバイスの沼 Ryu.Cyberさん
comucal
PRO
0
160
噂の Amazon Bedrock を Java から使ってみる #javado
tacck
1
140

Featured

See All Featured
A Tale of Four Properties
chriscoyier
150
22k
Practical Orchestrator
shlominoach
179
9.4k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Atom: Resistance is Futile
akmur
257
24k
Designing with Data
zakiwarfel
93
4.6k
Code Reviewing Like a Champion
maltzj
511
38k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.7k
Typedesign – Prime Four
hannesfritz
35
1.8k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
890
How GitHub Uses GitHub to Build GitHub
holman
467
280k
Being A Developer After 40
akosma
52
580k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k

Transcript

  1. DNS҉߸Խͱͦͷ࿦఺
    sylph01 / Ryo Kajiwara
    @ DNSԹઘ൪֎ฤ in େࡕ,
    2020/12/19

    View Slide

  2. ୭ʁ
    ֿݪ ཾ(sylph01)
    Twitter: @s01
    ໺ੜͷϓϩάϥϚ
    ҉߸ͱ͔Ͱ͖·͢
    TLSΑΓ্ͷ૚
    DNS·ΔͰΘ͔ΒΜ

    View Slide

  3. એ఻
    "DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ
    ज़ॻయ6(2019/4)Ͱ൦෍͠·ͨ͠
    DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ
    DNSSECɺDNS over TLS/HTTPS͋ͨΓ
    ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ
    ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢
    ࠓ೔ѻ͏DNS҉߸Խͷ࿩΋ѻ͍ͬͯ·͢
    ૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ
    ൦෍த

    View Slide

  4. View Slide

  5. preface
    DNSSECͷ࿩Ͱ͸ͳ͍ɻ DNSSEC͸ॺ໊Ͱ͋ͬͯ҉߸ԽͰ͸ͳ͍ɻ
    DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂ޷ɾࢥ૝ʹؔ͢Δ৘ใΛऩू͢
    Δ͜ͱ͕Մೳɺ͋Δ͍͸ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର
    ࡦͱͯ͠ͷDNS҉߸Խɻ
    DNS҉߸Խ͸Πϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ

    View Slide

  6. ࣌ؒతʹද໘ͳͧΔͩ
    ͚Ͱ͢

    View Slide

  7. Pervasive Monitoring is
    an Attack
    RFC 7258
    2014/5

    View Slide

  8. DNS Privacy
    Considerations
    RFC 7626
    2015/8

    View Slide

  9. View Slide

  10. DNS over TLS (DoT)
    RFC 7858
    2016/5

    View Slide

  11. DNS Queries over
    HTTPS (DoH)
    RFC 8484
    2018/10

    View Slide

  12. DoT vs DoH
    • DoT͸port 853Λ࢖͏ɺDoH͸HTTPSͱಉ༷port 443Λ࢖͏
    • DoT͸port 853ͷϒϩοΩϯάͰ๦֐Մೳ
    • DoH͸port 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ
    Ͱ͖ͳ͍
    • ҰํͰΑ͘஌ΒΕ͍ͯΔDoHରԠαʔόʔ΁ͷIPϒϩοΩ
    ϯάΛߦ͑͹๦֐Մೳ

    View Slide

  13. Oblivious DNS over
    HTTPS
    draft-pauly-dprive-oblivious-doh
    -00 @ 2020/10, -03 @ 2020/12

    View Slide

  14. View Slide

  15. View Slide

  16. DNS over QUIC
    https:/
    /adguard.com/ja/blog/dns-
    over-quic.html

    View Slide

  17. DNSCrypt, DNSCurve
    …͸ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ
    ͳ͍ͷͰུ

    View Slide

  18. View Slide

  19. ࿦఺

    View Slide

  20. ஫:
    චऀ͸҉߸ԽਪਐدΓ
    Ͱ͢

    View Slide

  21. DoT/DoH/ODoH͸
    ωοτϫʔΫ؅ཧऀʹ
    ͱͬͯ౎߹͕ѱ͍

    View Slide

  22. ͦΕ͸
    ࢓༷Ͱ͢

    View Slide

  23. DNS҉߸Խ͸sysadminʹ౎
    ߹͕ѱ͍
    • ॾʑͷࣄ৘
    • DNSΛ࢖ͬͯad-blocking, parental controlΛ͍ͨ͠
    • DNSΛ࢖ͬͯϗϞάϥϑ߈ܸ΍typosquatting͔Β๷Ӵ͍ͨ͠
    • nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ
    • ͿͬͪΌ͚ ৗ࣌HTTPSԽ΍E2EE΋sysadminʹ౎߹͕ѱ͍

    View Slide

  24. DNS҉߸Խ͸sysadminʹ౎
    ߹͕ѱ͍
    • ͔͠͠DoT/DoH/ODoH͸ωοτϫʔΫ؅ཧऀ͕ѱҙΛ͍࣋ͬͯ
    ΔέʔεΛ૝ఆͯ͠σβΠϯ͞Ε͍ͯΔ
    • ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε
    • ϓϩόΠμͱ݁ୗͯ͠੓෎ػ͕ؔσʔλΛऩू͢Δέʔε
    • "Pervasive Monitoring is an Attack"

    View Slide

  25. stub-recursive, recursive-
    authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ
    ͸Ͱ͖Δ͔ʁ
    • pervasive monitoringͷରࡦʹ͸ͳΔɺrecursive͕ѱҙͷ͋Δέʔ
    ε͸ҙຯͳ͍
    • IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘઀ଓઌೝূ͕ࠔ೉
    • ઀ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Ε͹pervasive
    monitoringͷରࡦ͸Մೳ

    View Slide

  26. PKIΛ࢖ͬͨTLS͕੒ཱ
    ͢Δͷ΋ׂͱDNSͷ͓
    ͔͛Έ͍ͨͳͱ͜Ζ͕
    ͋Δ

    View Slide

  27. DNSϒϩοΩϯάͱ͸
    ʮΠϯλʔωοτΛڊ
    େͳΠϯτϥωοτͱ
    Έͳͯ͠؅ཧ͍ͨ͠ʯ
    ͱ͍͏͜ͱʹ૬౰

    View Slide

  28. DoT/DoH͸Πϯλʔωοτͷ
    தԝूݖԽΛଅ͢
    • DoT/DoHαʔόʔ͸Ͳ͏΍ͬͯબ୒͞ΕΔͷʁ
    • ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱ͸ʁ
    • DoT/DoH͸৴༻ͷ໰୊ΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ
    όʔӡ༻ऀʹԡ͠෇͚͍ͯΔ͚ͩͰ͸ͳ͍͔ʁ
    • DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ

    View Slide

  29. View Slide

  30. ·ͱΊ
    • DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ
    • DNS over TLS (DoT), DNS Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ
    ख๏ͩΑ
    • ҉߸Խ͞ΕΔͱsysadminʹ౎߹͕ѱ͍ɺ͚Ͳ࢓༷ͩΑ
    • ৴༻ͬͯԿͩΖ͏

    View Slide

  31. Questions?
    send to @s01 on Twitter

    View Slide