DNS Encryption and Its Controversies

Transcript

1. DNS҉߸Խͱͦͷ࿦఺ sylph01 / Ryo Kajiwara @ DNSԹઘ൪֎ฤ in େࡕ, 2020/12/19

2. ୭ʁ ֿݪ ཾ(sylph01) Twitter: @s01 ໺ੜͷϓϩάϥϚ ҉߸ͱ͔Ͱ͖·͢ TLSΑΓ্ͷ૚ DNS·ΔͰΘ͔ΒΜ

3. એ఻ "DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ ज़ॻయ6(2019/4)Ͱ൦෍͠·ͨ͠ DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ DNSSECɺDNS over TLS/HTTPS͋ͨΓ ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ

   ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢ ࠓ೔ѻ͏DNS҉߸Խͷ࿩΋ѻ͍ͬͯ·͢ ૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ ൦෍த
4. None

5. preface DNSSECͷ࿩Ͱ͸ͳ͍ɻ DNSSEC͸ॺ໊Ͱ͋ͬͯ҉߸ԽͰ͸ͳ͍ɻ DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂ޷ɾࢥ૝ʹؔ͢Δ৘ใΛऩू͢ Δ͜ͱ͕Մೳɺ͋Δ͍͸ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର ࡦͱͯ͠ͷDNS҉߸Խɻ DNS҉߸Խ͸Πϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ

6. ࣌ؒతʹද໘ͳͧΔͩ ͚Ͱ͢

7. Pervasive Monitoring is an Attack RFC 7258 2014/5

8. DNS Privacy Considerations RFC 7626 2015/8

9. None

10. DNS over TLS (DoT) RFC 7858 2016/5

11. DNS Queries over HTTPS (DoH) RFC 8484 2018/10

12. DoT vs DoH • DoT͸port 853Λ࢖͏ɺDoH͸HTTPSͱಉ༷port 443Λ࢖͏ • DoT͸port 853ͷϒϩοΩϯάͰ๦֐Մೳ

    • DoH͸port 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ Ͱ͖ͳ͍ • ҰํͰΑ͘஌ΒΕ͍ͯΔDoHରԠαʔόʔ΁ͷIPϒϩοΩ ϯάΛߦ͑͹๦֐Մೳ

13. Oblivious DNS over HTTPS draft-pauly-dprive-oblivious-doh -00 @ 2020/10, -03 @

    2020/12
14. None
15. None

16. DNS over QUIC https:/ /adguard.com/ja/blog/dns- over-quic.html

17. DNSCrypt, DNSCurve …͸ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ ͳ͍ͷͰུ

18. None

19. ࿦఺

20. ஫: චऀ͸҉߸ԽਪਐدΓ Ͱ͢

21. DoT/DoH/ODoH͸ ωοτϫʔΫ؅ཧऀʹ ͱͬͯ౎߹͕ѱ͍

22. ͦΕ͸ ࢓༷Ͱ͢

23. DNS҉߸Խ͸sysadminʹ౎ ߹͕ѱ͍ • ॾʑͷࣄ৘ • DNSΛ࢖ͬͯad-blocking, parental controlΛ͍ͨ͠ • DNSΛ࢖ͬͯϗϞάϥϑ߈ܸ΍typosquatting͔Β๷Ӵ͍ͨ͠

    • nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ • ͿͬͪΌ͚ ৗ࣌HTTPSԽ΍E2EE΋sysadminʹ౎߹͕ѱ͍

24. DNS҉߸Խ͸sysadminʹ౎ ߹͕ѱ͍ • ͔͠͠DoT/DoH/ODoH͸ωοτϫʔΫ؅ཧऀ͕ѱҙΛ͍࣋ͬͯ ΔέʔεΛ૝ఆͯ͠σβΠϯ͞Ε͍ͯΔ • ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε • ϓϩόΠμͱ݁ୗͯ͠੓෎ػ͕ؔσʔλΛऩू͢Δέʔε •

    "Pervasive Monitoring is an Attack"

25. stub-recursive, recursive- authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ ͸Ͱ͖Δ͔ʁ • pervasive monitoringͷରࡦʹ͸ͳΔɺrecursive͕ѱҙͷ͋Δέʔ ε͸ҙຯͳ͍ • IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘઀ଓઌೝূ͕ࠔ೉

    • ઀ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Ε͹pervasive monitoringͷରࡦ͸Մೳ

26. PKIΛ࢖ͬͨTLS͕੒ཱ ͢Δͷ΋ׂͱDNSͷ͓ ͔͛Έ͍ͨͳͱ͜Ζ͕ ͋Δ

27. DNSϒϩοΩϯάͱ͸ ʮΠϯλʔωοτΛڊ େͳΠϯτϥωοτͱ Έͳͯ͠؅ཧ͍ͨ͠ʯ ͱ͍͏͜ͱʹ૬౰

28. DoT/DoH͸Πϯλʔωοτͷ தԝूݖԽΛଅ͢ • DoT/DoHαʔόʔ͸Ͳ͏΍ͬͯબ୒͞ΕΔͷʁ • ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱ͸ʁ • DoT/DoH͸৴༻ͷ໰୊ΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ όʔӡ༻ऀʹԡ͠෇͚͍ͯΔ͚ͩͰ͸ͳ͍͔ʁ •

    DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ
29. None

30. ·ͱΊ • DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ • DNS over TLS (DoT), DNS

    Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ ख๏ͩΑ • ҉߸Խ͞ΕΔͱsysadminʹ౎߹͕ѱ͍ɺ͚Ͳ࢓༷ͩΑ • ৴༻ͬͯԿͩΖ͏

31. Questions? send to @s01 on Twitter