Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DNS Encryption and Its Controversies

sylph01
December 19, 2020
Technology
0
510

DNS Encryption and Its Controversies

DNS暗号化とその論点 @ DNS温泉番外編 in 大阪

sylph01

December 19, 2020
Tweet

More Decks by sylph01

See All by sylph01
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
92
Build and Learn Rails Authentication
sylph01
8
1.4k
Email, Messaging, and SSI/DID (再放送)
sylph01
0
1k
Action Mailbox in Action
sylph01
1
2.6k
Keebs-n-Kaigi
sylph01
1
140
Email, Messaging, and SSI/DID
sylph01
0
700
IETF 107 Report Session: OAuth/TxAuth
sylph01
0
64
OAuth, Transactional Authorization @ IETF106
sylph01
1
460
Email in Rails (and/or introduction to "Dark Depths of Email")
sylph01
0
780

Other Decks in Technology

See All in Technology
Swift 開発が楽になる道具たち
megabitsenmzq
1
310
Software Craftsmanship against Nova Era
koic
0
310
ChatGPTをプロダクトに入れる開発が"毎日がAfter GPT"だった件/ChatGPT LT Link and Motivation
lmi
1
3k
PHP で学ぶ Cache の距離の話 / study_cache_with_php
hanhan1978
3
790
AstroNvim を使おう!
ybrliiu
0
160
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
4
1.5k
未来の開発者へ負債を残さないために取り組んだこと
hayatokudou
0
250
『登記所備付地図XMLデータ』に触れてみよう〜法務省が公開した大規模オープンデータとは一体何なのか〜 / What is moj map xml
sakaik
0
140
自分のデータは自分で守る - あなたのCI/CDパイプラインをセキュアにする処方箋
jacopen
4
460
試して分かった!AWS を使った PLCのデータ収集と分析基盤の実践ノウハウ #FA設備技術勉強会#13
ganota
1
270
開幕LT
makamaka
0
360
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
10
24k

Featured

See All Featured
A Philosophy of Restraint
colly
194
15k
Three Pipe Problems
jasonvnalue
89
9k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
14
5.6k
We Have a Design System, Now What?
morganepeng
37
6k
Designing for Performance
lara
600
65k
GraphQLとの向き合い方2022年版
quramy
22
10k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
109
16k
StorybookのUI Testing Handbookを読んだ
zakiyama
8
3.4k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
6
920
Gamification - CAS2011
davidbonilla
75
4.2k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.6k
Agile that works and the tools we love
rasmusluckow
321
20k

Transcript

  1. DNS҉߸Խͱͦͷ࿦఺
    sylph01 / Ryo Kajiwara
    @ DNSԹઘ൪֎ฤ in େࡕ,
    2020/12/19

    View Slide

  2. ୭ʁ
    ֿݪ ཾ(sylph01)
    Twitter: @s01
    ໺ੜͷϓϩάϥϚ
    ҉߸ͱ͔Ͱ͖·͢
    TLSΑΓ্ͷ૚
    DNS·ΔͰΘ͔ΒΜ

    View Slide

  3. એ఻
    "DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ
    ज़ॻయ6(2019/4)Ͱ൦෍͠·ͨ͠
    DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ
    DNSSECɺDNS over TLS/HTTPS͋ͨΓ
    ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ
    ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢
    ࠓ೔ѻ͏DNS҉߸Խͷ࿩΋ѻ͍ͬͯ·͢
    ૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ
    ൦෍த

    View Slide

  4. View Slide

  5. preface
    DNSSECͷ࿩Ͱ͸ͳ͍ɻ DNSSEC͸ॺ໊Ͱ͋ͬͯ҉߸ԽͰ͸ͳ͍ɻ
    DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂ޷ɾࢥ૝ʹؔ͢Δ৘ใΛऩू͢
    Δ͜ͱ͕Մೳɺ͋Δ͍͸ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର
    ࡦͱͯ͠ͷDNS҉߸Խɻ
    DNS҉߸Խ͸Πϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ

    View Slide

  6. ࣌ؒతʹද໘ͳͧΔͩ
    ͚Ͱ͢

    View Slide

  7. Pervasive Monitoring is
    an Attack
    RFC 7258
    2014/5

    View Slide

  8. DNS Privacy
    Considerations
    RFC 7626
    2015/8

    View Slide

  9. View Slide

  10. DNS over TLS (DoT)
    RFC 7858
    2016/5

    View Slide

  11. DNS Queries over
    HTTPS (DoH)
    RFC 8484
    2018/10

    View Slide

  12. DoT vs DoH
    • DoT͸port 853Λ࢖͏ɺDoH͸HTTPSͱಉ༷port 443Λ࢖͏
    • DoT͸port 853ͷϒϩοΩϯάͰ๦֐Մೳ
    • DoH͸port 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ
    Ͱ͖ͳ͍
    • ҰํͰΑ͘஌ΒΕ͍ͯΔDoHରԠαʔόʔ΁ͷIPϒϩοΩ
    ϯάΛߦ͑͹๦֐Մೳ

    View Slide

  13. Oblivious DNS over
    HTTPS
    draft-pauly-dprive-oblivious-doh
    -00 @ 2020/10, -03 @ 2020/12

    View Slide

  14. View Slide

  15. View Slide

  16. DNS over QUIC
    https:/
    /adguard.com/ja/blog/dns-
    over-quic.html

    View Slide

  17. DNSCrypt, DNSCurve
    …͸ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ
    ͳ͍ͷͰུ

    View Slide

  18. View Slide

  19. ࿦఺

    View Slide

  20. ஫:
    චऀ͸҉߸ԽਪਐدΓ
    Ͱ͢

    View Slide

  21. DoT/DoH/ODoH͸
    ωοτϫʔΫ؅ཧऀʹ
    ͱͬͯ౎߹͕ѱ͍

    View Slide

  22. ͦΕ͸
    ࢓༷Ͱ͢

    View Slide

  23. DNS҉߸Խ͸sysadminʹ౎
    ߹͕ѱ͍
    • ॾʑͷࣄ৘
    • DNSΛ࢖ͬͯad-blocking, parental controlΛ͍ͨ͠
    • DNSΛ࢖ͬͯϗϞάϥϑ߈ܸ΍typosquatting͔Β๷Ӵ͍ͨ͠
    • nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ
    • ͿͬͪΌ͚ ৗ࣌HTTPSԽ΍E2EE΋sysadminʹ౎߹͕ѱ͍

    View Slide

  24. DNS҉߸Խ͸sysadminʹ౎
    ߹͕ѱ͍
    • ͔͠͠DoT/DoH/ODoH͸ωοτϫʔΫ؅ཧऀ͕ѱҙΛ͍࣋ͬͯ
    ΔέʔεΛ૝ఆͯ͠σβΠϯ͞Ε͍ͯΔ
    • ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε
    • ϓϩόΠμͱ݁ୗͯ͠੓෎ػ͕ؔσʔλΛऩू͢Δέʔε
    • "Pervasive Monitoring is an Attack"

    View Slide

  25. stub-recursive, recursive-
    authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ
    ͸Ͱ͖Δ͔ʁ
    • pervasive monitoringͷରࡦʹ͸ͳΔɺrecursive͕ѱҙͷ͋Δέʔ
    ε͸ҙຯͳ͍
    • IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘઀ଓઌೝূ͕ࠔ೉
    • ઀ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Ε͹pervasive
    monitoringͷରࡦ͸Մೳ

    View Slide

  26. PKIΛ࢖ͬͨTLS͕੒ཱ
    ͢Δͷ΋ׂͱDNSͷ͓
    ͔͛Έ͍ͨͳͱ͜Ζ͕
    ͋Δ

    View Slide

  27. DNSϒϩοΩϯάͱ͸
    ʮΠϯλʔωοτΛڊ
    େͳΠϯτϥωοτͱ
    Έͳͯ͠؅ཧ͍ͨ͠ʯ
    ͱ͍͏͜ͱʹ૬౰

    View Slide

  28. DoT/DoH͸Πϯλʔωοτͷ
    தԝूݖԽΛଅ͢
    • DoT/DoHαʔόʔ͸Ͳ͏΍ͬͯબ୒͞ΕΔͷʁ
    • ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱ͸ʁ
    • DoT/DoH͸৴༻ͷ໰୊ΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ
    όʔӡ༻ऀʹԡ͠෇͚͍ͯΔ͚ͩͰ͸ͳ͍͔ʁ
    • DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ

    View Slide

  29. View Slide

  30. ·ͱΊ
    • DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ
    • DNS over TLS (DoT), DNS Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ
    ख๏ͩΑ
    • ҉߸Խ͞ΕΔͱsysadminʹ౎߹͕ѱ͍ɺ͚Ͳ࢓༷ͩΑ
    • ৴༻ͬͯԿͩΖ͏

    View Slide

  31. Questions?
    send to @s01 on Twitter

    View Slide