Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DNS Encryption and Its Controversies
Search
sylph01
December 19, 2020
Technology
0
800
DNS Encryption and Its Controversies
DNS暗号化とその論点 @ DNS温泉番外編 in 大阪
sylph01
December 19, 2020
Tweet
Share
More Decks by sylph01
See All by sylph01
Updates on MLS on Ruby (and maybe more)
sylph01
1
190
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (RubyConf Taiwan 2025 ver.)
sylph01
1
95
PicoRuby's Networking is Incomplete
sylph01
1
44
The Definitive? Guide To Locally Organizing RubyKaigi
sylph01
6
1.7k
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too
sylph01
1
130
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (JP subtitles)
sylph01
2
640
Introduction to C Extensions
sylph01
3
210
"Actual" Security in Microcontroller Ruby!?
sylph01
0
160
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
75
Other Decks in Technology
See All in Technology
Azure Well-Architected Framework入門
tomokusaba
0
280
Geospatialの世界最前線を探る [2025年版]
dayjournal
3
490
生成AIとM5Stack / M5 Japan Tour 2025 Autumn 東京
you
PRO
0
200
Function calling機能をPLaMo2に実装するには / PFN LLMセミナー
pfn
PRO
0
910
stupid jj tricks
indirect
0
7.9k
KMP の Swift export
kokihirokawa
0
330
Goにおける 生成AIによるコード生成の ベンチマーク評価入門
daisuketakeda
2
100
PLaMoの事後学習を支える技術 / PFN LLMセミナー
pfn
PRO
9
3.8k
Pythonによる契約プログラミング入門 / PyCon JP 2025
7pairs
5
2.5k
いま注目しているデータエンジニアリングの論点
ikkimiyazaki
0
590
From Prompt to Product @ How to Web 2025, Bucharest, Romania
janwerner
0
120
バイブコーディングと継続的デプロイメント
nwiizo
2
410
Featured
See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
The World Runs on Bad Software
bkeepers
PRO
71
11k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
Rails Girls Zürich Keynote
gr2m
95
14k
Build your cross-platform service in a week with App Engine
jlugia
232
18k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.7k
[RailsConf 2023] Rails as a piece of cake
palkan
57
5.9k
Building Applications with DynamoDB
mza
96
6.6k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.5k
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.4k
How to train your dragon (web standard)
notwaldorf
96
6.3k
A designer walks into a library…
pauljervisheath
209
24k
Transcript
DNS҉߸Խͱͦͷ sylph01 / Ryo Kajiwara @ DNSԹઘ൪֎ฤ in େࡕ, 2020/12/19
୭ʁ ֿݪ ཾ(sylph01) Twitter: @s01 ੜͷϓϩάϥϚ ҉߸ͱ͔Ͱ͖·͢ TLSΑΓ্ͷ DNS·ΔͰΘ͔ΒΜ
એ "DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ ज़ॻయ6(2019/4)Ͱ൦͠·ͨ͠ DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ DNSSECɺDNS over TLS/HTTPS͋ͨΓ ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ
ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢ ࠓѻ͏DNS҉߸Խͷѻ͍ͬͯ·͢ ૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ ൦த
None
preface DNSSECͷͰͳ͍ɻ DNSSECॺ໊Ͱ͋ͬͯ҉߸ԽͰͳ͍ɻ DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂɾࢥʹؔ͢ΔใΛऩू͢ Δ͜ͱ͕Մೳɺ͋Δ͍ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର ࡦͱͯ͠ͷDNS҉߸Խɻ DNS҉߸ԽΠϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ
࣌ؒతʹද໘ͳͧΔͩ ͚Ͱ͢
Pervasive Monitoring is an Attack RFC 7258 2014/5
DNS Privacy Considerations RFC 7626 2015/8
None
DNS over TLS (DoT) RFC 7858 2016/5
DNS Queries over HTTPS (DoH) RFC 8484 2018/10
DoT vs DoH • DoTport 853Λ͏ɺDoHHTTPSͱಉ༷port 443Λ͏ • DoTport 853ͷϒϩοΩϯάͰՄೳ
• DoHport 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ Ͱ͖ͳ͍ • ҰํͰΑ͘ΒΕ͍ͯΔDoHରԠαʔόʔͷIPϒϩοΩ ϯάΛߦ͑Մೳ
Oblivious DNS over HTTPS draft-pauly-dprive-oblivious-doh -00 @ 2020/10, -03 @
2020/12
None
None
DNS over QUIC https:/ /adguard.com/ja/blog/dns- over-quic.html
DNSCrypt, DNSCurve …ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ ͳ͍ͷͰུ
None
: චऀ҉߸ԽਪਐدΓ Ͱ͢
DoT/DoH/ODoH ωοτϫʔΫཧऀʹ ͱͬͯ߹͕ѱ͍
ͦΕ ༷Ͱ͢
DNS҉߸Խsysadminʹ ߹͕ѱ͍ • ॾʑͷࣄ • DNSΛͬͯad-blocking, parental controlΛ͍ͨ͠ • DNSΛͬͯϗϞάϥϑ߈ܸtyposquatting͔ΒӴ͍ͨ͠
• nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ • ͿͬͪΌ͚ ৗ࣌HTTPSԽE2EEsysadminʹ߹͕ѱ͍
DNS҉߸Խsysadminʹ ߹͕ѱ͍ • ͔͠͠DoT/DoH/ODoHωοτϫʔΫཧऀ͕ѱҙΛ͍࣋ͬͯ ΔέʔεΛఆͯ͠σβΠϯ͞Ε͍ͯΔ • ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε • ϓϩόΠμͱ݁ୗͯ͠ػ͕ؔσʔλΛऩू͢Δέʔε •
"Pervasive Monitoring is an Attack"
stub-recursive, recursive- authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ Ͱ͖Δ͔ʁ • pervasive monitoringͷରࡦʹͳΔɺrecursive͕ѱҙͷ͋Δέʔ εҙຯͳ͍ • IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘ଓઌೝূ͕ࠔ
• ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Εpervasive monitoringͷରࡦՄೳ
PKIΛͬͨTLSཱ͕ ͢ΔͷׂͱDNSͷ͓ ͔͛Έ͍ͨͳͱ͜Ζ͕ ͋Δ
DNSϒϩοΩϯάͱ ʮΠϯλʔωοτΛڊ େͳΠϯτϥωοτͱ Έͳͯ͠ཧ͍ͨ͠ʯ ͱ͍͏͜ͱʹ૬
DoT/DoHΠϯλʔωοτͷ தԝूݖԽΛଅ͢ • DoT/DoHαʔόʔͲ͏ͬͯબ͞ΕΔͷʁ • ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱʁ • DoT/DoH৴༻ͷΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ όʔӡ༻ऀʹԡ͚͍ͯ͠Δ͚ͩͰͳ͍͔ʁ •
DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ
None
·ͱΊ • DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ • DNS over TLS (DoT), DNS
Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ ख๏ͩΑ • ҉߸Խ͞ΕΔͱsysadminʹ߹͕ѱ͍ɺ͚Ͳ༷ͩΑ • ৴༻ͬͯԿͩΖ͏
Questions? send to @s01 on Twitter
sylph01
tomokusaba
dayjournal
you
pfn
indirect
kokihirokawa
daisuketakeda
7pairs
ikkimiyazaki
janwerner
nwiizo
sstephenson
bkeepers
kastner
gr2m
jlugia
productmarketing
palkan
mza
honnibal
philnash
notwaldorf
pauljervisheath
