Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DNS Encryption and Its Controversies

sylph01
December 19, 2020
Technology
0
740

DNS Encryption and Its Controversies

DNS暗号化とその論点 @ DNS温泉番外編 in 大阪

sylph01

December 19, 2020
Tweet

More Decks by sylph01

See All by sylph01
"Actual" Security in Microcontroller Ruby!?
sylph01
0
91
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
31
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
250
Adding Security to Microcontroller Ruby
sylph01
2
3.3k
Secure Messaging at IETF 118
sylph01
0
84
Adventures in the Dungeons of OpenSSL
sylph01
0
530
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
330
Build and Learn Rails Authentication
sylph01
8
2.1k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
310

Other Decks in Technology

See All in Technology
LINEギフトにおけるバックエンド開発
lycorptech_jp
PRO
0
240
AIエージェント入門
minorun365
PRO
30
17k
「正しく」失敗できる チームの作り方 〜リアルな事例から紐解く失敗を恐れない組織とは〜 / A team that can fail correctly
i35_267
4
830
4th place solution Eedi - Mining Misconceptions in Mathematics
rist
0
140
ABWG2024採択者が語るエンジニアとしての自分自身の見つけ方〜発信して、つながって、世界を広げていく〜
maimyyym
1
100
日経のデータベース事業とElasticsearch
hinatades
PRO
0
210
エンジニアリング価値を黒字化する バリューベース戦略を用いた 技術戦略策定の道のり
kzkmaeda
6
2.4k
LINE NEWSにおけるバックエンド開発
lycorptech_jp
PRO
0
200
分解して理解する Aspire
nenonaninu
2
990
アジャイルな開発チームでテスト戦略の話は誰がする? / Who Talks About Test Strategy?
ak1210
1
450
生成AI×財務経理:PoCで挑むSlack AI Bot開発と現場巻き込みのリアル
pohdccoe
1
580
NFV基盤のOpenStack更新 ~9世代バージョンアップへの挑戦~
vtj
0
340

Featured

See All Featured
Why Our Code Smells
bkeepers
PRO
336
57k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
640
Measuring & Analyzing Core Web Vitals
bluesmoon
6
250
How STYLIGHT went responsive
nonsquared
98
5.4k
Bash Introduction
62gerente
611
210k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.3k
Side Projects
sachag
452
42k
Building an army of robots
kneath
303
45k
Site-Speed That Sticks
csswizardry
4
400
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
21
2.5k

Transcript

  1. DNS҉߸Խͱͦͷ࿦఺ sylph01 / Ryo Kajiwara @ DNSԹઘ൪֎ฤ in େࡕ, 2020/12/19

  2. ୭ʁ ֿݪ ཾ(sylph01) Twitter: @s01 ໺ੜͷϓϩάϥϚ ҉߸ͱ͔Ͱ͖·͢ TLSΑΓ্ͷ૚ DNS·ΔͰΘ͔ΒΜ

  3. એ఻ "DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ ज़ॻయ6(2019/4)Ͱ൦෍͠·ͨ͠ DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ DNSSECɺDNS over TLS/HTTPS͋ͨΓ ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ

    ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢ ࠓ೔ѻ͏DNS҉߸Խͷ࿩΋ѻ͍ͬͯ·͢ ૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ ൦෍த
  4. None

  5. preface DNSSECͷ࿩Ͱ͸ͳ͍ɻ DNSSEC͸ॺ໊Ͱ͋ͬͯ҉߸ԽͰ͸ͳ͍ɻ DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂ޷ɾࢥ૝ʹؔ͢Δ৘ใΛऩू͢ Δ͜ͱ͕Մೳɺ͋Δ͍͸ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର ࡦͱͯ͠ͷDNS҉߸Խɻ DNS҉߸Խ͸Πϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ

  6. ࣌ؒతʹද໘ͳͧΔͩ ͚Ͱ͢

  7. Pervasive Monitoring is an Attack RFC 7258 2014/5

  8. DNS Privacy Considerations RFC 7626 2015/8

  9. None

  10. DNS over TLS (DoT) RFC 7858 2016/5

  11. DNS Queries over HTTPS (DoH) RFC 8484 2018/10

  12. DoT vs DoH • DoT͸port 853Λ࢖͏ɺDoH͸HTTPSͱಉ༷port 443Λ࢖͏ • DoT͸port 853ͷϒϩοΩϯάͰ๦֐Մೳ

    • DoH͸port 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ Ͱ͖ͳ͍ • ҰํͰΑ͘஌ΒΕ͍ͯΔDoHରԠαʔόʔ΁ͷIPϒϩοΩ ϯάΛߦ͑͹๦֐Մೳ

  13. Oblivious DNS over HTTPS draft-pauly-dprive-oblivious-doh -00 @ 2020/10, -03 @

    2020/12
  14. None
  15. None

  16. DNS over QUIC https:/ /adguard.com/ja/blog/dns- over-quic.html

  17. DNSCrypt, DNSCurve …͸ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ ͳ͍ͷͰུ

  18. None

  19. ࿦఺

  20. ஫: චऀ͸҉߸ԽਪਐدΓ Ͱ͢

  21. DoT/DoH/ODoH͸ ωοτϫʔΫ؅ཧऀʹ ͱͬͯ౎߹͕ѱ͍

  22. ͦΕ͸ ࢓༷Ͱ͢

  23. DNS҉߸Խ͸sysadminʹ౎ ߹͕ѱ͍ • ॾʑͷࣄ৘ • DNSΛ࢖ͬͯad-blocking, parental controlΛ͍ͨ͠ • DNSΛ࢖ͬͯϗϞάϥϑ߈ܸ΍typosquatting͔Β๷Ӵ͍ͨ͠

    • nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ • ͿͬͪΌ͚ ৗ࣌HTTPSԽ΍E2EE΋sysadminʹ౎߹͕ѱ͍

  24. DNS҉߸Խ͸sysadminʹ౎ ߹͕ѱ͍ • ͔͠͠DoT/DoH/ODoH͸ωοτϫʔΫ؅ཧऀ͕ѱҙΛ͍࣋ͬͯ ΔέʔεΛ૝ఆͯ͠σβΠϯ͞Ε͍ͯΔ • ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε • ϓϩόΠμͱ݁ୗͯ͠੓෎ػ͕ؔσʔλΛऩू͢Δέʔε •

    "Pervasive Monitoring is an Attack"

  25. stub-recursive, recursive- authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ ͸Ͱ͖Δ͔ʁ • pervasive monitoringͷରࡦʹ͸ͳΔɺrecursive͕ѱҙͷ͋Δέʔ ε͸ҙຯͳ͍ • IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘઀ଓઌೝূ͕ࠔ೉

    • ઀ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Ε͹pervasive monitoringͷରࡦ͸Մೳ

  26. PKIΛ࢖ͬͨTLS͕੒ཱ ͢Δͷ΋ׂͱDNSͷ͓ ͔͛Έ͍ͨͳͱ͜Ζ͕ ͋Δ

  27. DNSϒϩοΩϯάͱ͸ ʮΠϯλʔωοτΛڊ େͳΠϯτϥωοτͱ Έͳͯ͠؅ཧ͍ͨ͠ʯ ͱ͍͏͜ͱʹ૬౰

  28. DoT/DoH͸Πϯλʔωοτͷ தԝूݖԽΛଅ͢ • DoT/DoHαʔόʔ͸Ͳ͏΍ͬͯબ୒͞ΕΔͷʁ • ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱ͸ʁ • DoT/DoH͸৴༻ͷ໰୊ΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ όʔӡ༻ऀʹԡ͠෇͚͍ͯΔ͚ͩͰ͸ͳ͍͔ʁ •

    DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ
  29. None

  30. ·ͱΊ • DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ • DNS over TLS (DoT), DNS

    Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ ख๏ͩΑ • ҉߸Խ͞ΕΔͱsysadminʹ౎߹͕ѱ͍ɺ͚Ͳ࢓༷ͩΑ • ৴༻ͬͯԿͩΖ͏

  31. Questions? send to @s01 on Twitter