Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DNS Encryption and Its Controversies

Avatar for sylph01 sylph01
December 19, 2020
Technology
0
810

DNS Encryption and Its Controversies

DNS暗号化とその論点 @ DNS温泉番外編 in 大阪

Avatar for sylph01

sylph01

December 19, 2020
Tweet

More Decks by sylph01

See All by sylph01
Updates on MLS on Ruby (and maybe more)
Avatar for sylph01 sylph01
1
200
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (RubyConf Taiwan 2025 ver.)
Avatar for sylph01 sylph01
1
100
PicoRuby's Networking is Incomplete
Avatar for sylph01 sylph01
1
81
The Definitive? Guide To Locally Organizing RubyKaigi
Avatar for sylph01 sylph01
6
1.8k
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too
Avatar for sylph01 sylph01
1
150
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (JP subtitles)
Avatar for sylph01 sylph01
2
730
Introduction to C Extensions
Avatar for sylph01 sylph01
3
230
"Actual" Security in Microcontroller Ruby!?
Avatar for sylph01 sylph01
0
170
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
Avatar for sylph01 sylph01
1
82

Other Decks in Technology

See All in Technology
単一Kubernetesクラスタで実現する AI/ML 向けクラウドサービス
Avatar for Preferred Networks pfn
PRO
1
230
なぜインフラコードのモジュール化は難しいのか - アプリケーションコードとの本質的な違いから考える
Avatar for Gosuke Miyashita mizzy
55
19k
Service Monitoring Platformについて
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
300
Flutterにしてよかった?出前館アプリを2年運用して気づいたことを全部話します
Avatar for 株式会社出前館 demaecan
0
230
Redux → Recoil → Zustand → useSyncExternalStore: 状態管理の10年とReact本来の姿
Avatar for ZOZO Developers zozotech
PRO
18
8.7k
LINEギフト・LINEコマース領域の開発
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
320
re:Invent2025 事前勉強会 歴史と愉しみ方10分LT編
Avatar for T.Atsumi toshi_atsumi
0
150
なぜブラウザで帳票を生成したいのか どのようにブラウザで帳票を生成するのか
Avatar for yagisan-reports yagisanreports
0
140
Error.prototype.stack の今と未来
Avatar for Shunsuke Mano progfay
1
180
仕様は“書く”より“語る” - 分断を超えたチーム開発の実践 / 20251115 Naoki Takahashi
Avatar for SHIFT EVOLVE shift_evolve
PRO
1
1k
AI エージェントを評価するための温故知新と Spec Driven Evaluation
Avatar for Takahiro Kubo icoxfog417
PRO
2
260
JavaScript パーサーに using 対応をする過程で与えたエコシステムへの影響
Avatar for Yuichiro Yamashita baseballyama
1
110

Featured

See All Featured
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
413
23k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.6k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
36
7k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
2.9k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
73
11k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
285
14k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
88
4.9k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.3k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
280
24k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.6k

Transcript

  1. DNS҉߸Խͱͦͷ࿦఺ sylph01 / Ryo Kajiwara @ DNSԹઘ൪֎ฤ in େࡕ, 2020/12/19

  2. ୭ʁ ֿݪ ཾ(sylph01) Twitter: @s01 ໺ੜͷϓϩάϥϚ ҉߸ͱ͔Ͱ͖·͢ TLSΑΓ্ͷ૚ DNS·ΔͰΘ͔ΒΜ

  3. એ఻ "DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ ज़ॻయ6(2019/4)Ͱ൦෍͠·ͨ͠ DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ DNSSECɺDNS over TLS/HTTPS͋ͨΓ ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ

    ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢ ࠓ೔ѻ͏DNS҉߸Խͷ࿩΋ѻ͍ͬͯ·͢ ૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ ൦෍த
  4. None

  5. preface DNSSECͷ࿩Ͱ͸ͳ͍ɻ DNSSEC͸ॺ໊Ͱ͋ͬͯ҉߸ԽͰ͸ͳ͍ɻ DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂ޷ɾࢥ૝ʹؔ͢Δ৘ใΛऩू͢ Δ͜ͱ͕Մೳɺ͋Δ͍͸ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର ࡦͱͯ͠ͷDNS҉߸Խɻ DNS҉߸Խ͸Πϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ

  6. ࣌ؒతʹද໘ͳͧΔͩ ͚Ͱ͢

  7. Pervasive Monitoring is an Attack RFC 7258 2014/5

  8. DNS Privacy Considerations RFC 7626 2015/8

  9. None

  10. DNS over TLS (DoT) RFC 7858 2016/5

  11. DNS Queries over HTTPS (DoH) RFC 8484 2018/10

  12. DoT vs DoH • DoT͸port 853Λ࢖͏ɺDoH͸HTTPSͱಉ༷port 443Λ࢖͏ • DoT͸port 853ͷϒϩοΩϯάͰ๦֐Մೳ

    • DoH͸port 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ Ͱ͖ͳ͍ • ҰํͰΑ͘஌ΒΕ͍ͯΔDoHରԠαʔόʔ΁ͷIPϒϩοΩ ϯάΛߦ͑͹๦֐Մೳ

  13. Oblivious DNS over HTTPS draft-pauly-dprive-oblivious-doh -00 @ 2020/10, -03 @

    2020/12
  14. None
  15. None

  16. DNS over QUIC https:/ /adguard.com/ja/blog/dns- over-quic.html

  17. DNSCrypt, DNSCurve …͸ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ ͳ͍ͷͰུ

  18. None

  19. ࿦఺

  20. ஫: චऀ͸҉߸ԽਪਐدΓ Ͱ͢

  21. DoT/DoH/ODoH͸ ωοτϫʔΫ؅ཧऀʹ ͱͬͯ౎߹͕ѱ͍

  22. ͦΕ͸ ࢓༷Ͱ͢

  23. DNS҉߸Խ͸sysadminʹ౎ ߹͕ѱ͍ • ॾʑͷࣄ৘ • DNSΛ࢖ͬͯad-blocking, parental controlΛ͍ͨ͠ • DNSΛ࢖ͬͯϗϞάϥϑ߈ܸ΍typosquatting͔Β๷Ӵ͍ͨ͠

    • nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ • ͿͬͪΌ͚ ৗ࣌HTTPSԽ΍E2EE΋sysadminʹ౎߹͕ѱ͍

  24. DNS҉߸Խ͸sysadminʹ౎ ߹͕ѱ͍ • ͔͠͠DoT/DoH/ODoH͸ωοτϫʔΫ؅ཧऀ͕ѱҙΛ͍࣋ͬͯ ΔέʔεΛ૝ఆͯ͠σβΠϯ͞Ε͍ͯΔ • ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε • ϓϩόΠμͱ݁ୗͯ͠੓෎ػ͕ؔσʔλΛऩू͢Δέʔε •

    "Pervasive Monitoring is an Attack"

  25. stub-recursive, recursive- authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ ͸Ͱ͖Δ͔ʁ • pervasive monitoringͷରࡦʹ͸ͳΔɺrecursive͕ѱҙͷ͋Δέʔ ε͸ҙຯͳ͍ • IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘઀ଓઌೝূ͕ࠔ೉

    • ઀ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Ε͹pervasive monitoringͷରࡦ͸Մೳ

  26. PKIΛ࢖ͬͨTLS͕੒ཱ ͢Δͷ΋ׂͱDNSͷ͓ ͔͛Έ͍ͨͳͱ͜Ζ͕ ͋Δ

  27. DNSϒϩοΩϯάͱ͸ ʮΠϯλʔωοτΛڊ େͳΠϯτϥωοτͱ Έͳͯ͠؅ཧ͍ͨ͠ʯ ͱ͍͏͜ͱʹ૬౰

  28. DoT/DoH͸Πϯλʔωοτͷ தԝूݖԽΛଅ͢ • DoT/DoHαʔόʔ͸Ͳ͏΍ͬͯબ୒͞ΕΔͷʁ • ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱ͸ʁ • DoT/DoH͸৴༻ͷ໰୊ΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ όʔӡ༻ऀʹԡ͠෇͚͍ͯΔ͚ͩͰ͸ͳ͍͔ʁ •

    DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ
  29. None

  30. ·ͱΊ • DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ • DNS over TLS (DoT), DNS

    Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ ख๏ͩΑ • ҉߸Խ͞ΕΔͱsysadminʹ౎߹͕ѱ͍ɺ͚Ͳ࢓༷ͩΑ • ৴༻ͬͯԿͩΖ͏

  31. Questions? send to @s01 on Twitter