DNS Related Stuff @ IETF 105

sylph01
September 07, 2019

DNS Related Stuff @ IETF 105

Presented @ DNS-Onsen 6, during "the drunkards LT session"
https://atnd.org/events/107142


Transcript

  1. DNS Related Stuff @ IETF105 sylph01 (Ryo Kajiwara) DNS-Onsen 6

  2. Who? Ryo Kajiwara (sylph01). Twitter: @s01. I can do crypto and such, i.e. the layers above TLS. DNS: no clue at all.

  3. Plug: I wrote a book called "DNSDNS Resolution" and distributed it at Techbookfest 6 (this April). It covers DNS security and privacy topics: attacks on DNS, DNS blocking, DNSSEC, DNS over TLS/HTTPS and so on.

    The print edition sold out, but I brought a sample copy. The e-book edition is still being distributed. Harsh criticism welcome.
  4. Plug 2: Likewise at Techbookfest 4 (last year) I put out a book called "Dark Depths of SMTP". No commercial Japanese book on SMTP has come out in 5+ years, so it is a rare up-to-date book for this field.

    It naturally covers SPF, DKIM, DMARC and so on. The print edition of this one is also sold out; the e-book edition is still being distributed. The Touhou elements are only on the cover.
  5. https://cryptic-command.net

  6. None
  7. So, I went to IETF 105 (7/20-26) (my first time attending).

  8. The main reason I went was Messaging Layer Security, but I talked about that elsewhere; see https://bit.ly/2LuvrAv

  9. None
  10. ANRW (Applied Network Research Workshop)

  11. Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path

    A study that used large-scale measurement to reveal the existence and characteristics of on-path devices that intercept traffic to public DNS servers and return different IP addresses. 7.36% of ASes worldwide, and 17.13% of those in China, were found to perform this kind of interception.
  12. Who Is Answering My Queries (cont.)

    For what actually happens, the write-up at https://labs.ripe.net/Members/babak_farrokhi/is-your-isp-hijacking-your-dns-traffic is easy to follow.
    At http://whatismydnsresolver.com/ you can check your own environment (this site was set up by the research team).
  13. Who Is Answering My Queries (cont.)

    • Global analysis: traffic is attempted from a large number of IP addresses through a proxy network using TCP SOCKS
    • Joint research with a company that develops a network debugging tool for mobile users; this made DNS over UDP measurable as well
  14. Oblivious DNS: Practical Privacy for DNS Queries

    In today's DNS the recursive resolver can collect a great deal of privacy-relevant information about users. Public DNS is not a solution either: it merely hands the trust to them. This proposal tries to separate user-identifying information from the query content in a way that is compatible with the existing infrastructure.
  15. Oblivious DNS

    Takes the approach of "tunneling DNS over DNS".
    • The stub resolver converts the domain into an encrypted format
    • The recursive resolver cannot see the actual content of the query
    • It can see the user's identity
    • The ODNS authoritative server plays the role of the actual recursive resolver
    • This way, the ODNS side cannot see the user's identity
  16. None
  17. None
  18. Oblivious DNS

    What happens to performance?
    • Encryption overhead is 1-2 ms, since it is symmetric-key crypto
    • Latency to the ODNS resolver is added to every query
    • WAN latency can be reduced by deploying at scale with anycast via a CDN
    • But doing it with anycast creates an encryption-key distribution problem
    • Caches become less effective, which is a real problem
  19. Analyzing the Costs (and Benefits) of DNS, DoT, and DoH for the Modern Web

    DoH is sometimes faster than Do53. Why?
    • The effect of HTTP caching of the DNS wire format
    • On lossy networks, DoT/DoH > Do53 thanks to TCP's retransmission control
  20. What Can You Learn from an IP? (from Measurement and Optimisation)

    DNS query requests/responses are now encrypted by DoH/DoT, the SNI by Encrypted SNI, and the server certificate by TLS 1.3. All an attacker can see is the IP. So what information does an IP give an attacker for identifying users? -> Quite a lot, as it turns out. rDNS does not yield much, so they build an IP → domain mapping by large-scale crawling.
  21. What Can You Learn from an IP?

    • 47.6% of IPs have an anonymity set (the set of domains attached to one IP) of size 1
    • The largest anonymity set has 16000+ members
    • 68% of IP addresses are unique to a single site
    • Identification can be narrowed down further by obtaining the set of IP addresses loaded during page load
    • Countermeasure: changes to hosting infrastructure, such as randomizing CDN IP addresses.
  22. What Can You Learn from an IP?

    What I personally found interesting: if "IPv6 for IPv4 exhaustion, so SNI isn't needed" is pushed all the way, you end up with IP addresses of anonymity set 1 everywhere and fingerprinting by IP address becomes easy; consequently, the importance of SNI may be shifting from an IPv4-exhaustion measure to privacy.
  23. None
  24. dnsop

  25. interoperable dns server cookies
    https://datatracker.ietf.org/doc/draft-sury-toorop-dnsop-server-cookies/

    DNS Server Cookies are a mechanism that provides (limited) protection against amplification attacks, off-path cache poisoning and the like. To be genuinely useful they need to be deployed by many servers, hence the wish to make them interoperable between servers.
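The interoperability the draft is after comes from fixing the server-cookie algorithm itself, so that any server (or any node in an anycast set sharing the secret) can verify a cookie minted by another. The following is an added example, not code from the talk or from any DNS implementation: it builds and verifies server cookies in the layout I read from draft-sury-toorop-dnsop-server-cookies (Version | Reserved | Timestamp | SipHash-2-4 of client cookie, that prefix and the client IP, keyed by a 16-byte server secret). The secret, client cookie and addresses are constructed sample values, and the freshness window (1 hour past, 5 minutes future) is the draft's recommendation as I recall it, not a value from the slides.

```python
"""DNS Server Cookie construction in the interoperable format (added example)."""
import hmac
import ipaddress
import struct

MASK64 = (1 << 64) - 1
VERSION = 1
RESERVED = b"\x00\x00\x00"
MAX_PAST = 3600     # seconds a cookie stays valid after its timestamp (assumed window)
MAX_FUTURE = 300    # clock-skew allowance (assumed window)


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key, msg):
    """SipHash-2-4 of msg under a 16-byte key; returns the 8-byte little-endian tag."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v = [k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573]

    def absorb(word):                 # one compression step: 2 rounds per 64-bit word
        v[3] ^= word
        v[:] = _sipround(*_sipround(*v))
        v[0] ^= word

    n = len(msg)
    full = n - n % 8
    for i in range(0, full, 8):
        absorb(int.from_bytes(msg[i:i + 8], "little"))
    # final word: leftover bytes plus the message length in the top byte
    absorb(((n & 0xFF) << 56) | int.from_bytes(msg[full:], "little"))
    v[2] ^= 0xFF                      # finalization: 4 rounds
    for _ in range(4):
        v[:] = _sipround(*v)
    return struct.pack("<Q", v[0] ^ v[1] ^ v[2] ^ v[3])


def make_server_cookie(client_cookie, client_ip, secret, timestamp):
    """Mint the 16-byte server cookie for one client cookie / source address."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be 8 bytes")
    prefix = bytes([VERSION]) + RESERVED + struct.pack(">I", timestamp & 0xFFFFFFFF)
    ip_bytes = ipaddress.ip_address(client_ip).packed      # 4 or 16 octets
    return prefix + siphash24(secret, client_cookie + prefix + ip_bytes)


def verify_server_cookie(cookie, client_cookie, client_ip, secret, now):
    """True only if this cookie was minted under our secret for this client and is fresh."""
    if len(cookie) != 16 or cookie[0] != VERSION or cookie[1:4] != RESERVED:
        return False
    ts = struct.unpack(">I", cookie[4:8])[0]
    if not (-MAX_FUTURE <= now - ts <= MAX_PAST):          # plain window, no serial wrap
        return False
    expected = make_server_cookie(client_cookie, client_ip, secret, ts)
    return hmac.compare_digest(expected, cookie)           # constant-time compare


if __name__ == "__main__":
    secret = bytes(range(16))                    # constructed; use a random secret for real
    cc = bytes.fromhex("2464c4abcf10c957")       # constructed client cookie
    sc = make_server_cookie(cc, "192.0.2.53", secret, 1_567_814_400)
    print(sc.hex())
    print(verify_server_cookie(sc, cc, "192.0.2.53", secret, 1_567_814_400 + 60))
    print(verify_server_cookie(sc, cc, "198.51.100.7", secret, 1_567_814_400 + 60))
```

Because the hash covers the client IP and the timestamp, a cookie replayed from another source address, or one older than the window, fails verification without the server having to keep any per-client state; two servers sharing the secret accept each other's cookies, which is the point of fixing the format.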
  26. ANAME
    https://datatracker.ietf.org/doc/draft-ietf-dnsop-aname/

    Started out as "CNAME on apex", but the draft is titled "Address-specific DNS aliases". Lets the apex domain name be an alias. Unlike CNAME, it can coexist with other record types. Plan: properly separate its role from httpssvc, simplify, then WGLC.
  27. HTTPSSVC

    We want a single record bundling the information needed for an HTTPS connection:
    • The key for Encrypted SNI (-> the ESNI DNS record)
    • Alt-Svc indicating that HTTP/2 or HTTP/3 can be used (-> currently carried in HTTP response headers etc.)
    • ...
  28. HTTPSSVC

        example.com.      2H IN HTTPSSVC 0 0 svc.example.net.
        svc.example.net.  2H IN HTTPSSVC 1 2 svc3.example.net. "hq=\":8003\" \
                                                                esnikeys=\"...\""
        svc.example.net.  2H IN HTTPSSVC 1 3 svc2.example.net. "h2=\":8002\" \
                                                                esnikeys=\"...\""

    (Isn't having subtyping a pain to implement...? Even if new formats can be added, they will never get supported. DNSKEY, for example.)
  29. RDBD
    https://datatracker.ietf.org/doc/draft-brotman-rdbd/

    "Related Domains By DNS": indicates whether domains are related to each other. A DNSSEC-like signature carried in an RDBD RRtype.
  30. DNS Resolver Information Self-Publication
    https://datatracker.ietf.org/doc/draft-ietf-dnsop-resolver-information/

    Was looking for WG adoption -> adopted by the WG. The goal is a standard way to learn how a DoH endpoint behaves: the DNS resolver can announce that information itself.
  31. Avoid Fragmentation
    https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-avoid-fragmentation/

    From Mr. Fujiwara of JPRS. The gist: when TCP, which is more robust against fragmentation, cannot be used, set the EDNS0 UDP payload size to 1220 (= the minimum value from RFC 4035) so that fragmentation does not occur.
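The advertised UDP payload size lives in the CLASS field of the EDNS0 OPT pseudo-RR, so "set it to 1220" is a two-byte change in the additional section. The block below is an added example, not code from the draft or the talk: it builds a minimal query carrying an OPT RR with the draft's 1220-octet value, finds and reads that field back out of any DNS message (compression pointers included, so it works on responses too), and clamps an oversized advertisement down to the limit the draft recommends. The query name, transaction ID and the 4096-byte sample are constructed.

```python
"""Setting and checking the EDNS0 UDP payload size (added example)."""
import struct

RECOMMENDED_UDP_SIZE = 1220   # the draft's value for the UDP-only case
TYPE_OPT = 41                 # OPT pseudo-RR type (RFC 6891)


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, udp_size=RECOMMENDED_UDP_SIZE):
    """Minimal recursive query; udp_size=None omits EDNS0 entirely."""
    arcount = 0 if udp_size is None else 1
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD set
    question = _encode_name(qname) + struct.pack(">HH", qtype, 1)
    if udp_size is None:
        return header + question
    # OPT pseudo-RR: root owner name, TYPE 41, CLASS carries the UDP payload
    # size, TTL carries extended RCODE/version/flags (all zero), no RDATA.
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _find_opt(msg):
    """Offset of the OPT RR's TYPE field, or None if the message has no OPT."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return off
        off += 10 + rdlen
    return None


def advertised_udp_size(msg):
    """UDP payload size advertised in the OPT RR, or None without EDNS0."""
    off = _find_opt(msg)
    return None if off is None else struct.unpack(">H", msg[off + 2:off + 4])[0]


def clamp_advertised_size(msg, limit=RECOMMENDED_UDP_SIZE):
    """Copy of msg with the OPT payload size lowered to limit if it was larger."""
    off = _find_opt(msg)
    if off is None or advertised_udp_size(msg) <= limit:
        return msg
    return msg[:off + 2] + struct.pack(">H", limit) + msg[off + 4:]


def fragmentation_risk(msg):
    size = advertised_udp_size(msg)
    if size is None:
        return "no EDNS0: classic 512-byte limit, no fragmentation"
    if size <= RECOMMENDED_UDP_SIZE:
        return "ok"
    return f"advertises {size} bytes: responses may be fragmented"


if __name__ == "__main__":
    for size in (RECOMMENDED_UDP_SIZE, 4096, None):
        q = build_query("example.com", udp_size=size)          # constructed query
        print(size, len(q), fragmentation_risk(q))
    print(advertised_udp_size(clamp_advertised_size(build_query("example.com", udp_size=4096))))
```

A resolver or authoritative server that wants to follow the draft applies the clamp on both what it advertises in its own queries and what it honours from a requester, since the responder sends up to the smaller of its own limit and the requester's advertised size.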
  32. draft-krecicki-dns-covert-00
    "Domain Name System (DNS) Resource Record types for transferring covert information from primary to secondaries"

    A proposal for a way to zone-transfer information that should never be queryable (NSEC5 keys, the ZSK for inline signing, ...) from the primary to secondaries. It proposes introducing domain records for this, but frankly the prevailing opinion was "don't do this with DNS RRs".
  33. None
  34. add (Applications Doing DNS)

    A BoF on all sorts of DoH/DoT matters; frankly it was all over the place.
    • How should DoH be deployed? Write a BCP?
    • Which group is going to handle this area?
    • "Do it in DNSOP", but wait, is this really "ops"?
    • DNSOP has effectively turned into the DNS WG, so doesn't it need refactoring?
  35. None
  36. Bonus: non-technical part

  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None
  44. None
  45. None