
Debugging DDR for Encrypted DNS with Ruby

Taketo Takashima
April 17, 2025


2025/4/17 RubyKaigi 2025 (Day 2 LT)
https://rubykaigi.org/2025/presentations/lt/


Transcript

  1. Encrypted DNS
     ✦ Traditional DNS name resolution uses UDP port 53 (Do53)
     ✦ Encryption mechanisms have emerged for privacy and security
     ✦ Protocols
       ✦ DNS over HTTPS (DoH)
       ✦ DNS over TLS (DoT)
       ✦ DNS over QUIC (DoQ)
     [Figure: Client ⇄ DNS Resolver, encrypted (HTTPS/TLS/QUIC)]
  2. How to Use Encrypted DNS?
     ✦ No configuration needed (if using the RubyKaigi network or a Public DNS)
       ✦ The web browser or OS automatically upgrades to an encrypted DNS resolver using DDR
     ✦ Or manual configuration via browser or OS settings
  3. About Discovery of Designated Resolvers (DDR)
     ✦ A set of mechanisms for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration.
     ✦ RFC 9462
     ✦ https://www.rfc-editor.org/rfc/rfc9462.html
  4. How DDR Works
     ✦ (1) Discovery Using Resolver IP Addresses
       ✦ DNS Query: SVCB _dns.resolver.arpa. (UDP/53)
     ✦ (2) Verified Discovery
       ✦ Certification Path Validation
       ✦ Subject Alternative Name (SAN)
     ✦ (3) Use of Designated Resolvers
       ✦ Encrypted DNS: DoH (h1.1, h2, h3), DoT, or DoQ
     Example SVCB records returned by the resolver:
       _dns.resolver.arpa. SVCB 1 dns.example.com. alpn="h2,h3" dohpath="/dns-query{?dns}"
       _dns.resolver.arpa. SVCB 2 dns.example.com. alpn="dot"
     [Figure: Client → (1) DNS Resolver → (2) → (3) Encrypted DNS Resolver]
  5. Challenges in Verifying DDR (1)
     ✦ Difficult to verify due to the wide variety of possible combinations
     Example: dns.example.com
       DNS Service Type (DoH/DoT/DoQ): DoH(h1.1), DoH(h2), DoH(h3), DoT, DoQ
       × Resolver IP Addresses (IPv4/IPv6): 203.0.113.1, 203.0.113.2, 2001:db8::1, 2001:db8::2
       × Verified Discovery
       = 20 patterns
  6. Challenges in Verifying DDR (2)
     ✦ Unclear which resolver/service is used from the application side (e.g., web browser)
     ✦ Encrypted traffic makes packet capture analysis difficult
     Which protocol is being used for name resolution? UDP/53, DoH/1.1, DoH/2, DoH/3, DoT or DoQ
     [Figure: Web developer tools (Firefox v137)]
  7. ddig gem
     ✦ DDR client / DNS client
     ✦ Output of a list of resolvers/protocols distributed by DDR, as well as name resolution with each resolver.
     ✦ https://github.com/taketo1113/ddig
  8. Usage
     ✦ List of Designated Resolvers and Verification Results
       $ ddig --ddr
       dot: dns.google:853 (8.8.4.4), unencrypted_resolver: 8.8.8.8, verify cert: true
       dot: dns.google:853 (8.8.8.8), unencrypted_resolver: 8.8.8.8, verify cert: true
       h2: dns.google:443 (8.8.8.8), path: /dns-query{?dns}, unencrypted_resolver: 8.8.8.8, verify cert: true
       h2: dns.google:443 (8.8.4.4), path: /dns-query{?dns}, unencrypted_resolver: 8.8.8.8, verify cert: true
       h3: dns.google:443 (8.8.4.4), path: /dns-query{?dns}, unencrypted_resolver: 8.8.8.8, verify cert: true
       h3: dns.google:443 (8.8.8.8), path: /dns-query{?dns}, unencrypted_resolver: 8.8.8.8, verify cert: true
       # SERVER: 8.8.8.8
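The two DDR steps that the `ddig --ddr` listing above reports (expanding the SVCB records from slide 4 into resolver candidates, then checking that the encrypted resolver's certificate names the unencrypted resolver's IP in its SAN) can be modelled in a few lines of Ruby. This is an added illustration, not code from the ddig gem; the SVCB records and the self-signed certificate are constructed fixtures, and the port defaults (443 for DoH, 853 for DoT/DoQ) are assumed from the SVCB "port" semantics.

```ruby
require "openssl"
require "ipaddr"

# Constructed SVCB answer set for _dns.resolver.arpa., modelled on the slide
# (an assumed input, not the result of a live query).
SVCB_RECORDS = [
  { priority: 1, target: "dns.example.com.",
    params: { "alpn" => "h2,h3", "dohpath" => "/dns-query{?dns}" } },
  { priority: 2, target: "dns.example.com.", params: { "alpn" => "dot" } },
].freeze

# Step (1): expand each SVCB record into one candidate per ALPN, applying the
# assumed defaults: DoH on 443 with dohpath, DoT/DoQ on 853 with no path.
def designated_resolvers(records, unencrypted_resolver)
  records.sort_by { |r| r[:priority] }.flat_map do |rec|
    host = rec[:target].chomp(".")
    rec[:params].fetch("alpn").split(",").map do |alpn|
      doh = alpn.start_with?("h")
      { alpn: alpn, host: host,
        port: (rec[:params]["port"] || (doh ? 443 : 853)).to_i,
        path: doh ? rec[:params].fetch("dohpath") : nil,
        unencrypted_resolver: unencrypted_resolver }
    end
  end
end

# Step (2): verified discovery requires the designated resolver's certificate to
# list the unencrypted resolver's IP in its SAN. Chain validation against a
# trust store is the other half and is not exercised on this self-signed fixture.
def san_covers_resolver?(cert, unencrypted_resolver)
  OpenSSL::SSL.verify_certificate_identity(cert, unencrypted_resolver)
end

# Self-signed leaf with the given SAN string, so the check runs offline
# (constructed test fixture, not a real resolver certificate).
def self_signed_cert(san)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=dns.example.com")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end
```

A candidate whose certificate lacks the resolver IP in its SAN is exactly the "verify cert: false" case the tool prints; a DDR client must then not upgrade to it.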
  9. Usage
     ✦ Name Resolution Results from All Designated Resolvers
     ✦ Supported Protocols
       ✦ UDP (Do53)
       ✦ DoH (h1.1)
       ✦ DoT
       ✦ DoH (h2/h3) and DoQ: not yet implemented
       $ ddig rubykaigi.org
       # Do53 (IPv4)
       rubykaigi.org A 3.165.11.52
       rubykaigi.org A 3.165.11.86
       ...
       rubykaigi.org AAAA 2600:9000:26ef:3000:7:104e:1d80:93a1
       rubykaigi.org AAAA 2600:9000:26ef:3600:7:104e:1d80:93a1
       ...
       # SERVER: 8.8.8.8
       # DDR
       ## DDR (#0) - dot: dns.google:853 (8.8.8.8), unencrypted_resolver: 8.8.8.8, verify cert: true
       rubykaigi.org A 3.165.11.36
       rubykaigi.org A 3.165.11.52
       ...
       rubykaigi.org AAAA 2600:9000:26ef:e600:7:104e:1d80:93a1
       rubykaigi.org AAAA 2600:9000:26ef:9000:7:104e:1d80:93a1
       ...
       # SERVER(Address): 8.8.8.8
       # PORT: 853
       ## DDR (#2) - h2: dns.google:443 (8.8.8.8), path: /dns-query{?dns}, unencrypted_resolver: 8.8.8.8, verify cert: true
       rubykaigi.org A 3.165.11.52
       rubykaigi.org A 3.165.11.36
       ...
       rubykaigi.org AAAA 2600:9000:26ef:600:7:104e:1d80:93a1
       rubykaigi.org AAAA 2600:9000:26ef:3000:7:104e:1d80:93a1
       ...
       # SERVER(Hostname): 8.8.8.8
       # SERVER(Path): /dns-query{?dns}
       # PORT: 443
       …(skip)
  10. Interop Tokyo
      ✦ The largest annual exhibition of Internet Technologies in Japan
      ✦ Over 200 booths and about 120,000 visitors for 3 days
      ✦ About 270 sessions in the exhibition and Interop conference
  11. ShowNet
      ✦ The Live Demonstration Network built at Interop Tokyo
      ✦ Conducting interoperability tests and demonstrations of the latest networking technologies every year
      ✦ Providing internet connectivity for Interop exhibitors and visitors
      ✦ Deploying DDR in the DNS service provided at ShowNet 2024
  12. Troubles Encountered During Setup
      ✦ DDR enabled, but name resolution via DoH doesn't work
        ✦ Typo: DoH server name :-)
        ✦ Certificate verification error: server certificate not properly deployed
      ✦ DDR worked fine in production at ShowNet 2024!
        $ ddig --ddr
        h2: cache.svc.inteorp-tokyo.net:443 (45.0.194.14), path: /dns-query{?dns}, verify cert: false
        h3: cache.svc.interop-tokyo.net:443 (45.0.194.14), path: /dns-query{?dns}, verify cert: false
        dot: cache.svc.interop-tokyo.net:853 (45.0.194.14), verify cert: true
  13. Conclusion
      ✦ Developed a Debugging DDR Tool
      ✦ Successfully provided DDR as a service at ShowNet 2024
      ✦ Try DDR in action over the RubyKaigi Wi-Fi!
  14. Special Thanks
      ✦ RubyKaigi NOC Team
        ✦ Provided the Wi-Fi network that enables DDR
        ✦ Debugging the DDR Debugging Tool at RubyKaigi 2024 & 2025