DNS Privacy Clients. Stubby, Mobile apps and beyond! dnsprivacy.org

Similar documents
DNS Privacy. EDU Tutorial dnsprivacy.org. Sara Dickinson Sinodun

DNS Privacy - Implementation and Deployment Status

Latest Measurements on DNS Privacy

The Importance of Being an Earnest stub

Where s my DNS? Sara Dickinson IDS 2. Where s my DNS?

Recommendations for DNS Privacy Service Operators

How to get a trustworthy DNS Privacy enabling recursive resolver

getdns API Implementation Update Update Willem Toorop NLnet Labs 14 May 2015 NLnet Labs

DNS Sessions. - where next? OARC 27 San Jose, Sep Sep 2017, San Jose. DNS OARC 27

Developing a monitoring plugin for DNS-over-TLS at the IETF hackathon

DoH and DoT experience. Ólafur Guðmundsson Marek Vavrusa

A New Internet? RIPE76 - Marseille May Jordi Palet

A New Internet? Introduction to HTTP/2, QUIC and DOH

Developing DNS-over-HTTPS clients and servers

QNAME minimisation. Ralph Dolmans (NLnet Labs) March 2016 Stichting NLnet Labs

Impact of security vulnerabilities in timing protocols on Domain Name System (DNS)

Is your DNS server up-to-date? Pieter Lexis Senior PowerDNS Engineer April 22 nd 2018

API implementation. Willem Toorop NLnet. Labs. 11 May NLnet. Labs

Update on DNS Privacy Measurements

Updates: 7858 (if approved) Intended status: Standards Track Expires: March 15, 2018 McAfee September 11, 2017

The Changing Landscape of the DNS

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track. McAfee March 2018

A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

Let s Encrypt and DANE

DNS64 and NAT64. IPv6 Migration workshop for IETF and 3GPP. November 5-6, 2009 Shanghai, China. Simon Perreault Viagénie

DNS(SEC) client analysis

Towards Secure Name Resolution on the Internet

Understanding and Characterizing Hidden Interception of the DNS Resolution Path

Session initiation protocol & TLS

DNS Flag day. A tale of five cctlds. Hugo Salgado,.CL Sebastián Castro,.NZ DNS-OARC 29, Amsterdam

Feature Comparison Checklist

DNSSEC Workshop. Dan York, Internet Society ICANN 54 October 2015

The DNS Camel. Or How many features can we add to this protocol before it breaks? Bert Hubert /

DNS Survival Guide. Artyom Gavrichenkov

DANE, why we need it. Daniel Stirnimann Bern, 29. March SWITCH 1

John S. Otto Mario A. Sánchez John P. Rula Fabián E. Bustamante

Domain Name System (DNS) Session 2: Resolver Operation and debugging. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

Measuring the effects of DNSSEC deployment on query load

Introduction to the DANE Protocol

Application Layer. Applications and application-layer protocols. Goals:

VMware Tunnel on Linux. VMware Workspace ONE UEM 1811

ECE 435 Network Engineering Lecture 7

IETF Working Groups Working Groups in:

Evaluation and consideration of multiple responses. Kazunori Fujiwara, JPRS OARC 28

Fencing the Cloud. Roger Casals. Senior Director Product Management. Shared vision for the Identity: Fencing the Cloud 1

Network Requirements

DANE Demonstration! Duane Wessels, Verisign! ICANN 49 DNSSEC Workshop! March 26, 2014!

What s new in TLS 1.3 (and OpenSSL as a result) Rich Salz

August 14th, 2018 PRESENTED BY:

DNSSEC: what every sysadmin should know to keep things working

Request for Comments: 3764 Category: Standards Track April enumservice registration for Session Initiation Protocol (SIP) Addresses-of-Record

BT CLOUD VOICE COMMUNICATOR USER GUIDE.

Cloud Security Whitepaper

Internet and Intranet Protocols and Applications

eduvpn François Kooman

Root KSK Roll Update Webinar

Why do we really want an ID/locator split anyway?

Building a Kubernetes on Bare-Metal Cluster to Serve Wikipedia. Alexandros Kosiaris Giuseppe Lavagetto

Back-end architecture

DNSSEC Basics, Risks and Benefits

SaaS Providers. ThousandEyes for. Summary

SIP Compliance APPENDIX

What Is Wireless Setup

CloudFleet Documentation

Desktop sharing with the Session Initiation Protocol

Identifier Technology Health Indicators (ITHI) Alain Durand, Christian Huitema 13 March 2018

On Host Identity Protocol

Last mile authentication problem

TLS 1.3. Eric Rescorla Mozilla draft-ietf-tls-tls13-21 IETF 100 TLS 1

SR-201 Network Relay Quick Start Guide

perdition: Mail Retrieval Proxy

Unbound in C. San Diego Wouter Wijngaards Stichting NLnet Labs

Overview of Open Source Tools for DNSSEC

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Lecture 4 Naming. Prof. Wilson Rivera. University of Puerto Rico at Mayaguez Electrical and Computer Engineering Department

TAPS-related topics from the NEAT project. Naeem Khademi (NEAT project) TAPS WG - IETF 97 Seoul- South Korea 16 November 2016

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

2017 DNSSEC KSK Rollover. DSSEC KSK Rollover

Web as a Distributed System

What we did last OARC. Keith Mitchell DNS-OARC RIPE77 DNS WG Amsterdam, Oct 2018

Computer Networks. Wenzhong Li. Nanjing University

Application Layer: OSI and TCP/IP Models

Considerations and Actions of Content Providers in Adopting IPv6

Skype for Business for Android

SSL Orchestrator Reference Guide. Version

Magister 6 API Documentation

Stichting NLnet Labs NLnet Labs

RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal ---

MAN-IN-THE-MACHINE: EXPLOIT ILL-SECURE COMMUNICATION INSIDE THE COMPUTER

SSSD. Client side identity management. LinuxDays 2012 Jakub Hrozek

IPv6 How-To for a Registry 17th CENTR Technical Workshop

SIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels

Transport Layer Security

ProxyCap Help. Table of contents. Configuring ProxyCap Proxy Labs

Application-layer Protocols

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Configuring SSL. SSL Overview CHAPTER

DNSSEC Basics, Risks and Benefits

QUIC. Internet-Scale Deployment on Linux. Ian Swett Google. TSVArea, IETF 102, Montreal

BIG-IP Local Traffic Management: Profiles Reference. Version 12.1

Transcription:

DNS Privacy Clients Stubby, Mobile apps and beyond! dnsprivacy.org Sara Dickinson Allison Mankin Willem Toorop sara@sinodun.com amankin@salesforce.com willem@nlnetlabs.com OARC 27 San Jose, Sep 2017

Overview What do we mean here by DNS Privacy? What clients support DNS Privacy today? Comparison of features Shameless plug for Stubby Wish list 2

FUNCTIONALITY DNS Privacy (stub to recursive) Concentrate on DNS-over-TLS (RFC7858) No implementations of DNS-over-DTLS (RFC8094) DNSCrypt not standard, HTTPS, QUIC Good TCP (RFC7766, RFC7828) Pipeline queries over persistent connections, handle OOOR, TCP Fast open, etc. Good TLS (RFC7525, TLS 1.2, Session resumption) 3

FUNCTIONALITY DNS Privacy (stub to recursive) EDNS0 Padding to hide msg size (RFC7830, draft) EDNS0 Client Subnet (to prevent ECS upstream) TLS authentication of server (draft-tls-profiles) Authentication name/spki pinset DANE, TLS DNSSEC Chain Extension Strict vs Opportunistic Usage profile 4

Authentication in FUNCTIONALITY DNS-over-TLS Profiles draft defines 2 Usage profiles: Strict Do or do not. There is no try. Opportunistic Success is stumbling from failure to failure with no loss of enthusiasm 5

Authentication in FUNCTIONALITY DNS-over-TLS Profiles draft defines 2 Usage profiles: Strict (Encrypt & Authenticate) or Nothing Do or do not. There is no try. Opportunistic Success is stumbling from failure to failure with no loss of enthusiasm 5

Authentication in FUNCTIONALITY DNS-over-TLS Profiles draft defines 2 Usage profiles: Strict (Encrypt & Authenticate) or Nothing Do or do not. There is no try. Opportunistic Success is stumbling from failure to failure with no loss of enthusiasm Try in order: 1. Encrypt & Authenticate then 2. Encrypt then 3. Clear text 5

USABILITY DNS Privacy Client Usability DNS Privacy is a new paradigm for end users End users are a new paradigm for DNS people! 6

USABILITY DNS Privacy Client Usability DNS Privacy is a new paradigm for end users End users are a new paradigm for DNS people! Uptake critically dependant on clients being usable Usable Security : Good GUIs aren t enough - users still struggle with the basics if they don t understand what they are doing (DNSSEC, HTTPS, PGP) 6

Flavours of client Desktop system resolvers Command line tools/libraries/forwarders Mobile DISCLAIMER!! Not exhaustive, other DNS clients are available All data here are to the best of my knowledge! Please send corrections/updates/additions to sara@sinodun.com 7

Desktop System resolvers TLS support Linux libc, systemd* macos Windows 8

Desktop System resolvers TLS support Linux libc, systemd* macos Windows But then again, think about DNSSEC support 8

STUB Command line tools Features getdns_query kdig delv (dig) drill DNS ECS privacy 9.12 TCP Pipelining OOOR Keepalive/DSO 9.12 TCP Fast Open 9.12 TLS TLS Authentication Strict vs Oppo EDNS0 Padding 9.12 Dark Green: Light Green: Yellow: Grey: Latest stable release supports this Patch available Patch/work in progress Not applicable or not yet planned 9

STUB Libraries Features getdns libknot libunbound ldns dnsmasq DNS TCP ECS Privacy Pipelining OOOR Keepalive/DSO TCP Fast Open TLS TLS Authentication Strict vs Oppo EDNS0 Padding Dark Green: Light Green: Yellow: Grey: Latest stable release supports this Patch available Patch/work in progress Not applicable or not yet planned 10

STUB Local forwarders Features stubby (getdns) Stub unbound proxy (stunnel) DNS TCP ECS Privacy Pipelining OOOR Keepalive/DSO TCP Fast Open TLS TLS Authentication Strict vs Oppo EDNS0 Padding Dark Green: Light Green: Yellow: Grey: Latest stable release supports this Patch available Patch/work in progress Not applicable or not yet planned 11

STUB Local forwarders Features stubby (getdns) Stub unbound proxy (stunnel) DNS TCP ECS Privacy Pipelining OOOR Keepalive/DSO TCP Fast Open TLS TLS Authentication Strict vs Oppo EDNS0 Padding Dark Green: Light Green: Yellow: Grey: Latest stable release supports this Patch available Patch/work in progress Not applicable or not yet planned 11 Knot resolver support coming soon!

Mobile Native support Apps Android IETF 99 Hackathon: WIP on Opportunistic DNS-over-TLS ios Work inprogress!! Wrapper around Stubby: dnsdisco.com, GitHub repo 12

CLIENTS Stubby A privacy enabling stub resolver: User Guide From getdns team, but is now a standalone application And a movie (Stg. Stubby movie) Daemon listening on localhost, TLS proxy Comes with config for experimental servers, including authentication information (Strict is easy) 13

CLIENTS Stubby status Command line tool - for advanced users 1.2 release: Stability improvements, YAML for config Linux Packages for getdns, not yet for Stubby macos: Homebrew formula for stubby service NEW! Windows binary NEW! macos: GUI prototype NEW! 14

CLIENTS Stubby status Command line tool - for advanced users 1.2 release: Stability improvements, YAML for config Linux Packages for getdns, not yet for Stubby macos: Homebrew formula for stubby service NEW! Windows binary macos: GUI prototype NEW! NEW! Funded by NLnet Foundation and Salesforce! 14

CLIENTS Subby GUI preview Prototype! HELP WANTED

RECURSIVE Experimental! Test DNS Privacy servers Details on dnsprivacy.org: DNS Test Servers

Wish list Windows support (targeting non-technical users) ios: Native support Large open resolver offering DNS-over-TLS Usable security research on DNS Privacy (NDSS 2018) More testing at IETF 100!! 17

Thank you! Any Questions? dnsprivacy.org 18

Additional slides

DNS Auth using DANE DNS Privacy client [DNSSEC] DNS Privacy server 1: Obtain a Auth Domain name & IP address (1a) Configure Auth domain name Do Opportunistic A lookup 20

DNS Auth using DANE DNS Privacy client [DNSSEC] DNS Privacy server 1: Obtain a Auth Domain name & IP address (1a) Configure Auth domain name Do Opportunistic A lookup 2a: Opportunistic lookup of DANE records for server Validate locally with DNSSEC 20

DNS Auth using DANE DNS Privacy client [DNSSEC] DNS Privacy server 1: Obtain a Auth Domain name & IP address (1a) Configure Auth domain name Do Opportunistic A lookup 2a: Opportunistic lookup of DANE records for server Validate locally with DNSSEC 20

DNS Auth using DANE DNS Privacy client [DNSSEC] TLS DNS Privacy server 1: Obtain a Auth Domain name & IP address (1a) Configure Auth domain name Do Opportunistic A lookup 2a: Opportunistic lookup of DANE records for server Validate locally with DNSSEC 20

DNS Auth using DANE DNS Privacy client [DNSSEC] TLS DNS Privacy server 1: Obtain a Auth Domain name & IP address (1a) Configure Auth domain name Do Opportunistic A lookup 2a: Opportunistic lookup of DANE records for server Validate locally with DNSSEC 20

TLS DNSSEC Chain Extension DNS Privacy client [DNSSEC] DNS Privacy server 1: Obtain a Auth Domain name & IP address (1a) Configure Auth domain name Do Opportunistic A lookup 21

TLS DNSSEC Chain Extension DNS Privacy client [DNSSEC] DNS Privacy server 1: Obtain a Auth Domain name & IP address 0 (or 2): Obtains DANE records for itself! (1a) Configure Auth domain name Do Opportunistic A lookup 21

TLS DNSSEC Chain Extension DNS Privacy client [DNSSEC] Client Hello: TLS DNSSEC Chain Ext DNS Privacy server 1: Obtain a Auth Domain name & IP address 0 (or 2): Obtains DANE records for itself! (1a) Configure Auth domain name Do Opportunistic A lookup 21

TLS DNSSEC Chain Extension DNS Privacy client [DNSSEC] Client Hello: TLS DNSSEC Chain Ext Server Hello: Server DANE records DNS Privacy server 1: Obtain a Auth Domain name & IP address 0 (or 2): Obtains DANE records for itself! (1a) Configure Auth domain name Do Opportunistic A lookup 21

TLS DNSSEC Chain Extension DNS Privacy client [DNSSEC] Client Hello: TLS DNSSEC Chain Ext Server Hello: Server DANE records DNS Privacy server 1: Obtain a Auth Domain name & IP address 0 (or 2): Obtains DANE records for itself! (1a) Configure Auth domain name Do Opportunistic A lookup 21

TLS DNSSEC Chain Extension DNS Privacy client [DNSSEC] Client Hello: TLS DNSSEC Chain Ext Server Hello: Server DANE records DNS Privacy server 1: Obtain a Auth Domain name & IP address 0 (or 2): Obtains DANE records for itself! (1a) Configure Auth domain name Do Opportunistic A lookup Reduces Latency Eliminates need for intermediate recursive 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback