DNS-over-HTTPS (DoH)
Arve Gengelbach
October 25, 2019
Cryptoparty, Uppsala
HTTPS
HTTPS
Encrypt traffic to ensure confidentiality, integrity and authenticity.
• Only browser and server read the communication
• The content is not modified
• The sender is talking to the intended server
DNS
DNS: An address book
• Address book: Anna Svensson → Drottninggata 1, Uppsala
• DNS resolver: www.uu.se → 130.238.7.133 and 130.238.7.134
The DNS resolver answers the question: At which IP addresses is www.uu.se reachable?
Demo: Look at a DNS packet (with Wireshark)
We trace the DNS traffic with
    # tcpdump -i any -w do53.pcap -s 0 port 53
while accessing www.uu.se (with
    $ ping -c 1 www.uu.se
).
DNS - a decentralised address book
Potential Threats
Potential Threats
By default, DNS traffic is clear text (unencrypted), so it exposes metadata about the services that you use.
Which resolver to use?
You choose your DNS resolver (e.g. the one your ISP suggests).
ISP: Internet Service Provider
Which resolver to use?
Applications use the OS's DNS resolver.
DNS-over-HTTPS
DNS-over-HTTPS
The client and the DNS resolver communicate encrypted, over HTTPS (port 443 rather than unencrypted port 53).
Look at traffic of DNS-over-HTTPS (Demo)
We resolve www.uu.se with the DoH resolver fi.doh.dns.snopyta.org.
1. DNS query: fi.doh.dns.snopyta.org → 95.216.24.230
2. HTTPS request to: https://95.216.24.230/dns-query?name=www.uu.se
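The two demos can be reproduced offline. The following is an added example (not part of the talk) that builds the same wire-format DNS query for www.uu.se that the tcpdump capture shows on port 53, wraps those bytes into the RFC 8484 GET form of a DoH request (the `dns=` parameter, base64url without padding; the slide's `?name=` URL is the JSON-style API that some resolvers additionally offer), and parses a constructed response carrying the two addresses from the slides. The transaction id, TTL and the response message are constructed for illustration; the resolver name and the addresses are the ones the talk uses.

```python
import base64
import struct

# Constructed values taken from the slides: the name that the demo resolves,
# the DoH resolver it uses, and the two addresses the talk shows for www.uu.se.
DEMO_NAME = "www.uu.se"
DEMO_RESOLVER = "fi.doh.dns.snopyta.org"
DEMO_ANSWERS = ["130.238.7.133", "130.238.7.134"]


def build_query(name, txid=0x1234):
    """Build a wire-format DNS query (RFC 1035) for the A records of `name`.

    These are the same bytes that the clear-text demo captures on port 53.
    """
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def doh_get_url(resolver_host, query):
    """RFC 8484 GET form: the raw query, base64url-encoded without padding,
    in the `dns` parameter of the /dns-query endpoint."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}/dns-query?dns={encoded}"


def build_response(query, ips, ttl=300):
    """Constructed reply to `query` with one A record per address in `ips`.

    The answer owner names use a compression pointer (0xC00C) back to the
    question name, as real resolvers do, so parse_response must handle pointers."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD, RA
    answers = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def parse_response(msg):
    """Parse a DNS response message; return (question name, list of A-record IPs)."""

    def read_name(off):
        labels, end = [], None
        while True:
            length = msg[off]
            if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, then jump
                pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
                end = end if end is not None else off + 2
                off = pointer
                continue
            if length == 0:
                off += 1
                break
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
        return ".".join(labels), (end if end is not None else off)

    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    qname = ""
    for _ in range(qdcount):
        qname, offset = read_name(offset)
        offset += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _owner, offset = read_name(offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(".".join(str(b) for b in rdata))
    return qname, ips


def demo():
    """Recreate both demos offline: the clear-text query bytes, the DoH URL
    that carries the same bytes, and the parsed (constructed) answer."""
    query = build_query(DEMO_NAME)
    url = doh_get_url(DEMO_RESOLVER, query)
    name, ips = parse_response(build_response(query, DEMO_ANSWERS))
    return query, url, name, ips


if __name__ == "__main__":
    query, url, name, ips = demo()
    print("Do53 query bytes:", query.hex())
    print("DoH GET:", url)
    print("Answer:", name, "->", ", ".join(ips))
```

The printed query bytes are what Wireshark decodes from do53.pcap: anyone on the path reads the name in the clear. In the DoH variant the identical bytes sit inside the TLS-protected request, so only the resolver's hostname (from the bootstrap DNS lookup and the TLS handshake) remains visible to the network.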
Discussion of DNS-over-HTTPS
• Encrypted connection only between client and DoH resolver (not between resolvers)
• DoH lookups are indistinguishable from other (HTTPS) traffic
• Hostnames are still exposed (of any server, and of the DoH server)
• To learn the IP of the DoH resolver, a clear-text DNS lookup is necessary:
  DNS query: fi.doh.dns.snopyta.org → 95.216.24.230
• Domain names may be local, e.g. goldfish.mycompany
Discussion of DNS-over-HTTPS (2)
• Centralises DNS to fewer DoH resolvers
• A DNS query no longer comes from the same origin as a later HTTP query, e.g. streaming media from Content Delivery Networks
• DoH makes it harder to monitor/filter traffic, e.g. for
  • parental control
  • malware
  • an authoritarian regime
• DNS is slightly faster than DoH
• Easy to block DNS, hard to block HTTPS
“DoH is incompatible with the basic architecture of the DNS because it moves control plane (signaling) messages to the data plane (message forwarding), and that’s a no-no.”
(Paul Vixie, 2018)
Support
• Clients, e.g. Firefox, Chrome, curl, Opera
• Lists of DoH servers at Privacytools.io and in the curl wiki
References & License
• Lin Clark, “A cartoon intro to DNS over HTTPS”, Mozilla Hacks Blog, May 31, 2018
• Illustrations by Lin Clark
• Paul Vixie, “DNS Wars: Episode IV - A New Workaround”, Presentation at Elbsides Conference, September 16, 2019
• Photo of goldfish by Nikhil Thomas
• The DNS Privacy Project
License: Creative Commons Attribution Share-Alike License v3.0