The DoH dilemma
Impacts of DNS-over-HTTPS on how the Internet works
Vittorio Bertola, DNS Symposium 2019
1. What does DoH do?
What is DoH?
DNS-over-HTTPS (RFC 8484)
New IETF standard by Web people (that also operate public resolvers)
Transmits DNS queries to the resolver over an HTTPS connection (encrypted)
Can be used by any HTTPS-speaking app, bypassing the OS and its settings
Requires upgraded DNS / Web servers
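As an added example (not part of the slides), the following Python shows what «transmits DNS queries over an HTTPS connection» means on the wire in RFC 8484: the query is an ordinary DNS packet, sent either as a POST body or base64url-encoded in a GET parameter, here against an assumed placeholder resolver URL. With transaction ID 0, the query for www.example.com yields the exact `dns=` parameter that RFC 8484 uses in its own example.

```python
import base64
import struct

# RFC 8484: a DoH message is an ordinary DNS wire-format packet carried over
# HTTPS, either as a POST body or base64url-encoded in the "dns" GET parameter.
DOH_MEDIA_TYPE = "application/dns-message"
RESOLVER_URL = "https://doh.example.net/dns-query"  # assumed placeholder endpoint


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a one-question DNS query (qtype 1 = A, class IN).

    RFC 8484 recommends transaction ID 0: identical questions then produce
    identical HTTP requests, which HTTP caches can serve.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes, resolver_url: str = RESOLVER_URL) -> str:
    """GET form: unpadded base64url of the packet in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def doh_post_request(query: bytes) -> dict:
    """POST form: raw packet as the body, typed as application/dns-message."""
    return {"method": "POST",
            "headers": {"Content-Type": DOH_MEDIA_TYPE,
                        "Accept": DOH_MEDIA_TYPE},
            "body": query}


def decode_dns_param(param: str) -> bytes:
    """Reverse of doh_get_url: restore base64 padding and decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(msg: bytes) -> tuple:
    """Return (name, qtype) from the question section of a DNS packet."""
    # Answer sections may use compression pointers; the question does not.
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype
```

Because the packet travels inside TLS on port 443, nothing on the path between device and resolver can see the question, which is precisely the property the rest of the talk weighs against the loss of local control.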
Three main changes to resolution
1. The device-to-resolver connection is encrypted and hidden inside Web traffic
2. Each application can use a different resolver (DNS becomes an application-level service, not a network one)
3. Each application maker gains control of resolver choice and can hardwire a remote resolver list
Protocol design choices
Deployment and policy choices
Only one in common with DNS-over-TLS
2. A note on terminology
A debate on words
Debate over which defining feature is the root of (most) issues, and how to name it:
□ Unencrypted vs encrypted?
□ Business model – ISP vs OTT?
□ Concentrated vs distributed?
□ «DNS-over-cloud»?
My choice is «local» vs «remote»
Local DNS resolution
[Diagram: Home LAN → ISP → The Internet; Applications → OS stub resolver → Resolver («name server») → Authoritative DNS server(s)]
Why «local»?
The ISP’s network is the first that you traverse to get to the Internet, no matter where you go
The ISP is normally in the same country, usually in the same city
□ Same jurisdiction
□ Same language
□ Maybe they suck, but you know how to reach them
Remote DNS resolution
[Diagram: Home LAN → ISP → The Internet; Applications → OS stub resolver → Resolver («name server») → Authoritative DNS server(s)]
Why «remote»?
It is topologically distant from you
□ Often in another country
It is run by a third party
□ For free («public resolver»), e.g. 8.8.8.8, 9.9.9.9, 1.1.1.1
□ Or as a paid premium service, e.g. Cisco Umbrella/OpenDNS
3. Consequences of DoH’s deployment
#1 The device-to-resolver connection is encrypted and hidden inside Web traffic
Remote DNS resolution, intercepted
[Diagram: Home LAN → ISP → The Internet; Applications → OS stub resolver → Resolver («name server») → Authoritative DNS server(s); the query path is intercepted on the way]
Local DNS resolution, not intercepted unless the ISP is hacked
[Diagram: Home LAN → ISP → The Internet; Applications → OS stub resolver → Resolver («name server») → Authoritative DNS server(s)]
Remote DNS resolution, proxied by the ISP
[Diagram: Home LAN → ISP → The Internet; Applications → OS stub resolver → Transparent DNS proxy (at the ISP) → Resolver («name server») → Authoritative DNS server(s)]
Is this good or bad?
Good
□ If you use remote resolution and are attacked or tracked
□ If you don’t trust your ISP / it does bad things to you
Indifferent
□ If you use local resolution and are attacked or tracked, unless the attacker is on the ISP’s network
Bad
□ If you trust your ISP / it does good things for you
It depends. But mostly good.
#2 Each application can use a different resolver (DNS becomes an application-level service, not a network one)
Is this good or bad?
Good
□ If the application maker is smarter than the user, and is honest
□ If you don’t trust your OS
□ If the OS’s DNS implementation is not good enough
Indifferent
□ If all DoH applications used the OS settings
Bad
□ If the application maker is smarter than the user, and is dishonest
□ If the user is smarter than the application maker
Is this good or bad?
Bad
□ If each application starts pointing you to different IPs for the same name
□ If each application starts using its own (augmented) namespace
□ If the application doesn’t let you configure the DoH server
□ If the remote DoH server provided by the application maker fails
□ If the application maker’s interests and the user’s interests are opposite
Bad. «Crossing the streams» bad!
#3 Each application maker gains control of resolver choice and can hardwire a remote resolver list
A consequence of deployment policies
Mozilla’s announcement from May 2018
Mozilla’s resolver accreditation policy
Bromite’s configuration screen
The real change
Now (and for the last 20 years)
□ Local resolution is the default
□ You get the nearest resolver when you connect
□ You can set your resolver once for all in your OS
In the DoH future
□ Remote resolution with multiple servers is the default
□ You get the application maker’s resolver when you install the app
□ You have to set your resolver for every new application
What does this mean?
New gatekeepers + Concentration
Now
□ DNS traffic is spread across hundreds of thousands of servers
□ And they are everywhere across the world
□ And you can easily pick the server you want
In the DoH future
□ Four browser makers that have 90% of the market control 90% of the world’s Web traffic resolutions
□ And they are all in the same country and jurisdiction
□ How easily can you choose?
Privacy?
Now
□ Your queries can be sniffed
□ You are covered by your own country’s privacy, law enforcement and neutrality rules
□ Your DNS is normally supplied by a company that does not live off targeted advertising
In the DoH future
□ Your queries cannot be sniffed
□ Your DNS data will be subject to the resolver’s privacy, law enforcement and neutrality rules
□ Many of the likely DNS providers live off data monetization (and use cookies / fingerprinting)
Freedom from censorship?
Now
□ You get the DNS-based content filters mandated by the law of your country
In the DoH future
□ You get the DNS-based content filters mandated by the law of the remote resolver’s country
□ And your country may start mandating IP address filters as a response
Network neutrality?
Now
□ Your ISP may break network neutrality, unless there are laws to prevent this
In the DoH future
□ Your application maker or resolver operator may break network neutrality, unless there are laws to prevent this
Performance?
Now
□ The application has to wait for the OS
□ Your local resolver is near, though it can be slow and unreliable
□ Your local resolver gets the topologically better result from CDNs
In the DoH future
□ The application doesn’t have to wait for the OS
□ Your remote resolver is far, but it could still perform better
□ Your remote resolver cannot get the topologically better result from CDNs unless it violates your privacy
Security?
Now
□ Your ISP can block botnets and malware with localized DNS filters
□ Your ISP can detect network problems and infections via the DNS
□ Your ISP can use split horizon, local names…
In the DoH future
□ Will your remote resolver get real-time threat feeds for your country?
□ Your ISP will be blind
□ Local names won’t work any more
□ DoH can be used for data exfiltration
User empowerment?
Now
□ You can easily pick a different server
□ You can get DNS-based services (parental control…) from whomever you want
□ You can easily know where all your queries go
□ Smarter users expect things to work this way
In the DoH future
□ You have to change the server in each app, and not all apps may let you
□ All other DNS-based services stop working
□ Your queries go wherever the app wants
□ No one expects or understands the change
Privacy in transport != Privacy
Concentration + Less user control = Surveillance point
Changing the entity in charge != More freedom
Is this good or bad?
Good
□ If you are a dissident without a clue
□ If you trust Google/Apple/Mozilla/Cloudflare more than your ISP
□ If you trust the U.S. government and laws more than yours
□ If you don’t care about centralization
Bad
□ If you are ok with your current resolver
□ If you like to control DNS
□ If you trust your ISP more than Google etc.
□ If you trust your own government and laws more than the U.S. ones
□ If you are worried about the centralization of the net
It depends. But mostly bad.
Especially without appropriate policies.
4. The DoH dilemma(s)
Who should choose the device’s resolver?
The user? The ISP? The browser?
Who should be entitled to apply policies to your DNS?
The network administrator? The resolver? The government?
Where should the issues be discussed?
By regulators? At ICANN? At IETF?
Work to do
Technical
□ Discovery protocol
□ Pending IETF drafts: server BCPs, client BCPs…
□ Missing pieces
□ Monitoring and research
Policy / Community
□ Independent trusted resolver accreditation
□ Deployment promotion and user education
□ Ex post analysis on IETF process shortcomings
Regulatory
□ Jurisdiction issues
□ Law enforcement mechanisms
□ Content control responsibilities
□ Service liabilities
EuroDIG workshop, June 20, The Hague
Thanks! Any questions? You can find me at
Credits: Original presentation template by SlidesCarnival, modified by myself
License: This presentation is distributed under a Creative Commons Attribution (CC-BY) license