At the end of October, the Internet Engineering Task Force (IETF) introduced the DNS over HTTPS (DoH) standard for encrypting DNS traffic, publishing it as RFC 8484. Many large companies endorsed it, but some remained dissatisfied with the IETF decision. Among the latter was Paul Vixie, one of the creators of the DNS system. Here is what the dispute is about.
DNS problem
The DNS protocol does not encrypt the user's requests to the server or the server's responses. The data is transmitted in plaintext, so the queries reveal the names of the hosts the user is visiting. Anyone on the path can therefore eavesdrop on the communication channel and intercept unprotected personal data.
What is DNS over HTTPS?
To remedy the situation, the DNS over HTTPS (DoH) standard was proposed. The IETF began working on it in May 2017. It was written by engineers Paul Hoffman of ICANN, the corporation that manages domain names and IP addresses, and Patrick McManus of Mozilla.
The distinctive feature of DoH is that name-resolution requests are not sent to a DNS server in the usual way; instead they are encapsulated in HTTPS traffic and delivered to an HTTP server, where a dedicated resolver processes them through an API. DNS traffic is thus disguised as ordinary HTTPS traffic, and client-server communication takes place over the standard HTTPS port 443. Both the content of the requests and the fact that DoH is being used remain hidden.
In RFC 8484, the Task Force gives examples of DoH queries for www.example.com. Here is the query using the GET method:

    :method = GET
    :scheme = https
    :authority = dnsserver.example.net
    :path = /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
    accept = application/dns-message

A similar request using POST:

    :method = POST
    :scheme = https
    :authority = dnsserver.example.net
    :path = /dns-query
    accept = application/dns-message
    content-type = application/dns-message
    content-length = 33

    <33 bytes represented by the following hex encoding>
    00 00 01 00 00 01 00 00 00 00 00 00 03 77 77 77
    07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
    01
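To make the two RFC examples concrete, here is an added Python script (not code from the article or from RFC 8484) that builds the 33-byte wire-format query for www.example.com, base64url-encodes it without padding for the GET form, emits the POST headers with the matching content-length, and decodes the dns= parameter of a GET path back into the queried name. It generalizes slightly beyond the page: any host name and query type can be encoded. The authority dnsserver.example.net comes from the RFC example; all function names and the sample inputs are constructed for this illustration.

```python
import base64
import struct

# Constructed inputs matching the RFC 8484 example shown above:
# www.example.com, type A (1), class IN (1), transaction ID 0.
EXAMPLE_NAME = "www.example.com"
EXAMPLE_AUTHORITY = "dnsserver.example.net"  # hostname used in the RFC example


def encode_qname(name):
    """Encode a dotted host name as DNS labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("invalid label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def build_dns_query(name, qtype=1, txid=0):
    """Build a wire-format DNS query: 12-byte header plus one question."""
    # Header: ID, flags (RD=1 -> 0x0100), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def base64url_nopad(data):
    """base64url without '=' padding, the form the dns= parameter uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def base64url_decode(text):
    """Inverse of base64url_nopad: restore the padding before decoding."""
    text = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text.encode("ascii"))


def doh_get_request(query, authority=EXAMPLE_AUTHORITY):
    """Render the HTTP/2 pseudo-headers of a DoH GET request."""
    return [
        ":method = GET",
        ":scheme = https",
        ":authority = " + authority,
        ":path = /dns-query?dns=" + base64url_nopad(query),
        "accept = application/dns-message",
    ]


def doh_post_request(query, authority=EXAMPLE_AUTHORITY):
    """Render the headers of a DoH POST request; the raw query is the body."""
    headers = [
        ":method = POST",
        ":scheme = https",
        ":authority = " + authority,
        ":path = /dns-query",
        "accept = application/dns-message",
        "content-type = application/dns-message",
        "content-length = %d" % len(query),
    ]
    return headers, query


def parse_question(wire):
    """Recover (name, qtype) from a wire-format query.

    Only plain labels are expected here; a compression pointer (length byte
    above 63) cannot occur in the first name of a message and is rejected.
    """
    pos = 12  # skip the fixed-size header
    labels = []
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("unexpected compression pointer in question name")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", wire[pos:pos + 4])
    return ".".join(labels), qtype


def name_from_get_path(path):
    """Extract and decode the dns= parameter of a DoH GET path."""
    marker = "?dns="
    idx = path.index(marker)
    return parse_question(base64url_decode(path[idx + len(marker):]))


if __name__ == "__main__":
    q = build_dns_query(EXAMPLE_NAME)
    print("\n".join(doh_get_request(q)))
    print()
    headers, body = doh_post_request(q)
    print("\n".join(headers))
    print(body.hex(" "))
    get_path = doh_get_request(q)[3].split(" = ", 1)[1]
    print(name_from_get_path(get_path))
```

Running the script reproduces the GET and POST requests exactly as printed in the RFC: the base64url string in the GET path is the same 33 bytes that form the POST body, which is why the content-length is 33.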
Many representatives of the IT industry have come out in support of the IETF standard, among them Geoff Huston, Chief Scientist at the regional Internet registry APNIC.
The development of the protocol was backed by large Internet companies. Since the beginning of the year, when the protocol was still at the draft stage, Google/Alphabet and Mozilla have been testing DoH. One of Alphabet's divisions has released the Intra app for encrypting users' DNS traffic, and the Mozilla Firefox browser has supported DNS over HTTPS since June of this year.
DoH has also been implemented by the DNS services Cloudflare and Quad9. Cloudflare recently released an app (covered in an article on Habr) for working with the new protocol on Android and iOS. It sets up a VPN to the device itself (to the address 127.0.0.1): DNS queries are sent to Cloudflare over DoH, while the rest of the traffic takes its normal route.
A list of DoH-enabled browsers and clients is available on GitHub.
Criticism of the DoH standard
Not all industry participants have reacted positively to the IETF decision. Opponents of the standard believe that DoH is a step in the wrong direction and will only lower the security of the connection. The harshest critic of the new protocol has been Paul Vixie, one of the developers of the DNS system. On Twitter, he called DoH "complete nonsense in terms of information security."
In his opinion, the new technology will make it impossible to manage networks effectively. For example, system administrators will no longer be able to block potentially malicious sites, and ordinary users will lose the ability to set up parental controls in browsers.
Opponents of DoH propose a different approach: DNS over TLS, or DoT. This technology has been adopted as an IETF standard and is described in RFC 7858 and RFC 8310. Like DoH, DoT hides the contents of requests, but it sends them over TLS rather than HTTPS, using a separate port, 853, to connect to the DNS server. Because of this, the fact that a DNS query is being sent is not concealed, unlike with DoH.
DoT has drawn criticism too. In particular, experts note that because the protocol works on a dedicated port, a third party can track the use of the secure channel and, if desired, block it.
What lies ahead for the protocols
According to experts, it is not yet clear which method of protecting DNS queries will become more widespread.
Cloudflare, Quad9 and Alphabet currently support both standards. While Alphabet uses DoH in the Intra app mentioned above, DoT was used to protect traffic in Android Pie. Google has also added DoH and DoT support to Google Public DNS, and the addition of the second standard was not announced at all.
The Register writes that the final choice between DoT and DoH will be up to users and providers, and that for now neither standard has a clear advantage. In particular, IT specialists estimate that widespread practical adoption of the DoH protocol will take a couple of decades.