DNS over HTTPS
Daniel Stenberg
@bagder
Any DNS (over HTTPS) provider
Agenda
The insecure DNS
DNS-over-HTTPS is secure DNS
How to enable DNS-over-HTTPS
The resistance
We’re not done yet!
DNSSEC, DNScrypt and DNS-over-TLS
Common secure-DNS challenges
Imagine you walk into a coffee shop
Or a huge room at a conference offering free wifi
DHCP
Anyone, is there a DNS server around for me??!?!1!!
Sure, send all your requests in clear text to the server over there!
DHCP
Asking for a server
In clear text
Getting a response from an unverified source
In clear text
Suggesting we use another unverified source
To send sensitive data to
In clear text
DNS over UDP (or TCP)
Asking for a name-to-address translation in clear text
Getting a response from an unverified source in clear text
That server might ask one or more other servers in clear text
A lot of clear text
Photo by Antonio Marín Segovia
What’s being done to secure DNS?
DNS over HTTPS
RFC 8484
Never over clear-text HTTP
HTTPS protection
RFC 1035 packets in HTTPS “payloads”
Privacy and security
Needs to be manually configured
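The “RFC 1035 packets in HTTPS payloads” point, worked through as an added example that is not from the slides or from the curl project: a client builds a wire-format DNS query, wraps it in both RFC 8484 forms (GET with a base64url `dns=` parameter, and POST with an `application/dns-message` body), and parses a reply while checking that the question section matches what was asked. The resolver URL, the queried name and the reply bytes are all constructed here; nothing talks to a real resolver.

```python
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"   # RFC 8484 media type

def encode_name(name):
    """'daniel.haxx.se' -> RFC 1035 labels: 06 daniel 04 haxx 02 se 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1):
    """Wire-format query for name/qtype (1 = A). RFC 8484 recommends ID 0 so
    identical queries are byte-identical and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(doh_url, query):
    """GET form: the raw packet travels in ?dns=<base64url, padding stripped>."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return doh_url + ("&" if "?" in doh_url else "?") + "dns=" + b64

def query_from_get_url(url):
    """Server side of the GET form: pull the dns= parameter and re-pad it."""
    b64 = url.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

def doh_post_request(query):
    """POST form: the packet is the body, typed application/dns-message."""
    return {"method": "POST", "body": query,
            "headers": {"Content-Type": DOH_CONTENT_TYPE, "Accept": DOH_CONTENT_TYPE}}

def read_name(msg, off):
    """Decode a name at off, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the outer record)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte pointer into the message
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 16:                    # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg, expected_name, expected_qtype=1):
    """Return the A-record addresses from a DoH response body. HTTPS proves who
    sent the bytes, not that they answer *our* question, so the question
    section is still compared against what we asked."""
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    if qdcount != 1:
        raise ValueError("unexpected question count")
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if (qname.lower(), qtype, qclass) != (expected_name.lower(), expected_qtype, 1):
        raise ValueError("answer is for a different question")
    addrs = []
    for _ in range(ancount):
        rrname, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4 and rrname.lower() == qname.lower():
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

# Constructed sample reply (not captured from any real resolver): flags 0x8180
# (QR, RD, RA), the question echoed back, one A answer 192.0.2.10 (TEST-NET-1).
SAMPLE_QUERY = build_query("daniel.haxx.se")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + SAMPLE_QUERY[12:]                             # question section
    + b"\xC0\x0C"                                   # name = pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)
```

The same bytes that `doh_get_url` puts in the URL are what `doh_post_request` sends as the body; only the HTTP wrapping differs, which is why a plain HTTPS server plus a small proxy is enough to serve DoH.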
Why HTTPS?
Applications can resolve names easily
Proxy friendly
Hard to block
Easy to implement
Easy connection re-use
HTTPS with HTTP/2 means
✔ Multiplexing
✔ Server push
How to enable DoH
DoH in Firefox
Added in 62/63
Multiple modes
Defaults to “soft-fail”
DoH in curl
$ curl --doh-url https://doh.example.com/ https://daniel.haxx.se/
Shipped in 7.62.0
DoH in libcurl
Shipped in 7.62.0
#include <curl/curl.h>
CURL *curl;
CURLcode res;
curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, "https://curl.haxx.se/");
/* resolve the host name through this DoH server instead of the system resolver */
curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://doh.example.com/");
res = curl_easy_perform(curl);
curl_easy_cleanup(curl);
DoH in Chrome
Code added in the repository
Unknown status
Bromite offers DoH support
Google runs an experimental DoH end-point
DoH in the server
Several public end-points
Google, quad9, Cloudflare, cleanbrowsing, Power-DNS, etc *
Many server implementations *
Proxy options make it easy to run your own
I wrote my toy DoH server in hours
* = https://github.com/curl/curl/wiki/DNS-over-HTTPS
What’s considered less good
DNS over HTTPS – the resistance
A protocol layer violation
DNS centralization is wrong
Cl**dfl**e is evil
GDPR will save all Europeans
HTTPS allows for more user-tracking
DNS over HTTPS – the resistance
User configuration is hard
Admins need to monitor users
Name resolves can’t be unsupervised
“Debugging DNS issues is impossible”
“Split horizon” problems
Bad responses due to wrong geography
We’re not done yet
DoH - areas to explore further
No browser enables it by default
Discovery (draft-hoffman-resolver-associated-doh)
More than one?
Trusted service operators?
“I run a service, ask me about my domains”
HTTP/3 (vs DNS over QUIC)
Some neighboring technologies and why they aren’t enough
DNSSEC
By the IETF in 1999
Prevents fake responses and tampering
Still done over clear text – no privacy protection
Basically never used to the end user
15% of the world’s DNS resolvers verify
Should be used by the resolver you DoH/DoT with
DNScrypt
Traces back to 2008
Not done through IETF
TCP/UDP on port 443
No connection re-use
No multiplexing
“probably the most deployed encrypted DNS protocol to date”
DNS over TLS
Uses TLS instead of UDP/TCP
RFC 7858 (May 2016)
Secure
Private
- easy to block since it uses a unique port (853)
- typically done opportunistically
- not widely used yet
DoT vs DoH – what you really wanted to know
DoT                          DoH
System configured            User controlled
Controlled server            Secured network path
Trivially blockable          Hard to block
Not multiplexed              Multiplexed (HTTP/2)
Often no connection reuse    Basically always connection reuse
Common secure-DNS challenges
Discovery
Probing
Opportunistic
Blocking forces downgrade
System vs users
DNS privacy panel
DNS room 11:55 Sunday February 3rd
Wrap-up
DoH is authenticated secure name resolves
Easy to use
Easy to serve
Offers functionality related tech lacks
It does not imply centralization
Secure DNS is not completely solved yet
Daniel Stenberg
@bagder
https://daniel.haxx.se/
Thank you!
Questions?
