DNS Privacy: Problem and solutions

Slides:



Advertisements
Similar presentations
Review iClickers. Ch 1: The Importance of DNS Security.
Advertisements

DNS Alphabet Soup. IPv6 Increases packet size Both transport and question/answer sections Preference: goes first Fragmentation done by end points (ICMPv6!)
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.
1 Application Layer Lecture 6 Imran Ahmed University of Management & Technology.
The complete picture Linux Network Management. End to End Connection Being able to describe the end to end connection sequence is a useful thing Very.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
ECE Prof. John A. Copeland fax Office: Klaus 3362.
Secure Socket Layer (SSL) and Secure Electronic Transactions (SET) Network Security Fall Dr. Faisal Kakar
DNS Privacy Overview Allison Mankin & Shumon Huque, Verisign Labs DNS-OARC Fall Workshop October 3, 2015.
Protocols COM211 Communications and Networks CDA College Olga Pelekanou
Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.
1 Review – The Internet’s Protocol Architecture. Protocols, Internetworking & the Internet 2 Introduction Internet standards Internet standards Layered.
THE LARGEST NAME SERVICE ACTING AS A PHONE BOOK FOR THE INTERNET The Domain Name System click here to next page 1.
Communication protocols 2. HTTP Hypertext Transfer Protocol, is the protocol of World Wide Web (www) Client web browser Web server Request files Respond.
Data Communications I & Computer Security I Faculty currently includes: G. Chen, Costello, Elbirt, Liu, D. Martin, Wang.
TLS: avoiding dangers A presentation by Dmitry Belyavsky, TCI Business Internet Conference Kiev, Ukraine, December 2013.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
TLS/SSL Protocol Presented by: Vivek Nelamangala Includes slides presented by Miao Zhang on April Course: CISC856 - TCP/IP and Upper Layer Protocols.
Geoff Huston Chief Scientist, APNIC
or call for office visit, or call Kathy Cheek,
Chapter 7 - Secure Socket Layer (SSL)
EDNS Client Subnet (ECS) in CDN solution
Security Issues with Domain Name Systems
Routing Game.
The Transport Layer Implementation Services Functions Protocols
Analysis of secured VoIP services
DNS Security Advanced Network Security Peter Reiher August, 2014
Instructor Materials Chapter 5 Providing Network Services
NET 536 Network Security Firewalls and VPN
DNS Team IETF 99 Hackathon.
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
Level 2 Diploma Unit 10 Setting up an IT Network
Review End of Semester.
IPv6 – THE WAY TO THE SECURE INTERNET
Network Wiring and Reference
Programming Assignment #1
Practical Censorship Evasion Leveraging Content Delivery Networks
Living on the Edge: (Re)focus DNS Efforts on the End-Points
The Importance of Being an Earnest stub
Some bits on how it works
How data travels through a network The Internet
CZ.NIC in a nutshell Domain, DNSSEC, Turris Project and others
The Last Link in the DNSSEC Chain of Trust
Working at a Small-to-Medium Business or ISP – Chapter 7
In Search We Trust How does an EU search engine contribute to cybersecurity? EESC, Tuesday, 9 January 2018 Guillaume Vassault-Houlière, on behalf of Eric.
Working at a Small-to-Medium Business or ISP – Chapter 7
Working at a Small-to-Medium Business or ISP – Chapter 7
Protecting Your Maps and Data when using ArcGIS Server
DNS Privacy (or not!) Geoff Huston APNIC.
Who am I talking to?.
Working at a Small-to-Medium Business or ISP – Chapter 7
The world changes again
The Secure Sockets Layer (SSL) Protocol
When you connect with DHCP, you are assigned a
Encrypting DNS traffic
DNS: Domain Name System
IETF DNSOP WG Update – and some DPRIVE
“DNS Flag day” A tale of five ccTLDs Hugo Salgado, .CL
Applications Layer Functionality & Protocols
Cybercrime and TLS.
Advanced Computer Networks
Read this to find out how the internet works!
INFORMATION FLOW ACROSS THE INTERNET
DoH! Peter Van Roste GAC/ccNSO meeting - ICANN 64
Q/ Compare between HTTP & HTTPS? HTTP HTTPS
Hackathon AIS’19 Measurement group DNS over HTTPS/TLS team
Presentation transcript:

DNS Privacy: Problem and solutions A presentation by Dmitry Belyavsky, TCI EE DNS Forum / UADOM Kyiv, December 1, 2016

Age of privacy Internet has changed the world What is privacy now? Personal data Metadata (Whom did you contact to?) Cookies, web-counters… Nation-wide eavesdroppers Protecting privacy Safe protocols: HTTPS, IMAPS, SFTP, SSH… All but DNS! Company Logo

Problem with DNS DNS – very old protocol Is DNS Data sensitive? DNSSec does not protect data exchange from monitoring Send as little data as possible! Encrypt it! Company Logo

Normal resolving process Company Logo

DNS Privacy: history Initiated by Stephane Bortzmeyer (2013) IETF working group dprive (2014) https://datatracker.ietf.org/wg/dprive Threat model: RFC 7626 (2015) QNAME minimization: RFC 7816 (2016) EDNS(0) Padding Option: RFC 7830 (2016) DNS over TLS: RFC 7858 (2016) Company Logo

DNS Privacy: Threat model Described in RFC 7626 DNS data is public, Your DNS request is NOT Public QNAME Source IP DNS and data routing may differ DNS requests are not encrypted Up to 70% of users can be recognized by their queries. Company Logo

DNS Privacy: QNAME minimization Described in RFC 7816 (Experimental) If you want to access l5.l4.l3.example.com, root DNS servers can answer about .com .com – about example.com … No extra privacy leaks May increase or reduce number of requests Problems with some CDNs – to be fixed Supported in Knot Resolver 1.0+ Unbound 1.5.7+ Company Logo

DNS Privacy: DNS over (D)TLS Described in RFC 7858 TCP: DNS over TLS UDP: DNS over DTLS Port 853 Implemented in Unbound 1.4.7+ - server Getdns – client Go library Company Logo

DNS Privacy + DNSSEC Whom do we trust? TLS Hello extension Trusted certs Opportunistic security TLS Hello extension Request: DNSSEC Chain Ext Response: Server DANE records Specification: https://datatracker.ietf.org/doc/draft-ietf-tls-dnssec-chain-extension/ Company Logo

DNS Privacy: How to test Servers: Sinodun, DNS-OARC https://portal.sinodun.com/wiki/display/TDNS/DNS-over-TLS+test+servers https://www.dns-oarc.net/oarc/services/dnsprivacy Stub resolvers: GetDNS Stubby https://getdnsapi.net Company Logo

Related technologies: DNSCrypt No RFC, https://dnscrypt.org/ Protects communication between client and resolver 443 port, both TCP/UDP Implemented in many routers and Yandex.browser (port 15353) Company Logo

DNS Privacy: conclusions There are all the necessary standards It’s time to switch them on Company Logo

Q&A Questions? Drop ‘em at: beldmit@tcinet.ru

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.