Encrypting DNS traffic


Encrypting DNS traffic: the why and the how. John Crain, Eastern Europe DNS Forum, 4-5 December 2018

The Why: How did we get here?

DNS Traffic Interception
- We know that parties actively intercept DNS traffic, both for good and for bad
- Good: see whether you are about to go to a malicious site and catch you before you do
- Bad: snooping for various reasons
- Most traffic is now encrypted; why not start encrypting DNS traffic as well?

The How: Options

Early solutions
- DNSCurve, proposed by Dan Bernstein in 2009
  - First introduction of Curve25519, a replacement for the Elliptic Curve Digital Signature Algorithm (ECDSA)
  - Did not catch on
- DNSCrypt came soon thereafter
  - Got a little more adoption
- Both were cryptographically sound, but neither was taken to the IETF for standardization

DNS over TLS (DoT)
- Protects traffic from the stub resolver to the recursive resolver
- Takes the original DNS protocol and runs it over Transport Layer Security (TLS) on a new port (port 853)
- Standardized in RFC 7858 (May 2016)
- Implemented in major recursive resolvers
- Very little uptake from the operating systems (Android is furthest ahead here)

DNS over HTTPS (DoH)
- Protects traffic from the browser to the recursive resolver
- It is DNS over HTTP over SSL/TLS (port 443)
- Allows all the normal HTTP semantics: caching, server push, etc.
- RFC 8484, very recent (October 2018)
- Code is already in Firefox, soon to be in Chrome, but not turned on by default
- Many DNS server implementations
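The two preceding slides describe the same DNS message carried two ways: framed over a TLS connection to port 853 (DoT, RFC 7858) or wrapped in an HTTP request to port 443 with the application/dns-message media type (DoH, RFC 8484). The following Python is an added example, not code from the slides or from any resolver implementation: it builds a wire-format query, applies the DoT length prefix, and constructs the DoH GET and POST forms. No network call is made; the resolver URL https://doh.example/dns-query and the queried name are placeholders.

```python
import base64
import struct
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

DOT_PORT = 853                       # RFC 7858: DoT uses a dedicated port
DOH_PORT = 443                       # RFC 8484: DoH shares the normal HTTPS port
DOH_MEDIA_TYPE = "application/dns-message"


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 labels (length byte + label, 0-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a single-question DNS query (QCLASS IN, RD=1) in wire format.

    txid defaults to 0 because RFC 8484 recommends ID 0 for DoH, so that
    identical queries yield identical, cacheable HTTP requests.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def dot_frame(msg: bytes) -> bytes:
    """DoT carries DNS over TCP/TLS, so each message gets a 2-byte length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def dot_unframe(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split received TLS stream bytes into complete DNS messages.

    Returns (messages, leftover); leftover is a partial trailing frame that
    must be buffered until more bytes arrive.
    """
    messages: List[bytes] = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages, stream[pos:]


def doh_get_url(base_url: str, msg: bytes) -> str:
    """RFC 8484 GET: message in the 'dns' parameter, base64url without padding."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def doh_get_decode(url: str) -> bytes:
    """Server side of doh_get_url: recover the DNS message from the URL."""
    encoded = parse_qs(urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def doh_post_request(msg: bytes) -> Tuple[Dict[str, str], bytes]:
    """RFC 8484 POST: the raw DNS message is the body, typed application/dns-message."""
    headers = {
        "Content-Type": DOH_MEDIA_TYPE,
        "Accept": DOH_MEDIA_TYPE,
        "Content-Length": str(len(msg)),
    }
    return headers, msg


def parse_header(msg: bytes) -> Dict[str, object]:
    """Decode the 12-byte DNS header; the same for DoT and DoH replies."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


if __name__ == "__main__":
    q = build_query("example.com")   # constructed sample: A record for a placeholder name
    print("DoT frame:", dot_frame(q).hex())
    print("DoH GET  :", doh_get_url("https://doh.example/dns-query", q))
    print("DoH POST :", doh_post_request(q)[0])
```

The point to notice is that the DNS bytes themselves never change; only the carrier does. A DoT peer must handle the length prefix and message coalescing on one connection, while a DoH peer gets framing, caching and multiplexing from HTTP for free.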

DNS over HTTPS (DoH)
- Uses the concept of Trusted Recursive Resolvers (TRR)
- Configured in the browser
- Browsers ship with a default TRR
- Firefox uses Cloudflare 1.1.1.1 (not clear which TRR other browsers will choose)
- https://github.com/curl/curl/wiki/DNS-over-HTTPS

It’s very new
- Still a lot of questions
- As a business, how do you ensure your users are using the TRR you trust? (Draft suggestion: https://datatracker.ietf.org/doc/draft-hoffman-resolver-associated-doh/)
- How do you distinguish DNS from other traffic on port 443?
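Both questions on this slide have a defender's counterpart: an organisation that has decided which resolvers it trusts can recognise DoT by its dedicated port and DoH by the resolver address or the TLS server name, and flag encrypted DNS going anywhere else. The following Python flow classifier is an added example, not from the slides; the flow records and policy lists are constructed (1.1.1.1 is the Cloudflare resolver named on the previous slide and cloudflare-dns.com its public DoH hostname; doh.example.net and the 203.0.113.0/24 addresses are placeholders). It also shows the limitation the slide points at: DoH to a resolver that is not on the list is indistinguishable from any other HTTPS flow on port 443.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

DNS_PORT = 53
DOT_PORT = 853      # RFC 7858
HTTPS_PORT = 443    # RFC 8484 DoH shares this port with all other HTTPS traffic


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None   # TLS Server Name Indication from the ClientHello, if observed


@dataclass(frozen=True)
class ResolverPolicy:
    trusted_dot_ips: FrozenSet[str]
    trusted_doh_ips: FrozenSet[str]
    trusted_doh_hosts: FrozenSet[str]
    known_doh_hosts: FrozenSet[str]   # public DoH hostnames we recognise, trusted or not


def classify(flow: Flow, policy: ResolverPolicy) -> str:
    """Label a flow as cleartext DNS, DoT, recognised DoH, plain HTTPS, or other."""
    if flow.dst_port == DNS_PORT:
        return "dns-cleartext"
    if flow.dst_port == DOT_PORT:
        return "dot"
    if flow.dst_port == HTTPS_PORT:
        if flow.sni in policy.known_doh_hosts or flow.dst_ip in policy.trusted_doh_ips:
            return "doh"
        # A DoH resolver we do not know about looks exactly like any other HTTPS flow.
        return "https"
    return "other"


def violations(flows: List[Flow], policy: ResolverPolicy) -> List[Flow]:
    """Encrypted DNS flows that go to a resolver outside the trusted set."""
    bad: List[Flow] = []
    for f in flows:
        kind = classify(f, policy)
        if kind == "dot" and f.dst_ip not in policy.trusted_dot_ips:
            bad.append(f)
        elif kind == "doh" and not (f.dst_ip in policy.trusted_doh_ips
                                    or f.sni in policy.trusted_doh_hosts):
            bad.append(f)
    return bad


def summarize(flows: List[Flow], policy: ResolverPolicy) -> Dict[str, int]:
    """Count flows per classification label."""
    counts: Dict[str, int] = {}
    for f in flows:
        label = classify(f, policy)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed policy: the organisation trusts only the Cloudflare resolver.
SAMPLE_POLICY = ResolverPolicy(
    trusted_dot_ips=frozenset({"1.1.1.1"}),
    trusted_doh_ips=frozenset({"1.1.1.1"}),
    trusted_doh_hosts=frozenset({"cloudflare-dns.com"}),
    known_doh_hosts=frozenset({"cloudflare-dns.com", "doh.example.net"}),
)

# Constructed flow records, as a network sensor might export them.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.1", 53),                                # internal cleartext DNS
    Flow("10.0.0.5", "1.1.1.1", 853),                                # DoT to the trusted resolver
    Flow("10.0.0.6", "203.0.113.53", 853),                           # DoT to an untrusted resolver
    Flow("10.0.0.5", "1.1.1.1", 443, sni="cloudflare-dns.com"),      # DoH to the trusted resolver
    Flow("10.0.0.7", "203.0.113.80", 443, sni="doh.example.net"),    # DoH to a known, untrusted resolver
    Flow("10.0.0.5", "203.0.113.10", 443, sni="www.example.com"),    # ordinary HTTPS
    Flow("10.0.0.8", "203.0.113.20", 443),                           # no SNI: could be DoH, cannot tell
    Flow("10.0.0.5", "203.0.113.30", 22),                            # unrelated traffic
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS, SAMPLE_POLICY))
    for f in violations(SAMPLE_FLOWS, SAMPLE_POLICY):
        print("untrusted encrypted DNS:", f)
```

The "https" bucket is the honest answer to the slide's second question: without the resolver on a list, or a decrypting proxy, port 443 alone tells you nothing, which is why the resolver-association draft the slide links to matters to network operators.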

DoT vs DoH

DNS over TLS                                | DNS over HTTPS
--------------------------------------------|-------------------------------------------------
Uses a new dedicated port                   | Uses the HTTPS port
Implemented in the DNS server software      | Implemented in DNS server software
Needs OS support                            | Needs browser support
Uses current server provisioning (DHCP)     | Servers currently specified in stub/browser config
You can run a local DoT server              | You can run a local DoH server

Questions? John’s contact info: John.crain@icann.org, Twitter: @johnlcrain, Skype: JohnLcrain