DoH! Peter Van Roste GAC/ccNSO meeting - ICANN 64

Presentation transcript:

DoH!
Peter Van Roste, peter@centr.org
GAC/ccNSO meeting - ICANN 64
Kobe, Japan, 13 March 2019

Who knows what DoH is?

What’s the IP address for www.example.eu?
Today: the operating system asks the access provider’s DNS resolver for the IP address of www.example.eu.
(Diagram: user’s device -> Access Provider DNS Resolver, asking “What’s the IP address for www.example.eu?”)

Today: the access provider’s DNS resolver asks a root name server for the IP of a DNS server for .eu: “Where’s the .eu registry DNS server?” (because we need to know where www.example.eu is).
(Diagram: Access Provider DNS Resolver -> Root Name Server)

Today: the access provider’s DNS resolver asks a root name server for the IP of a DNS server for .eu, and the root name server answers: “It’s at IP address 198.51.100.56.”
(Diagram: Root Name Server -> Access Provider DNS Resolver)

What is DoH?
DNS over HTTPS.
It’s a protocol (in an RFC standard) that allows resolving a domain name in a different way than we are used to.
Rather than your ISP (or company) resolver, your browser will take care of resolving a domain name.
Your browser will work with a selected service provider (e.g. 1.1.1.1) to answer those queries.
Only a few organisations can provide robust, reliable resolving services to the whole world.
Browser market: Chrome 64.63% + Internet Explorer 10.49% + Firefox 9.83% + Edge 4.3% + Safari 3.79% = 93.04% (Source: NetApplications.com © 2017)
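To make the slide’s “different way of resolving” concrete, here is an added example (not part of the presentation and not code from CENTR or any resolver operator) of what a DoH exchange carries on the wire: the same DNS message a stub resolver would send over UDP port 53 is wrapped in an HTTPS request (RFC 8484), either as a POST body or as a base64url `dns=` parameter on a GET. The resolver URL is the one the slide names (1.1.1.1), the IP address in the answer is a constructed documentation address, and nothing is sent over the network: the response is built inline so the example runs offline.

```python
"""Added example: build a DoH request for www.example.eu (RFC 8484) and decode
a constructed wire-format answer. Fully offline; nothing contacts 1.1.1.1."""
import base64
import struct

RESOLVER_URL = "https://1.1.1.1/dns-query"   # resolver named on the slide


def build_dns_query(name: str, qtype: int = 1, txn_id: int = 0) -> bytes:
    """DNS wire-format query (RFC 1035). RFC 8484 recommends transaction id 0
    so identical queries produce identical bytes and HTTP caches can reuse them."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype A, class IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: the query goes in the 'dns' parameter, base64url without padding."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def doh_post_request(query: bytes) -> dict:
    """POST form: the raw wire-format message is the body, with the DoH media type.
    On the wire this is an ordinary HTTPS request to port 443."""
    return {
        "method": "POST",
        "headers": {"content-type": "application/dns-message",
                    "accept": "application/dns-message"},
        "body": query,
    }


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed domain name; returns (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            off += 2
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), off


def parse_dns_response(msg: bytes) -> dict:
    """Decode header, skip the question section, and collect answer records."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                      # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": rdata})
    return {"id": txn_id, "rcode": flags & 0xF, "answers": answers}


def constructed_response() -> bytes:
    """A constructed answer for www.example.eu (203.0.113.10 is a documentation
    address, not a real record). Same bytes a DoH resolver would return as the
    application/dns-message body of its HTTP 200 reply."""
    query = build_dns_query("www.example.eu")
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = query[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    return header + question + answer


if __name__ == "__main__":
    q = build_dns_query("www.example.eu")
    print(doh_get_url(RESOLVER_URL, q))
    print(doh_post_request(q)["headers"])
    print(parse_dns_response(constructed_response()))
```

The point for a network operator is visible in `doh_post_request`: apart from the `application/dns-message` media type, which is inside the TLS session, there is nothing on the wire that distinguishes this request from any other HTTPS traffic to the same host.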

What does it look like?
(Diagram: the browser sends its DNS queries ENCRYPTED to a 3rd-party resolver, passing the access provider’s DNS resolver by.)

What does it look like?
(Diagram: the 3rd-party DNS resolver answers over the same ENCRYPTED channel; the access provider’s DNS resolver is not involved.)

Why the change?
DoH hides DNS traffic in HTTPS traffic, making it unblockable.
Some well-known security and privacy issues with regular DNS resolving have been unaddressed for 3 decades:
clear-text queries;
(wo)men-in-the-middle attacks.
DoH provides answers by encrypting DNS requests and responses and securing the path between user and DNS resolver.

Who likes it?
Users (Art. 19) cautiously positive: more privacy.
Pirates and journalists in oppressive regimes: no blocking.
Browser vendors: more control.
Selected resolvers: more juicy data (even though they will remove PII after 24 hours and will never ever ever use or sell data).

Who hates it?
Users that don’t like a central control point, or users that trust their local ISP more than a third-party (foreign) resolver.
ISPs: losing control over network traffic; losing juicy user data; losing the ability to stop abusive traffic.
Some DNS service providers: losing control and data (and business).
Probably (if they realise the impact) law enforcement: losing data available in their jurisdiction.
Probably (if they realise the impact) courts: who to send a blocking order to?
Organisations like the Internet Watch Foundation or those providing parental control tools.

Who worries?
CERTs: security (no visibility) and privacy (non-EU resolver?) concerns.
Technical issues (e.g. resolving local names for a company’s intranet).

Unresolved questions
What impact would it have on user experience? Would a Firefox user see the same thing as a Chrome user?
Knock, knock. “Who’s there?” – “The end of internet universality.”
Will DoH be a baked-in resolving method, or will users be able to choose between DoH and old-fashioned DNS resolution?
Will browsers hardcode resolvers in their software?
What would be the impact of a German court order sent to e.g. a US-based resolver for a Belgian user?
How will this change the balance of power in the DNS industry?
What if the resolvers disregard (voluntary!) standards?
What happens to ICANN if a handful of resolvers could decide to shape the root zone as they see fit (e.g. adding .amazon)?

Impact on ccTLDs
Limited on a technical level.
Probably a decreased query load.
Need to be watchful that things like TTL are respected by the resolvers, but limited power to enforce that.
Should make the DNS a little faster (even though tests have shown that a particular resolver is slower in responding to queries for content that is not in that resolver’s cloud).
Main impact is political/policy: the balance in the ecosystem will be affected.

Any questions? peter@centr.org

What is DoT?
DNS over TLS.
It’s a protocol (in an RFC standard) that allows resolving a name in a different way than we are used to.
The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data.
Similar to DoH but easier to block, as it has a dedicated port (DoH blocking would block all website traffic).
Still a race between DoH and DoT, but browsers will be calling the winner very soon (and it is unlikely to be DoT).
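The DoT slide’s point (dedicated port, so easy to see; DoH shares port 443 with all web traffic) and the earlier CERT worry about losing visibility can be shown from the defender’s side with a small classifier over connection records. This is an added example, not part of the presentation: the flow records are constructed, the field layout is an assumption (timestamp, source, destination, destination port, TLS SNI or `-`), and the list of resolver hostnames is a sample an operator would maintain themselves, not an authoritative list. It labels DoT purely by port 853, can label DoH only when the SNI matches a known resolver name, and reports which internal hosts no longer query the local resolver at all.

```python
"""Added example: classify constructed flow records by DNS transport and
report hosts that bypass the access provider's resolver. Offline only."""
from collections import Counter, defaultdict

# Assumption: a sample of public DoH resolver hostnames an operator keeps by hand.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google"}

# Assumption: the address of the local (access provider / corporate) resolver.
LOCAL_RESOLVER = "198.51.100.1"

# Constructed flow records: timestamp src dst dport sni ('-' when none seen).
SAMPLE_FLOWS = """\
2019-03-13T10:00:01Z 192.0.2.10 198.51.100.1 53 -
2019-03-13T10:00:02Z 192.0.2.10 203.0.113.5 853 -
2019-03-13T10:00:03Z 192.0.2.11 203.0.113.7 443 cloudflare-dns.com
2019-03-13T10:00:04Z 192.0.2.11 203.0.113.9 443 www.example.eu
2019-03-13T10:00:05Z 192.0.2.12 198.51.100.1 53 -
2019-03-13T10:00:06Z 192.0.2.13 203.0.113.20 443 -
"""


def classify(dport: int, sni: str) -> str:
    """Transport label for one flow. Port 853 is DoT by definition (RFC 7858);
    port 443 is DoH only if the SNI names a resolver we know, otherwise it is
    indistinguishable from ordinary HTTPS, which is the slide's point."""
    if dport == 53:
        return "plain-dns"
    if dport == 853:
        return "dot"
    if dport == 443:
        return "doh-known" if sni in KNOWN_DOH_HOSTS else "https"
    return "other"


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, sni = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "sni": sni}


def summarize(flow_text: str) -> dict:
    """Count transports and list hosts that use encrypted DNS but never the
    local resolver: the 'no visibility' case from the CERT slide."""
    counts = Counter()
    per_host = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        label = classify(f["dport"], f["sni"])
        counts[label] += 1
        per_host[f["src"]].add(label)
        if f["dport"] == 53 and f["dst"] == LOCAL_RESOLVER:
            per_host[f["src"]].add("uses-local-resolver")
    bypassing = sorted(
        host for host, labels in per_host.items()
        if labels & {"dot", "doh-known"} and "uses-local-resolver" not in labels
    )
    return {"counts": dict(counts), "bypassing_local_resolver": bypassing}


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

Note what the result cannot tell you: host 192.0.2.13 only shows as `https`, so a DoH resolver that is not in the hostname list, or a client that sends no SNI, looks exactly like a web visit. That is the visibility gap the presentation describes, and why port-based handling that works for DoT does not carry over to DoH.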