Presentation is loading. Please wait.

Presentation is loading. Please wait.

Encrypting DNS traffic

Published by Modified over 6 years ago

Similar presentations

Presentation on theme: "Encrypting DNS traffic"— Presentation transcript:

1 Encrypting DNS traffic
The why and the how John Crain Eastern Europe DNS Forum 4-5 December 2018

2 The Why How did we get here?

3 DNS Traffic Interception
We know that parties actively intercept DNS traffic both for good and for bad Good: See if you're about to go to a malicious site and catch you before you do. Bad: snooping for various reasons. Most traffic is now encrypted, why not start encrypting DNS traffic as well?

4 The How? Options

5 Early solutions DNSCrypt came soon thereafter
DNSCurve proposed by Dan Bernstein in 2009 First introduction of Curve25519, replacement for Elliptical Curve Digital Signature Algorithm (ECDSA) Did not catch on DNSCrypt came soon thereafter Got a little more adoption Both were cryptographically sound, but neither was taken to the IETF for standardization

6 DNS over TLS (DoT) Protects traffic from the stub resolver to the recursive resolver Take the original DNS protocol and run it over Transport Layer Security (TLS) on a new port (port 853) - Standardized in RFC 7858 (May 2016) - Implemented in major recursive resolvers   Very little uptake from the operating systems (Android is furthest ahead here)

7 DNS over HTTPs (DoH) Protects traffic from the browser to the recursive resolver It is DNS over HTTP over SSL/TLS (Port 443) Allows all the normal HTTP semantics, caching, server push etc. - RFC 8484, very recent (October 2018) - Code is already in Firefox, soon to be in Chrome, but not turned on by default   - Many DNS server implementations

8 DNS over HTTPs (DoH) Uses the concept of Trusted Recursive Resolvers (TRR) Configured in the browser Browsers ship with default TRR Firefox uses Cloudflare (Not clear which TRR other browsers will choose)

9 It’s very new Still a lot of questions
As a business how to ensure your users are using the TRR you trust? (Draft suggestion: How do you distinguish DNS from other traffic? (443)

10 DoT vs DoH DNS over TLS DNS over HTTPs VS Uses a new dedicated port
Implemented in the DNS server software Needs OS support Uses current server provisioning (DHCP) You can run a local DoT server Uses the HTTPs port Implemented in DNS server software Needs Browser support Servers currently specified in stub/browser config You can run a local DoH server VS

11 Questions? John’s Contact Info: Skype: JohnLcrain You can adjust the /web address to whichever or web address is best suited to your presentation. This should be your final slide.

Download ppt "Encrypting DNS traffic"

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Surfing the Net. Surfing the net Browsers – Internet Explorer, Firefox, others Dissecting URLs Some web page definitions Browser navigation Bookmarks.

Surfing the Net. Surfing the net Browsers – Internet Explorer, Firefox, others Dissecting URLs Some web page definitions Browser navigation Bookmarks.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Information Networking Security and Assurance Lab National Chung Cheng University Guidelines on Electronic Mail Security

Information Networking Security and Assurance Lab National Chung Cheng University Guidelines on Electronic Mail Security
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
DHCP: Dual-Stack Issues draft-ietf-dhc-dual-stack-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.

DHCP: Dual-Stack Issues draft-ietf-dhc-dual-stack-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.
RTCWEB Signaling Matthew Kaufman. Scope Web Server Browser.

RTCWEB Signaling Matthew Kaufman. Scope Web Server Browser.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
DHCP Security DHCP Snooping and Security David Mitchell 03/19/2008.

DHCP Security DHCP Snooping and Security David Mitchell 03/19/2008.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Encryption and Security Dylan Anderson Michael Huffman Julie Rothacher Dylan Anderson Michael Huffman Julie Rothacher.

Encryption and Security Dylan Anderson Michael Huffman Julie Rothacher Dylan Anderson Michael Huffman Julie Rothacher.
Georgios Kontaxis‡, Michalis Polychronakis‡, Angelos D. Keromytis‡, and Evangelos P.Markatos* ‡Columbia University and *FORTH-ICS USENIX-SEC (August, 2012)

Georgios Kontaxis‡, Michalis Polychronakis‡, Angelos D. Keromytis‡, and Evangelos P.Markatos* ‡Columbia University and *FORTH-ICS USENIX-SEC (August, 2012)
IP Security. P R E S E N T E D B Y ::: Semester : 8 ::: Year : 2009 Naeem Riaz Maria Shakeel Aqsa Nizam.

IP Security. P R E S E N T E D B Y ::: Semester : 8 ::: Year : 2009 Naeem Riaz Maria Shakeel Aqsa Nizam.
Protocols COM211 Communications and Networks CDA College Olga Pelekanou

Protocols COM211 Communications and Networks CDA College Olga Pelekanou
Automated Certificate Management ACME + Let’s Encrypt Richard

Automated Certificate Management ACME + Let’s Encrypt Richard
Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.

Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.

1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.

Similar presentations

Ads by Google