Presentation is loading. Please wait.

Presentation is loading. Please wait.

DoH! Peter Van Roste GAC/ccNSO meeting - ICANN 64

Published byAbraham Rodgers Modified over 5 years ago

Similar presentations

Presentation on theme: "DoH! Peter Van Roste GAC/ccNSO meeting - ICANN 64"— Presentation transcript:

1 DoH! Peter Van Roste peter@centr.org GAC/ccNSO meeting - ICANN 64
Kobe, Japan 13 March, 2019

2 Who knows what DoH is?

3 What’s the IP address for www.example.eu?
Today: Operating System asks Access Provider for IP address of What’s the IP address for Access Provider DNS Resolver

4 Today: DNS Resolver asks Root Name Server for IP of a DNS server for
Today: DNS Resolver asks Root Name Server for IP of a DNS server for .eu Where’s the .eu registry DNS server? (Because we need to know where is) Access Provider DNS Resolver Root Name Server

5 Today: DNS Resolver asks Root Name Server for IP of a DNS server for
Today: DNS Resolver asks Root Name Server for IP of a DNS server for .eu It’s at IP address: Access Provider DNS Resolver Root Name Server

6 What is DoH DNS over HTTPS
It’s a protocol (in an RFC standard) that allows resolving a domain name in a different way than we are used to Rather than your ISP (or company) resolver, your browser will take care of resolving a domain name. Your browser will work with a selected service provider (e.g ) to answer those queries. Only a few organisations can provide robust reliable resolving services to the whole world. Browsermarket: Chrome 64.63% + Internet Explorer 10.49% + Firefox 9.83% + Edge 4.3% + Safari 3.79% = 93.04% (Source: NetApplications.com © 2017)

7 ENCRYPTED What does it look like? 3rd party Access Provider DNS
Resolver 3rd party ENCRYPTED

8 ENCRYPTED What does it look like? 3rd party DNS Resolver
Access Provider DNS Resolver

9 Why the change? DoH hides DNS traffic in HTTPS traffic, making it unblockable. Some well known security and privacy issues with regular DNS resolving have been unaddressed for 3 decades Clear text queries (wo)Men-in the middle attacks DoH provides answers by encrypting DNS requests and responses and securing the path between user and DNS resolver

10 Who likes it? Users (Art. 19) cautiously positive: more privacy
Pirates and journalists in oppressive regimes: no blocking Browser vendors: more control Selected resolvers: more juicy data (even though they will remove PII after 24 hours and will never ever ever use or sell data)

11 Who hates it? Users that don’t like a central control point or users that trust their local ISP more than a third party (foreign) resolver ISPs: losing control over network traffic Losing juicy user data Losing ability to stop abusive traffic Some DNS service providers: losing control and data (and business) Probably (if they realise the impact) law enforcement: losing data available in their jurisdiction Probably (if they realise the impact) Courts: who to send blocking order to? Organisations like Internet Watch Foundation or those providing parental control tools

12 Who worries? CERTS: Security (no visibility) and privacy (non-EU resolver?) concerns Technical issues (e.g. resolving local names for a company’s intranet)

13 Unresolved questions What impact would it have on user experience?
Would a Firefox user see the same thing as a Chrome user? Knock, knock. “Who’s there?” – “The end of internet universality.” Will DoH be a baked-in resolving method or will users be able to choose between DoH and old-fashioned DNS resolution? Will browsers hardcode resolvers in their software? What would be the impact of a German court order sent to e.g. US-based resolver for a Belgian user? How will this change the balance of power in the DNS industry? What if the resolvers disregard (voluntary!) standards? What happens to ICANN if a handful of resolvers could decide to shape the rootzone as they see fit (e.g. adding .amazon)?

14 Impact on ccTLDs Limited on a technical level
Probably a decreased query load. Need to be watchful things like TTL are respected by the resolvers, but limited power to enforce that. Should make the DNS a little faster (even though tests have shown that a particular resolver is slower in responding to queries for content that are not in that resolver’s cloud). Main impact: political/policy: the balance in the ecosystem will be affected

15 Any questions?

16 What is DoT DNS over TLS It’s a protocol (in an RFC standard) that allows resolving a name in a different way than we are used to The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data. Similar to DoH but easier to block as it has a dedicated port (DoH blocking would block all website traffic) Still a race between DoH and DoT but browsers will be calling the winner very soon. (and it is unlikely to be DoT)

Download ppt "DoH! Peter Van Roste GAC/ccNSO meeting - ICANN 64"

Similar presentations

Internet Protocols and Innovation John C Klensin John C Klensin and Associates

Internet Protocols and Innovation John C Klensin John C Klensin and Associates
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. A tutorial on how you can host multiple SSL Certificates on a single IP.

© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. A tutorial on how you can host multiple SSL Certificates on a single IP.
1 Web Content Delivery Reading: Section 9.2.2 and 9.4.3 COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:

1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Mohammed Saiyeedur Rahman.  E-commerce is buying and selling goods over the internet. This could include selling/buying mobile phones, clothes or DVD’s.

Mohammed Saiyeedur Rahman.  E-commerce is buying and selling goods over the internet. This could include selling/buying mobile phones, clothes or DVD’s.
Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.

Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.
THE INTERNET INTERNET REGISTRIES & INTERNET REGISTRARS.

THE INTERNET INTERNET REGISTRIES & INTERNET REGISTRARS.
© British Telecommunications plc Network Filtering.

© British Telecommunications plc Network Filtering.
INTERNET. BROADBAND The amount of information a connection is capable of carrying. Measured in bits per second.

INTERNET. BROADBAND The amount of information a connection is capable of carrying. Measured in bits per second.
Privacy & Security Online Ivy, Kris & Neil Privacy Threat - Ivy Is Big Brother Watching You? - Kris Identity Theft - Kris Medical Privacy - Neil Children’s.

Privacy & Security Online Ivy, Kris & Neil Privacy Threat - Ivy Is Big Brother Watching You? - Kris Identity Theft - Kris Medical Privacy - Neil Children’s.
The Domain Name System and DNS Blocking Malcolm Hutty Head of Public Affairs, LINX February 2011.

The Domain Name System and DNS Blocking Malcolm Hutty Head of Public Affairs, LINX February 2011.
Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?

Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?
Monitoring commercial cloud service providers CERN openlab Summer Students Lightning Talk Sessions Lassi Kojo › 19/08/2015.

Monitoring commercial cloud service providers CERN openlab Summer Students Lightning Talk Sessions Lassi Kojo › 19/08/2015.
WHAT IS E-COMMERCE? E-COMMERCE is a online service that helps the seller/buyer complete their transaction through a secure server. Throughout the past.

WHAT IS E-COMMERCE? E-COMMERCE is a online service that helps the seller/buyer complete their transaction through a secure server. Throughout the past.
The Internet What is the Internet? The Internet is a lot of computers over the whole world connected together so that they can share information. It.

The Internet What is the Internet? The Internet is a lot of computers over the whole world connected together so that they can share information. It.
15-1 Networking Computer network A collection of computing devices that are connected in various ways in order to communicate and share resources Usually,

15-1 Networking Computer network A collection of computing devices that are connected in various ways in order to communicate and share resources Usually,
DNS Security Risks Section 0x02. Joke/Cool thing traceroute 216.81.59.173 traceroute 216.81.59.173 https://www.youtube.com/watch?v=5_dRqPLP1d c https://www.youtube.com/watch?v=5_dRqPLP1d.

DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
Internet Basics 10/23/2012. What is the Internet? It’s a world-wide network of computer networks. It grows hourly and involves national governments, communities,

Internet Basics 10/23/2012. What is the Internet? It’s a world-wide network of computer networks. It grows hourly and involves national governments, communities,
SmallMail, protect your from nosey Big Brothers Peter Roozemaal

SmallMail, protect your from nosey Big Brothers Peter Roozemaal

Similar presentations

Ads by Google