DNS-over-HTTPS (DoH), Arve Gengelbach, October 25, 2019, Cryptoparty Uppsala (PowerPoint presentation)



SLIDE 1

DNS-over-HTTPS (DoH)

Arve Gengelbach October 25, 2019

Cryptoparty, Uppsala

1

SLIDE 2

HTTPS

SLIDE 3

2

SLIDE 4

3

SLIDE 5

4

SLIDE 6

5

SLIDE 7

6

SLIDE 8

HTTPS

Encrypt traffic to ensure confidentiality, integrity and authenticity.

  • Only browser and server read the communication
  • The content is not modified
  • The sender is talking to the intended server

7

SLIDE 9

DNS

SLIDE 10

DNS: an address book

  • Address book:

    Anna Svensson → Drottninggata 1, Uppsala

  • DNS resolver:

    www.uu.se → 130.238.7.133 and 130.238.7.134

The DNS resolver answers the question: At which IP addresses is www.uu.se reachable?

8

SLIDE 11

Demo: Look at a DNS packet (with Wireshark)

We capture the DNS traffic with # tcpdump -i any -w do53.pcap -s 0 port 53 while accessing www.uu.se (with $ ping -c 1 www.uu.se).

9

SLIDE 12

DNS - a decentralised address book

10

SLIDE 13

11

SLIDE 14

12

SLIDE 15

13

SLIDE 16

14

SLIDE 17

Potential Threats

15

SLIDE 18

Potential Threats

By default, DNS is clear text (unencrypted): it reveals metadata about the services that you use.

15

SLIDE 19

Which resolver to use?

You choose your DNS resolver (e.g. your ISP's¹ suggestion)

¹ Internet Service Provider

16

SLIDE 20

Which resolver to use?

Applications use the OS's DNS resolver

17

SLIDE 21

DNS-over-HTTPS

SLIDE 22

DNS-over-HTTPS

The client and the DNS resolver communicate encrypted,

  • over HTTPS (port 443 rather than unencrypted port 53).

18

SLIDE 23

Demo: Look at DNS-over-HTTPS traffic

We resolve www.uu.se with the DoH resolver fi.doh.dns.snopyta.org.

  1. DNS query (clear text, port 53) for the resolver's own address:

     fi.doh.dns.snopyta.org → 95.216.24.230

  2. HTTPS request (port 443) to:

     https://95.216.24.230/dns-query?name=www.uu.se

19
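The slide shows the JSON-style ?name= form of the request. The following is an added example (not part of the original slides) that goes one step further: it builds the standardised RFC 8484 wire-format request (the query message base64url-encoded in a ?dns= parameter) for the same lookup, and parses a constructed response carrying the two addresses from slide 10. The resolver IP and hostname are the sample values from the slides; nothing touches the network.

```python
import base64
import struct

DOH_RESOLVER_IP = "95.216.24.230"  # DoH resolver IP from slide 23 (sample value)
QNAME = "www.uu.se"                # name looked up in the demo

def encode_name(name):
    """Hostname in DNS wire format: length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1):
    """RFC 1035 query: header (ID 0 per RFC 8484 for cacheable GETs, RD set) + IN question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver, name):
    """RFC 8484 GET form: base64url of the wire message with '=' padding removed."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return "https://%s/dns-query?dns=%s" % (resolver, b64)

def skip_name(msg, pos):
    """Offset just past a name; a 0xC0xx compression pointer occupies 2 bytes."""
    while msg[pos] and (msg[pos] & 0xC0) != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if (msg[pos] & 0xC0) == 0xC0 else 1)

def parse_a_records(msg):
    """IPv4 addresses from the answer section of a DNS response message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # QNAME, then QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed response (no network): question echoed back, then the two A records from slide 10,
# each owner name a compression pointer (0xC00C) to the question name at offset 12.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0, 0x8180, 1, 2, 0, 0) + encode_name(QNAME) + struct.pack("!HH", 1, 1)
for ip in ("130.238.7.133", "130.238.7.134"):
    SAMPLE_RESPONSE += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
```

Because the query ID is 0 and the URL carries the whole message, a second lookup of the same name produces the byte-identical URL, which is what lets HTTP caches serve it.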

SLIDE 24

Discussion of DNS-over-HTTPS

  • Encrypted connection to the DoH resolver (not among resolvers)
  • DoH lookups indistinguishable from other (HTTPS) traffic
  • Hostnames are exposed (of any server and of the DoH server)
  • To know the IP of the DoH resolver, a DNS look-up is necessary:

    DNS query: fi.doh.dns.snopyta.org → 95.216.24.230

  • Domain names may be local (goldfish.mycompany)

20

SLIDE 25

Discussion of DNS-over-HTTPS (2)

  • Centralises DNS to fewer DoH resolvers
  • A DNS query does not come from the same origin as a future HTTP query, e.g. streaming media from Content Delivery Networks
  • DoH makes it harder to monitor/filter traffic, e.g.
      • parental control
      • malware
      • authoritarian regime
  • DNS slightly faster than DoH
  • Easy to block DNS, hard to block HTTPS

21

SLIDE 26

“DoH is incompatible with the basic architecture of the DNS because it moves control plane (signaling) messages to the data plane (message forwarding), and that’s a no-no.” (Paul Vixie, 2018)

22

SLIDE 27

Support

  • Clients: e.g. Firefox, Chrome, curl, Opera
  • List of DNS servers at Privacytools.io and in the curl wiki

23

SLIDE 28

References & License

  • Lin Clark, “A cartoon intro to DNS over HTTPS”, Mozilla Hacks Blog, May 31, 2018
  • Illustrations by Lin Clark
  • Paul Vixie, “DNS Wars: Episode IV - A New Workaround”, presentation at Elbsides Conference, September 16, 2019
  • Photo of goldfish by Nikhil Thomas
  • The DNS Privacy Project

License: Creative Commons Attribution Share-Alike License v3.0

24