Secure DNS & Building the DNS Community in Viet Nam

SECURE DNS & BUILDING THE DNS COMMUNITY IN VIET NAM
Nha Trang, August 23, 2019

Secure DNS
Building the DNS Community in Viet Nam

DNS Privacy

DNS Privacy - Problem
• Almost every activity on the Internet starts with a DNS query (and often several)
• However, DNS queries are sent in clear text (using UDP or TCP), which means passive eavesdroppers can observe all the DNS lookups performed
• Some ISPs log DNS queries at the resolver and share this information with third parties in ways not known or obvious to end users
• Some ISPs embed user information (e.g. a user id or MAC address) within DNS queries that go to the ISP's resolver in order to provide services such as parental filtering. This allows for fingerprinting of individual users
• Man-in-the-Middle (MITM): DNS spoofing, DNS hijacking

DNS Privacy - The Solutions
• DNS-over-TLS (DoT)
• DNS-over-HTTPS (DoH)
• DNS over DTLS (DoD)
• DNS Query Name Minimisation
• DNSCrypt

DoT/DoH vs Traditional DNS (diagram)

DNS-over-TLS (DoT)
• Uses Transport Layer Security (TLS) for DNS queries and responses
• All traffic is encrypted between the stub and the recursive resolver
• The stub is able to authenticate the resolver
• Requires support in the stub and the recursive resolver
• TCP port 853
• RFC 7858 and RFC 8310

How does DNS-over-TLS work?
• When using DoT, the stub resolver connects to the recursive DNS resolver over Transmission Control Protocol (TCP) port 853
• When the connection is made, a TLS handshake is initiated
• When the TLS session is established, further communication is encrypted

DNS-over-HTTPS (DoH)
• DNS over HTTPS
• Uses an HTTPS session with a resolver
• Similar to DNS over TLS, but with HTTP object semantics
• Uses TCP port 443, so it can be masked within other HTTPS traffic
• Can use DNS wire format or a JSON-format DNS payload
• RFC 8484

How does DoH work?
• DoH uses HTTPS connections to encrypt DNS communication with TLS
• Generally, the connection is initiated in the same way as when a user accesses any HTTPS (TLS) secured website
• When the encrypted channel is created, DNS data is encapsulated in HTTP POST/GET frames
• Depending on the implementation, the payload of the frame contains wire-format (Internet draft) or JSON (Google implementation) DNS data

DoT Implementation Status (table)

DoH Implementation Status
• Clients: Mozilla Firefox, Google Chrome
• Server software: https://github.com/facebookexperimental/doh-proxy, https://github.com/curl/curl/wiki/DNS-over-HTTPS#doh-tools

Android 9 - DNS over TLS by default

DoT & DoH public recursors
• Google DNS (8.8.8.8)
• Cloudflare (1.1.1.1)
• Quad9 (9.9.9.9)
• CleanBrowsing

DNS Flag Day

What is DNS Flag Day?
• DNS Flag Day is an initiative by the DNS community to deprecate and remove support for an older DNS workaround that DNS vendors have been using for years
• The goal is to make DNS software a little less complex, easier to maintain, have more predictable behavior, and improve performance

DNS Flag Day 2019: 1 February 2019

What is the problem?
• Authoritative DNS servers block responses, or don't answer, or answer with the wrong packet
• In general, bad implementations of DNS not following the standards
• Poorly implemented firewalls on the way, poor firewall rules blocking valid traffic or unaware of the standards
• Resolvers have to send a query, wait for a timeout and retry using a different method: TCP or discard EDNS
• Forces delays and thwarts innovation and deployment of new features

What is the problem? (diagram)

Supporters

DNS Flag Day 2020
• It will focus on the operational and security problems in DNS caused by Internet Protocol packet fragmentation
• Goal: eliminate operational issues caused by fragments; improve the security of DNS

Eliminating fragments
• For large DNS answers switch to TCP
• No change for small answers - UDP
• Existing standards: DNS over TCP in RFC 7766 and predecessors; default EDNS buffer size ~= 1220 (= never fragment)
• Non-compliance on several levels: authoritative servers that do not listen on TCP; authoritative servers that do not honor the EDNS buffer size; recursive servers that ignore TC=1

What is happening?
Authoritative side (operations)
• Honor RFC 7766 - DNS Transport over TCP
• Answer on TCP port 53 and check your firewall, too!
• EDNS buffer size ~= 1220 to avoid fragmentation
• Defaults in software will reflect this
• Authoritative MUST NOT send oversized answers
• Standard compliant software does not require changes
Resolver side (operations)
• Honor RFC 7766
• Answer on TCP port 53 and check your firewall, too!
• EDNS buffer size ~= 1220 to avoid fragmentation
• Defaults in software will reflect this
• Resolvers MUST support fallback from UDP to TCP
• Standard compliant software does not require changes

Testing
Configuration:
• BIND: options { edns-udp-size 1220; max-udp-size 1220; };
• Knot DNS: server: max-udp-payload: 1220
• Knot Resolver: net.bufsize(1220)
• PowerDNS Authoritative: udp-truncation-threshold=1220
• PowerDNS Recursor: edns-outgoing-bufsize=1220 and udp-truncation-threshold=1220
• Unbound: server: edns-buffer-size: 1220
• NSD: server: ipv4-edns-size: 1220 and ipv6-edns-size: 1220
Manual test - all queries must succeed (tools with a nice UI are coming):
• $ dig +tcp @auth_IP yourdomain.example.
• $ dig +tcp @resolver_IP yourdomain.example.
• $ dig @resolver_IP test.knot-resolver.cz. TXT
• https://dnsflagday.net/2020/

Get in touch
• Web: https://dnsflagday.net/
• Supporters
• Twitter: https://twitter.com/dnsflagday
• Announcements: https://lists.dns-oarc.net/mailman/listinfo/dns-announce
• Questions: [email protected] oarc.net

Deployment Root DNS in Vietnam

Root DNS System

DNS Community in Vietnam
• Purpose: a working environment to discuss DNS topics, to share knowledge and experience, and to troubleshoot DNS
• Members: DNS administrators of registrars, ISPs, DNS hosting providers, banks, post offices, governments,…
• Activities: hosted and operated by VNNIC; mailing list; social network: Facebook; other apps: Slack, Telegram,…
• DNS topics to discuss: technical updates, protocols, DNS security solutions, troubleshooting,…
• All members can discuss questions
• Information is verified by VNNIC

DNS Community
• Mailing lists:
  • BIND Users Mailing List: https://lists.isc.org/mailman/listinfo/bind-users
  • DNS Operations (DNS-OARC): https://lists.dns-oarc.net/mailman/listinfo/dns-operations
• DNS forums: DNS-OARC, ICANN, APNIC, Internet Society, Men and Mice

• Name: Mr. Nguyen Van Tri
• Email: [email protected]
• Skype: nguyenvantri712
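The mechanics the slides describe (an EDNS0 buffer size of 1220 in the query, the TC=1 signal that forces the UDP-to-TCP retry, the two-byte length framing shared by DNS over TCP and DoT on port 853, and the RFC 8484 GET encoding for DoH) as an added, self-contained example using only the Python standard library; this is not code from the presentation or from any of the resolvers it names. The resolver hostname passed to dot_query and the DoH endpoint URL are assumptions; all sample bytes are constructed.

```python
import base64
import socket
import ssl
import struct

def build_query(name, qtype=1, edns_bufsize=1220, txid=0x1234):
    """Wire-format DNS query with RD=1 and an EDNS0 OPT record advertising edns_bufsize."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (the OPT RR)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)              # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size, TTL=0 (no flags), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt

def tcp_frame(msg):
    """Two-byte length prefix used by DNS over TCP (RFC 7766) and DoT (RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg

def is_truncated(response):
    """TC bit set: the UDP answer did not fit, so a compliant resolver retries over TCP."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)

def doh_get_url(endpoint, query):
    """RFC 8484 GET form: the wire-format query, base64url-encoded without padding."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def _recv_exact(sock, n):
    """Read exactly n bytes; TLS records do not line up with DNS message boundaries."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS session mid-message")
        buf += chunk
    return buf

def dot_query(server, name, port=853):
    """Send one query over DNS-over-TLS and return the raw answer (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the resolver's certificate (stub authenticates resolver)
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(tcp_frame(build_query(name)))
        length = struct.unpack("!H", _recv_exact(tls, 2))[0]
        return _recv_exact(tls, length)
```

Calling dot_query("dns.google", "yourdomain.example.") (assumed resolver name) performs the port 853 exchange from the DoT slide; is_truncated on a plain UDP answer decides whether the Flag Day 2020 TCP fallback is needed.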
