Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DNS Encryption and Its Controversies

sylph01
December 19, 2020
Technology
0
760

DNS Encryption and Its Controversies

DNS暗号化とその論点 @ DNS温泉番外編 in 大阪

sylph01

December 19, 2020
Tweet

More Decks by sylph01

See All by sylph01
Introduction to C Extensions
sylph01
3
160
"Actual" Security in Microcontroller Ruby!?
sylph01
0
110
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
45
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
270
Adding Security to Microcontroller Ruby
sylph01
2
3.4k
Secure Messaging at IETF 118
sylph01
0
94
Adventures in the Dungeons of OpenSSL
sylph01
0
570
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
340
Build and Learn Rails Authentication
sylph01
8
2.1k

Other Decks in Technology

See All in Technology
開発現場とセキュリティ担当をつなぐ脅威モデリング
cloudace
0
140
大規模プロジェクトにおける 品質管理の要点と実践 / 20250327 Suguru Ishii
shift_evolve
0
320
Amebaにおける Platform Engineeringの実践
kumorn5s
5
840
Agile TPIを活用した品質改善事例
tomasagi
0
590
マルチアカウント管理で必須!AWS Organizationsの機能とユースケース解説
nrinetcom
PRO
1
120
デザインシステムのレガシーコンポーネントを刷新した話/Design System Legacy Renewal
kaonavi
0
140
Tirez profit de Messenger pour améliorer votre architecture
tucksaun
1
200
SaaSプロダクト開発におけるバグの早期検出のためのAcceptance testの取り組み
kworkdev
PRO
0
540
ペアーズにおけるData Catalog導入の取り組み
hisamouna
0
250
生成AI時代のセキュアCI/CDとソース管理
yuriemori
0
110
こんなデータマートは嫌だ。どんな? / waiwai-data-meetup-202504
shuntak
3
580
サーバシステムを無理なくコンテナ移行する際に伝えたい4つのポイント/Container_Happy_Migration_Method
ozawa
1
120

Featured

See All Featured
A Tale of Four Properties
chriscoyier
158
23k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
YesSQL, Process and Tooling at Scale
rocio
172
14k
Six Lessons from altMBA
skipperchong
27
3.7k
Making the Leap to Tech Lead
cromwellryan
133
9.2k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
Statistics for Hackers
jakevdp
798
220k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
21k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.5k
The Cult of Friendly URLs
andyhume
78
6.3k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Docker and Python
trallard
44
3.3k

Transcript

  1. DNS҉߸Խͱͦͷ࿦఺ sylph01 / Ryo Kajiwara @ DNSԹઘ൪֎ฤ in େࡕ, 2020/12/19

  2. ୭ʁ ֿݪ ཾ(sylph01) Twitter: @s01 ໺ੜͷϓϩάϥϚ ҉߸ͱ͔Ͱ͖·͢ TLSΑΓ্ͷ૚ DNS·ΔͰΘ͔ΒΜ

  3. એ఻ "DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ ज़ॻయ6(2019/4)Ͱ൦෍͠·ͨ͠ DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ DNSSECɺDNS over TLS/HTTPS͋ͨΓ ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ

    ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢ ࠓ೔ѻ͏DNS҉߸Խͷ࿩΋ѻ͍ͬͯ·͢ ૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ ൦෍த
  4. None

  5. preface DNSSECͷ࿩Ͱ͸ͳ͍ɻ DNSSEC͸ॺ໊Ͱ͋ͬͯ҉߸ԽͰ͸ͳ͍ɻ DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂ޷ɾࢥ૝ʹؔ͢Δ৘ใΛऩू͢ Δ͜ͱ͕Մೳɺ͋Δ͍͸ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର ࡦͱͯ͠ͷDNS҉߸Խɻ DNS҉߸Խ͸Πϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ

  6. ࣌ؒతʹද໘ͳͧΔͩ ͚Ͱ͢

  7. Pervasive Monitoring is an Attack RFC 7258 2014/5

  8. DNS Privacy Considerations RFC 7626 2015/8

  9. None

  10. DNS over TLS (DoT) RFC 7858 2016/5

  11. DNS Queries over HTTPS (DoH) RFC 8484 2018/10

  12. DoT vs DoH • DoT͸port 853Λ࢖͏ɺDoH͸HTTPSͱಉ༷port 443Λ࢖͏ • DoT͸port 853ͷϒϩοΩϯάͰ๦֐Մೳ

    • DoH͸port 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ Ͱ͖ͳ͍ • ҰํͰΑ͘஌ΒΕ͍ͯΔDoHରԠαʔόʔ΁ͷIPϒϩοΩ ϯάΛߦ͑͹๦֐Մೳ

  13. Oblivious DNS over HTTPS draft-pauly-dprive-oblivious-doh -00 @ 2020/10, -03 @

    2020/12
  14. None
  15. None

  16. DNS over QUIC https:/ /adguard.com/ja/blog/dns- over-quic.html

  17. DNSCrypt, DNSCurve …͸ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ ͳ͍ͷͰུ

  18. None

  19. ࿦఺

  20. ஫: චऀ͸҉߸ԽਪਐدΓ Ͱ͢

  21. DoT/DoH/ODoH͸ ωοτϫʔΫ؅ཧऀʹ ͱͬͯ౎߹͕ѱ͍

  22. ͦΕ͸ ࢓༷Ͱ͢

  23. DNS҉߸Խ͸sysadminʹ౎ ߹͕ѱ͍ • ॾʑͷࣄ৘ • DNSΛ࢖ͬͯad-blocking, parental controlΛ͍ͨ͠ • DNSΛ࢖ͬͯϗϞάϥϑ߈ܸ΍typosquatting͔Β๷Ӵ͍ͨ͠

    • nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ • ͿͬͪΌ͚ ৗ࣌HTTPSԽ΍E2EE΋sysadminʹ౎߹͕ѱ͍

  24. DNS҉߸Խ͸sysadminʹ౎ ߹͕ѱ͍ • ͔͠͠DoT/DoH/ODoH͸ωοτϫʔΫ؅ཧऀ͕ѱҙΛ͍࣋ͬͯ ΔέʔεΛ૝ఆͯ͠σβΠϯ͞Ε͍ͯΔ • ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε • ϓϩόΠμͱ݁ୗͯ͠੓෎ػ͕ؔσʔλΛऩू͢Δέʔε •

    "Pervasive Monitoring is an Attack"

  25. stub-recursive, recursive- authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ ͸Ͱ͖Δ͔ʁ • pervasive monitoringͷରࡦʹ͸ͳΔɺrecursive͕ѱҙͷ͋Δέʔ ε͸ҙຯͳ͍ • IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘઀ଓઌೝূ͕ࠔ೉

    • ઀ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Ε͹pervasive monitoringͷରࡦ͸Մೳ

  26. PKIΛ࢖ͬͨTLS͕੒ཱ ͢Δͷ΋ׂͱDNSͷ͓ ͔͛Έ͍ͨͳͱ͜Ζ͕ ͋Δ

  27. DNSϒϩοΩϯάͱ͸ ʮΠϯλʔωοτΛڊ େͳΠϯτϥωοτͱ Έͳͯ͠؅ཧ͍ͨ͠ʯ ͱ͍͏͜ͱʹ૬౰

  28. DoT/DoH͸Πϯλʔωοτͷ தԝूݖԽΛଅ͢ • DoT/DoHαʔόʔ͸Ͳ͏΍ͬͯબ୒͞ΕΔͷʁ • ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱ͸ʁ • DoT/DoH͸৴༻ͷ໰୊ΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ όʔӡ༻ऀʹԡ͠෇͚͍ͯΔ͚ͩͰ͸ͳ͍͔ʁ •

    DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ
  29. None

  30. ·ͱΊ • DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ • DNS over TLS (DoT), DNS

    Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ ख๏ͩΑ • ҉߸Խ͞ΕΔͱsysadminʹ౎߹͕ѱ͍ɺ͚Ͳ࢓༷ͩΑ • ৴༻ͬͯԿͩΖ͏

  31. Questions? send to @s01 on Twitter