$30 off During Our Annual Pro Sale. View Details »
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DNS Encryption and Its Controversies
Search
sylph01
December 19, 2020
Technology
0
820
DNS Encryption and Its Controversies
DNS暗号化とその論点 @ DNS温泉番外編 in 大阪
sylph01
December 19, 2020
Tweet
Share
More Decks by sylph01
See All by sylph01
Updates on MLS on Ruby (and maybe more)
sylph01
1
220
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (RubyConf Taiwan 2025 ver.)
sylph01
1
110
PicoRuby's Networking is Incomplete
sylph01
1
100
The Definitive? Guide To Locally Organizing RubyKaigi
sylph01
6
1.9k
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too
sylph01
1
150
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (JP subtitles)
sylph01
2
780
Introduction to C Extensions
sylph01
3
240
"Actual" Security in Microcontroller Ruby!?
sylph01
0
180
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
89
Other Decks in Technology
See All in Technology
AI駆動開発における設計思想 認知負荷を下げるフロントエンドアーキテクチャ/ 20251211 Teppei Hanai
shift_evolve
PRO
2
440
アプリにAIを正しく組み込むための アーキテクチャ── 国産LLMの現実と実践
kohju
0
140
Power of Kiro : あなたの㌔はパワステ搭載ですか?
r3_yamauchi
PRO
0
200
AIエージェント開発と活用を加速するワークフロー自動生成への挑戦
shibuiwilliam
4
650
普段使ってるClaude Skillsの紹介(by Notebooklm)
zerebom
2
570
AlmaLinux + KVM + Cockpit で始めるお手軽仮想化基盤 ~ 開発環境などでの利用を想定して ~
koedoyoshida
0
130
Strands AgentsとNova 2 SonicでS2Sを実践してみた
yama3133
1
1k
生成AI時代におけるグローバル戦略思考
taka_aki
0
210
AI-DLCを現場にインストールしてみた:プロトタイプ開発で分かったこと・やめたこと
recruitengineers
PRO
2
190
AWS re:Invent 2025~初参加の成果と学び~
kubomasataka
0
150
1人1サービス開発しているチームでのClaudeCodeの使い方
noayaoshiro
2
510
ハッカソンから社内プロダクトへ AIエージェント「ko☆shi」開発で学んだ4つの重要要素
sonoda_mj
6
940
Featured
See All Featured
Are puppies a ranking factor?
jonoalderson
0
2.3k
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
cargoodrich
2
61
How Software Deployment tools have changed in the past 20 years
geshan
0
29k
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
mfonobong
2
220
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
ryanjones
0
23
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3k
30 Presentation Tips
portentint
PRO
1
170
Build The Right Thing And Hit Your Dates
maggiecrowley
38
3k
Large-scale JavaScript Application Architecture
addyosmani
515
110k
技術選定の審美眼(2025年版) / Understanding the Spiral of Technologies 2025 edition
twada
PRO
115
91k
Done Done
chrislema
186
16k
HDC tutorial
michielstock
0
260
Transcript
DNS҉߸Խͱͦͷ sylph01 / Ryo Kajiwara @ DNSԹઘ൪֎ฤ in େࡕ, 2020/12/19
୭ʁ ֿݪ ཾ(sylph01) Twitter: @s01 ੜͷϓϩάϥϚ ҉߸ͱ͔Ͱ͖·͢ TLSΑΓ্ͷ DNS·ΔͰΘ͔ΒΜ
એ "DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ ज़ॻయ6(2019/4)Ͱ൦͠·ͨ͠ DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ DNSSECɺDNS over TLS/HTTPS͋ͨΓ ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ
ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢ ࠓѻ͏DNS҉߸Խͷѻ͍ͬͯ·͢ ૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ ൦த
None
preface DNSSECͷͰͳ͍ɻ DNSSECॺ໊Ͱ͋ͬͯ҉߸ԽͰͳ͍ɻ DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂɾࢥʹؔ͢ΔใΛऩू͢ Δ͜ͱ͕Մೳɺ͋Δ͍ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର ࡦͱͯ͠ͷDNS҉߸Խɻ DNS҉߸ԽΠϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ
࣌ؒతʹද໘ͳͧΔͩ ͚Ͱ͢
Pervasive Monitoring is an Attack RFC 7258 2014/5
DNS Privacy Considerations RFC 7626 2015/8
None
DNS over TLS (DoT) RFC 7858 2016/5
DNS Queries over HTTPS (DoH) RFC 8484 2018/10
DoT vs DoH • DoTport 853Λ͏ɺDoHHTTPSͱಉ༷port 443Λ͏ • DoTport 853ͷϒϩοΩϯάͰՄೳ
• DoHport 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ Ͱ͖ͳ͍ • ҰํͰΑ͘ΒΕ͍ͯΔDoHରԠαʔόʔͷIPϒϩοΩ ϯάΛߦ͑Մೳ
Oblivious DNS over HTTPS draft-pauly-dprive-oblivious-doh -00 @ 2020/10, -03 @
2020/12
None
None
DNS over QUIC https:/ /adguard.com/ja/blog/dns- over-quic.html
DNSCrypt, DNSCurve …ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ ͳ͍ͷͰུ
None
: චऀ҉߸ԽਪਐدΓ Ͱ͢
DoT/DoH/ODoH ωοτϫʔΫཧऀʹ ͱͬͯ߹͕ѱ͍
ͦΕ ༷Ͱ͢
DNS҉߸Խsysadminʹ ߹͕ѱ͍ • ॾʑͷࣄ • DNSΛͬͯad-blocking, parental controlΛ͍ͨ͠ • DNSΛͬͯϗϞάϥϑ߈ܸtyposquatting͔ΒӴ͍ͨ͠
• nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ • ͿͬͪΌ͚ ৗ࣌HTTPSԽE2EEsysadminʹ߹͕ѱ͍
DNS҉߸Խsysadminʹ ߹͕ѱ͍ • ͔͠͠DoT/DoH/ODoHωοτϫʔΫཧऀ͕ѱҙΛ͍࣋ͬͯ ΔέʔεΛఆͯ͠σβΠϯ͞Ε͍ͯΔ • ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε • ϓϩόΠμͱ݁ୗͯ͠ػ͕ؔσʔλΛऩू͢Δέʔε •
"Pervasive Monitoring is an Attack"
stub-recursive, recursive- authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ Ͱ͖Δ͔ʁ • pervasive monitoringͷରࡦʹͳΔɺrecursive͕ѱҙͷ͋Δέʔ εҙຯͳ͍ • IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘ଓઌೝূ͕ࠔ
• ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Εpervasive monitoringͷରࡦՄೳ
PKIΛͬͨTLSཱ͕ ͢ΔͷׂͱDNSͷ͓ ͔͛Έ͍ͨͳͱ͜Ζ͕ ͋Δ
DNSϒϩοΩϯάͱ ʮΠϯλʔωοτΛڊ େͳΠϯτϥωοτͱ Έͳͯ͠ཧ͍ͨ͠ʯ ͱ͍͏͜ͱʹ૬
DoT/DoHΠϯλʔωοτͷ தԝूݖԽΛଅ͢ • DoT/DoHαʔόʔͲ͏ͬͯબ͞ΕΔͷʁ • ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱʁ • DoT/DoH৴༻ͷΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ όʔӡ༻ऀʹԡ͚͍ͯ͠Δ͚ͩͰͳ͍͔ʁ •
DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ
None
·ͱΊ • DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ • DNS over TLS (DoT), DNS
Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ ख๏ͩΑ • ҉߸Խ͞ΕΔͱsysadminʹ߹͕ѱ͍ɺ͚Ͳ༷ͩΑ • ৴༻ͬͯԿͩΖ͏
Questions? send to @s01 on Twitter
sylph01
shift_evolve
kohju
r3_yamauchi
shibuiwilliam
zerebom
koedoyoshida
yama3133
taka_aki
recruitengineers
kubomasataka
noayaoshiro
sonoda_mj
jonoalderson
cargoodrich
geshan
mfonobong
ryanjones
danielanewman
portentint
maggiecrowley
addyosmani
twada
chrislema
michielstock
