Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DNS Encryption and Its Controversies
Search
sylph01
December 19, 2020
Technology
0
800
DNS Encryption and Its Controversies
DNS暗号化とその論点 @ DNS温泉番外編 in 大阪
sylph01
December 19, 2020
Tweet
Share
More Decks by sylph01
See All by sylph01
Updates on MLS on Ruby (and maybe more)
sylph01
1
180
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (RubyConf Taiwan 2025 ver.)
sylph01
1
87
PicoRuby's Networking is Incomplete
sylph01
1
43
The Definitive? Guide To Locally Organizing RubyKaigi
sylph01
6
1.6k
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too
sylph01
1
130
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (JP subtitles)
sylph01
2
590
Introduction to C Extensions
sylph01
3
210
"Actual" Security in Microcontroller Ruby!?
sylph01
0
150
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
71
Other Decks in Technology
See All in Technology
AWSで始める実践Dagster入門
kitagawaz
1
600
現場で効くClaude Code ─ 最新動向と企業導入
takaakikakei
1
230
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
8.7k
共有と分離 - Compose Multiplatform "本番導入" の設計指針
error96num
1
370
サラリーマンの小遣いで作るtoCサービス - Cloudflare Workersでスケールする開発戦略
shinaps
2
420
サンドボックス技術でAI利活用を促進する
koh_naga
0
200
OCI Oracle Database Services新機能アップデート(2025/06-2025/08)
oracle4engineer
PRO
0
110
なぜSaaSがMCPサーバーをサービス提供するのか?
sansantech
PRO
8
2.8k
Agile PBL at New Grads Trainings
kawaguti
PRO
1
410
S3アクセス制御の設計ポイント
tommy0124
3
190
Snowflakeの生成AI機能を活用したデータ分析アプリの作成 〜Cortex AnalystとCortex Searchの活用とStreamlitアプリでの利用〜
nayuts
1
470
Platform開発が先行する Platform Engineeringの違和感
kintotechdev
4
550
Featured
See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
112
20k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
188
55k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
810
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.9k
How to Ace a Technical Interview
jacobian
279
23k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
Code Reviewing Like a Champion
maltzj
525
40k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.4k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
285
13k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Transcript
DNS҉߸Խͱͦͷ sylph01 / Ryo Kajiwara @ DNSԹઘ൪֎ฤ in େࡕ, 2020/12/19
୭ʁ ֿݪ ཾ(sylph01) Twitter: @s01 ੜͷϓϩάϥϚ ҉߸ͱ͔Ͱ͖·͢ TLSΑΓ্ͷ DNS·ΔͰΘ͔ΒΜ
એ "DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ ज़ॻయ6(2019/4)Ͱ൦͠·ͨ͠ DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ DNSSECɺDNS over TLS/HTTPS͋ͨΓ ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ
ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢ ࠓѻ͏DNS҉߸Խͷѻ͍ͬͯ·͢ ૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ ൦த
None
preface DNSSECͷͰͳ͍ɻ DNSSECॺ໊Ͱ͋ͬͯ҉߸ԽͰͳ͍ɻ DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂɾࢥʹؔ͢ΔใΛऩू͢ Δ͜ͱ͕Մೳɺ͋Δ͍ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର ࡦͱͯ͠ͷDNS҉߸Խɻ DNS҉߸ԽΠϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ
࣌ؒతʹද໘ͳͧΔͩ ͚Ͱ͢
Pervasive Monitoring is an Attack RFC 7258 2014/5
DNS Privacy Considerations RFC 7626 2015/8
None
DNS over TLS (DoT) RFC 7858 2016/5
DNS Queries over HTTPS (DoH) RFC 8484 2018/10
DoT vs DoH • DoTport 853Λ͏ɺDoHHTTPSͱಉ༷port 443Λ͏ • DoTport 853ͷϒϩοΩϯάͰՄೳ
• DoHport 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ Ͱ͖ͳ͍ • ҰํͰΑ͘ΒΕ͍ͯΔDoHରԠαʔόʔͷIPϒϩοΩ ϯάΛߦ͑Մೳ
Oblivious DNS over HTTPS draft-pauly-dprive-oblivious-doh -00 @ 2020/10, -03 @
2020/12
None
None
DNS over QUIC https:/ /adguard.com/ja/blog/dns- over-quic.html
DNSCrypt, DNSCurve …ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ ͳ͍ͷͰུ
None
: චऀ҉߸ԽਪਐدΓ Ͱ͢
DoT/DoH/ODoH ωοτϫʔΫཧऀʹ ͱͬͯ߹͕ѱ͍
ͦΕ ༷Ͱ͢
DNS҉߸Խsysadminʹ ߹͕ѱ͍ • ॾʑͷࣄ • DNSΛͬͯad-blocking, parental controlΛ͍ͨ͠ • DNSΛͬͯϗϞάϥϑ߈ܸtyposquatting͔ΒӴ͍ͨ͠
• nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ • ͿͬͪΌ͚ ৗ࣌HTTPSԽE2EEsysadminʹ߹͕ѱ͍
DNS҉߸Խsysadminʹ ߹͕ѱ͍ • ͔͠͠DoT/DoH/ODoHωοτϫʔΫཧऀ͕ѱҙΛ͍࣋ͬͯ ΔέʔεΛఆͯ͠σβΠϯ͞Ε͍ͯΔ • ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε • ϓϩόΠμͱ݁ୗͯ͠ػ͕ؔσʔλΛऩू͢Δέʔε •
"Pervasive Monitoring is an Attack"
stub-recursive, recursive- authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ Ͱ͖Δ͔ʁ • pervasive monitoringͷରࡦʹͳΔɺrecursive͕ѱҙͷ͋Δέʔ εҙຯͳ͍ • IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘ଓઌೝূ͕ࠔ
• ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Εpervasive monitoringͷରࡦՄೳ
PKIΛͬͨTLSཱ͕ ͢ΔͷׂͱDNSͷ͓ ͔͛Έ͍ͨͳͱ͜Ζ͕ ͋Δ
DNSϒϩοΩϯάͱ ʮΠϯλʔωοτΛڊ େͳΠϯτϥωοτͱ Έͳͯ͠ཧ͍ͨ͠ʯ ͱ͍͏͜ͱʹ૬
DoT/DoHΠϯλʔωοτͷ தԝूݖԽΛଅ͢ • DoT/DoHαʔόʔͲ͏ͬͯબ͞ΕΔͷʁ • ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱʁ • DoT/DoH৴༻ͷΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ όʔӡ༻ऀʹԡ͚͍ͯ͠Δ͚ͩͰͳ͍͔ʁ •
DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ
None
·ͱΊ • DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ • DNS over TLS (DoT), DNS
Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ ख๏ͩΑ • ҉߸Խ͞ΕΔͱsysadminʹ߹͕ѱ͍ɺ͚Ͳ༷ͩΑ • ৴༻ͬͯԿͩΖ͏
Questions? send to @s01 on Twitter