Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DNS Encryption and Its Controversies
Search
sylph01
December 19, 2020
Technology
870
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
DNS Encryption and Its Controversies
DNS暗号化とその論点 @ DNS温泉番外編 in 大阪
sylph01
December 19, 2020
More Decks by sylph01
See All by sylph01
人命を救う技術としてのEnd-to-End暗号化とMessaging Layer Security
sylph01
3
220
Updates on MLS on Ruby (and maybe more)
sylph01
1
280
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (RubyConf Taiwan 2025 ver.)
sylph01
1
150
PicoRuby's Networking is Incomplete
sylph01
1
260
The Definitive? Guide To Locally Organizing RubyKaigi
sylph01
9
3.8k
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too
sylph01
1
200
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (JP subtitles)
sylph01
2
950
Introduction to C Extensions
sylph01
3
290
"Actual" Security in Microcontroller Ruby!?
sylph01
0
230
Other Decks in Technology
See All in Technology
AIの性能が向上しても未解決な組織の重大問題は何か?/An Unsolved Organizational Problem in the Age of AI
moriyuya
3
610
Claude Codeをどのように キャッチアップしているか
oikon48
1
710
FinOps × AIエージェントで実現する コストインシデントの自動調査
oasis1994liveforever
0
120
2026TECHFRESH畢業分享會 - 原生還是跨平台? App 開發踩坑實錄
line_developers_tw
PRO
0
780
白金鉱業Meetup_Vol.24_「AIエージェントは分けるほど良い」は本当か? / Is it true that “the more you divide AI agents, the better”?
brainpadpr
1
290
MCP Appsを作ってみよう
iwamot
PRO
4
520
スキルと MCP ツール、責務をどう分けるか? AI が迷わないインターフェース設計の戦略
cdataj
1
950
2026.06.13_AI時代に事業会社が「SIer出身エンジニア」を求める理由 / Why Businesses Seek Engineers with a System Integrator Background in the AI Era
jumtech
0
1k
AAIFに入ってみた ~内から見えるコミュニティ動向~
sato4
0
150
LLMと共に進化するプロセスを目指して
ymatsuwitter
12
4k
Android の公式 Skill / Android skills
yanzm
0
120
MIERUNE JCT 発表資料「宇宙から伊能忠敬ごっこ」
syuchimu
0
210
Featured
See All Featured
Skip the Path - Find Your Career Trail
mkilby
1
140
DevOps and Value Stream Thinking: Enabling flow, efficiency and business value
helenjbeal
1
230
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
122
22k
Exploring the relationship between traditional SERPs and Gen AI search
raygrieselhuber
PRO
2
4k
Learning to Love Humans: Emotional Interface Design
aarron
275
41k
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
1
2.7k
Navigating the moral maze — ethical principles for Al-driven product design
skipperchong
2
390
16th Malabo Montpellier Forum Presentation
akademiya2063
PRO
0
140
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
Being A Developer After 40
akosma
91
590k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
659
62k
Chasing Engaging Ingredients in Design
codingconduct
0
220
Transcript
DNS҉߸Խͱͦͷ sylph01 / Ryo Kajiwara @ DNSԹઘ൪֎ฤ in େࡕ, 2020/12/19
୭ʁ ֿݪ ཾ(sylph01) Twitter: @s01 ੜͷϓϩάϥϚ ҉߸ͱ͔Ͱ͖·͢ TLSΑΓ্ͷ DNS·ΔͰΘ͔ΒΜ
એ "DNSDNS Resolution" ͳΔຊΛॻ͍ٕͯ ज़ॻయ6(2019/4)Ͱ൦͠·ͨ͠ DNSʹର͢Δ߈ܸɺDNSϒϩοΩϯάɺ DNSSECɺDNS over TLS/HTTPS͋ͨΓ ͷɺDNSͷηΩϡϦςΟɾϓϥΠόγʔ
ʹؔΘΔτϐοΫΛѻ͍ͬͯ·͢ ࠓѻ͏DNS҉߸Խͷѻ͍ͬͯ·͢ ૿ิ൛Ͱ͋Δ"append mix"ΛBOOTHʹͯ ൦த
None
preface DNSSECͷͰͳ͍ɻ DNSSECॺ໊Ͱ͋ͬͯ҉߸ԽͰͳ͍ɻ DNS queryͷ౪ௌʹΑͬͯݸਓͷᅂɾࢥʹؔ͢ΔใΛऩू͢ Δ͜ͱ͕Մೳɺ͋Δ͍ϒϩοΩϯάΛߦ͏͜ͱ͕Մೳɻͦͷର ࡦͱͯ͠ͷDNS҉߸Խɻ DNS҉߸ԽΠϯλʔωοτ҉߸ԽͷϥετϫϯϚΠϧɻ
࣌ؒతʹද໘ͳͧΔͩ ͚Ͱ͢
Pervasive Monitoring is an Attack RFC 7258 2014/5
DNS Privacy Considerations RFC 7626 2015/8
None
DNS over TLS (DoT) RFC 7858 2016/5
DNS Queries over HTTPS (DoH) RFC 8484 2018/10
DoT vs DoH • DoTport 853Λ͏ɺDoHHTTPSͱಉ༷port 443Λ͏ • DoTport 853ͷϒϩοΩϯάͰՄೳ
• DoHport 443Λར༻͢ΔͷͰ௨ৗͷHTTPSϦΫΤετͱ۠ผ Ͱ͖ͳ͍ • ҰํͰΑ͘ΒΕ͍ͯΔDoHରԠαʔόʔͷIPϒϩοΩ ϯάΛߦ͑Մೳ
Oblivious DNS over HTTPS draft-pauly-dprive-oblivious-doh -00 @ 2020/10, -03 @
2020/12
None
None
DNS over QUIC https:/ /adguard.com/ja/blog/dns- over-quic.html
DNSCrypt, DNSCurve …ଘࡏ͢Δ͚ͲIETFͰඪ४Խ͞Εͯ ͳ͍ͷͰུ
None
: චऀ҉߸ԽਪਐدΓ Ͱ͢
DoT/DoH/ODoH ωοτϫʔΫཧऀʹ ͱͬͯ߹͕ѱ͍
ͦΕ ༷Ͱ͢
DNS҉߸Խsysadminʹ ߹͕ѱ͍ • ॾʑͷࣄ • DNSΛͬͯad-blocking, parental controlΛ͍ͨ͠ • DNSΛͬͯϗϞάϥϑ߈ܸtyposquatting͔ΒӴ͍ͨ͠
• nextdns.io ͱ͍͏αʔϏε͕ࣄ࣮ଘࡏ͢Δ • ͿͬͪΌ͚ ৗ࣌HTTPSԽE2EEsysadminʹ߹͕ѱ͍
DNS҉߸Խsysadminʹ ߹͕ѱ͍ • ͔͠͠DoT/DoH/ODoHωοτϫʔΫཧऀ͕ѱҙΛ͍࣋ͬͯ ΔέʔεΛఆͯ͠σβΠϯ͞Ε͍ͯΔ • ϓϩόΠμ͕σʔλΛऩू͍ͯ͠Δέʔε • ϓϩόΠμͱ݁ୗͯ͠ػ͕ؔσʔλΛऩू͢Δέʔε •
"Pervasive Monitoring is an Attack"
stub-recursive, recursive- authoritative͚ؒͩ҉߸Խ͢Δ͜ͱ Ͱ͖Δ͔ʁ • pervasive monitoringͷରࡦʹͳΔɺrecursive͕ѱҙͷ͋Δέʔ εҙຯͳ͍ • IPΞυϨεূ໌ॻͷऔಘͷϋʔυϧ͕ߴ͘ଓઌೝূ͕ࠔ
• ଓઌೝূΛͤͣ҉߸Խ͚ͩ͢Δ͜ͱΛ͢Εpervasive monitoringͷରࡦՄೳ
PKIΛͬͨTLSཱ͕ ͢ΔͷׂͱDNSͷ͓ ͔͛Έ͍ͨͳͱ͜Ζ͕ ͋Δ
DNSϒϩοΩϯάͱ ʮΠϯλʔωοτΛڊ େͳΠϯτϥωοτͱ Έͳͯ͠ཧ͍ͨ͠ʯ ͱ͍͏͜ͱʹ૬
DoT/DoHΠϯλʔωοτͷ தԝूݖԽΛଅ͢ • DoT/DoHαʔόʔͲ͏ͬͯબ͞ΕΔͷʁ • ৴༻Ͱ͖ΔDoT/DoHαʔόʔͱʁ • DoT/DoH৴༻ͷΛωοτϫʔΫࣄۀऀ͔ΒDoT/DoHαʔ όʔӡ༻ऀʹԡ͚͍ͯ͠Δ͚ͩͰͳ͍͔ʁ •
DoT/DoHαʔόʔࣄۀऀ͕ѱତͪͨ͠Βʁ
None
·ͱΊ • DNS queryͷ౪ௌ͕ࠔΔͷͰDNS҉߸Խ͕ੜ·ΕͨΑ • DNS over TLS (DoT), DNS
Queries over HTTPS (DoH)ͱ͍͏ͷ͕ओͳ ख๏ͩΑ • ҉߸Խ͞ΕΔͱsysadminʹ߹͕ѱ͍ɺ͚Ͳ༷ͩΑ • ৴༻ͬͯԿͩΖ͏
Questions? send to @s01 on Twitter
sylph01
moriyuya
oikon48
oasis1994liveforever
line_developers_tw
brainpadpr
iwamot
cdataj
jumtech
sato4
ymatsuwitter
yanzm
syuchimu
mkilby
.png){kind=avatar}
helenjbeal
panda_program
raygrieselhuber
aarron
lindahogenes
skipperchong
akademiya2063
pedronauck
akosma
lemiorhan
codingconduct
