Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...

"Chris Box (BT)" <chris.box.ietf@gmail.com> Wed, 07 October 2020 17:05 UTC

Return-Path: <chris.box.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 829EE3A0D79 for <dns-privacy@ietfa.amsl.com>; Wed, 7 Oct 2020 10:05:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UCadRFjyIp86 for <dns-privacy@ietfa.amsl.com>; Wed, 7 Oct 2020 10:05:00 -0700 (PDT)
Received: from mail-qv1-xf33.google.com (mail-qv1-xf33.google.com [IPv6:2607:f8b0:4864:20::f33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC3E83A0D88 for <dns-privacy@ietf.org>; Wed, 7 Oct 2020 10:04:59 -0700 (PDT)
Received: by mail-qv1-xf33.google.com with SMTP id y7so181248qvn.13 for <dns-privacy@ietf.org>; Wed, 07 Oct 2020 10:04:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CumxJUq1fj4YprXE87AGVJcjriGBCXfEyLwljzA+9BA=; b=J1v9tPK6f5jfB5tiyTJ8oqFBWhitg6gHNJh2kwLXuNsqMc0qpgBVWTM7OY60joVfJV xU982uJmN6cw0rcG7Z1yYlkGLdoHwtRYUz7YadKCzAWHC0fcJMoLDgbFofZwFoAkSeZh IVyImdJLFSM1F4gTSQsBcsY8PrAMf2VaaoKTEgaVBvP2EvDCtriO3acevP0j0GtdfPJK bXDkqZgmNx5XGduMPIcIiMnZHcLvBPez8PuLWosPHcAaBie/lh57F4ZqsxMTXk+lg/31 t+Wj0x7GUm/xwSgrIShDlp1rxuXI/zUj5hwyl7UnSwyR7MKQlXwllX+NnH8fKWtrFS0m /YUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CumxJUq1fj4YprXE87AGVJcjriGBCXfEyLwljzA+9BA=; b=cE4a0NBrOR70KPQjLdA/TUp6kyPu5aVM2Rx+tapZwdpfBPOyIWUWOZW8hpyjZM8sIO OCCjS7yn2xNGJRux+PrhjS7tX9Dmuhw73U8M+SZbWxxOJ7P0YX4/TbL2W//56tet6p/w oaqzw+wp9XJ/u/yW81G2CA3GqSabOQ3n4Z2Bd63+UmrhRZl7MAX1HGcOC6Hj0zwgDp8W of/E5PdBJDOOgsHpZfg/IsfeVeSiQkc6tZQ28W6tLTL0zj/GClY47UqaDEgPNQJ5J7+L Mus1XydOqT72V002Mz7v+Yxjkaa4u8rD980SIk4QWuR9TUs5G9MJoquzxl6pYjhBCkw6 tZwg==
X-Gm-Message-State: AOAM532dPhUO78KI6HKFatn6C23LWz+0u6gJrpbfJsNrnHge/ahX1hGm Ln0otN+0qdn+B+adE8e6r6UY3j+5fPRdAK34wOE=
X-Google-Smtp-Source: ABdhPJxIwxW5iI/iU93TNoJNYz31KzUOBjGog3qT/3JQooOi3mZJhrhVGfYsKJJfk8iFwgcwO6+Ix3btdpCqrci9Uqc=
X-Received: by 2002:a05:6214:11b3:: with SMTP id u19mr4300242qvv.51.1602090298940; Wed, 07 Oct 2020 10:04:58 -0700 (PDT)
MIME-Version: 1.0
References: <MN2PR11MB47604813E0DC2DDA0E297A36D80C0@MN2PR11MB4760.namprd11.prod.outlook.com> <CAO+dDxn1J2bOz1b8iPKbUnYLTFhSLJRhx9Od5hAHpP3TSkp7yQ@mail.gmail.com> <C276A52C-DCBA-4920-95E1-FAF2D3881D0B@apple.com> <MN2PR11MB476044BA6BD5D47C8088D434D80A0@MN2PR11MB4760.namprd11.prod.outlook.com> <F0B35F84-E3F8-44B2-9A06-FDF2C725229E@apple.com> <cfbaf15f-d3f7-99e6-b609-d07dafbb84f5@huitema.net>
In-Reply-To: <cfbaf15f-d3f7-99e6-b609-d07dafbb84f5@huitema.net>
From: "Chris Box (BT)" <chris.box.ietf@gmail.com>
Date: Wed, 7 Oct 2020 18:04:46 +0100
Message-ID: <CACJ6M17iU0mRfRT6VNWyHo+FWqp7uST7DittfDZG0RuKq1==ow@mail.gmail.com>
To: "Vinny Parla (vparla)" <vparla=40cisco.com@dmarc.ietf.org>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002aa26105b117b79c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/5xOzN99c9qdXRW145RCgm4rm-60>
Subject: Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2020 17:05:03 -0000

Vinny,

Christian makes a number of good points. I will just add that your original
question assumes that the client wishes to send most or all of its DNS
queries directly to the content provider it is talking to. The ADD working
group is founded on the concept of needing to discover recursive resolvers,
and very often these are not the same endpoints that the web content is
served from. This implies that reuse of an existing HTTP/3 connection that
was established for retrieving web content, will not be the end goal for
DNS queries. Sometimes it'll happen, yes, but certainly not all the time.
It is far more likely that DNS will continue to be an independent layer,
served by its own set of servers that has only *some* overlap with the set
that serves web content.

Chris



On Wed, 7 Oct 2020 at 17:25, Christian Huitema <huitema@huitema.net> wrote:

> There is indeed some extra per request overhead for Doh over HTTP3 versus
> Dns over QUIC, but I don't think that is the deciding factor. I think that
> the two other decision factors are for the client the privacy risks linked
> to cookies and other forms of HTTP tracking, and for the server the
> additional attack surface caused by adding an HTTP server stack to the DNS
> service. These factors may play out differently in the stub to recursive
> scenario and in the recursive to authoritative scenario.
>
> In HTTP-3, each DNS request would be carried by as a POST command, which
> requires a Header Frame to carry the HTTP header parameters and a Data
> Frame that carries the actual data. Each reply also requires a Header Frame
> and a Data Frame. In the fairly minimal implementation of HTTP-3 in
> Picoquic, the HTTP header carries the name of the Request URL, the name of
> the Http Server, and the content type. The Data Frame header carries the
> content length. The typical overhead for a request would be 16 to 32 bytes,
> depending on the length of server name and URL; the overhead per response
> will be 21 bytes. A full implementation of HTTP-3 would use header
> compression to reduce the size of the query overhead, but might use an
> additional set of HTTP header elements, including cookies, so the Header
> Frames might be larger in both directions, with a range of header size from
> a few dozen to a few hundred bytes.
>
> Running over HTTP brings to the DNS the privacy issues of HTTP. Cookies
> and other headers are used to manage content and caches, but also identify
> the users and enable a variety of surveillance scenarios. If a DoH query is
> multiplexed inside a regular HTTP session, the query will be associated
> with all the user information gathered in the session, which creates an
> important privacy exposure. This is definitely a greater exposure than a
> regular DNS query, in which the main identifying information is an IP
> address.
>
> On the server side, running over HTTP implies running on top of an HTTP
> server engine. This brings in a lot of code, some of it complex. It might
> be well tested and well maintained code, typically much better tested and
> maintained than if a server operator attempted to develop a specialized
> implementation of HTTP, but this is still a very large additional attack
> surface. Moreover, the HTTP code only remains "well maintained" if the
> operators regularly apply updates, which adds an operational constraint.
>
> I think that the exposure and overhead issues imply that solutions like
> DoT or DoQ should be preferred to DoH in recursive to authoritative
> scenarios. They should also be preferred when the stub resolver is part of
> the operating system, because operating system resolvers would normally not
> mix their queries with existing HTTP sessions, and thus don't get any
> advantage from "integrating to the web" -- unless of course firewall
> traversal is a big issue.
>
> -- Christian Huitema
>
>
> On 10/7/2020 8:31 AM, Tommy Pauly wrote:
>
> DoH is designed to be multiplexed with other HTTP requests. This is
> already possible with HTTP/2, and HTTP/3 carries on that ability. In order
> to take advantage of multiplexing, even with QUIC, you need some
> application-layer awareness of the content of the streams, which is why
> this is more practical with DoH than DoQ.
>
> I’m not sure how prevalent the multiplexing is today. For example, in our
> system implementation on iOS/macOS, DoH connections are made by the system
> DNS daemon and thus are not easy to multiplex with requests. However,
> that’s just one model, and there are certainly cases where the application
> would know it could multiplex a priori (and thus do DoH in the
> application), or could recognize that DNS results point to the same address
> as the DoH server, and start multiplexing after the fact.
>
> Thanks,
> Tommy
>
> On Oct 7, 2020, at 7:39 AM, Vinny Parla (vparla) <
> vparla=40cisco.com@dmarc.ietf.org> wrote:
>
> Hi,
>
> What I am driving at in my original question is do we envision mixing
> Content and DNS together in a multiplexed session or will DNS continue to
> be an entirely independent channel (whether over HTTP/2 /3 Do53 DoQ DoH).
>
> -Vinny
>
> *From:* Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
> *Sent:* Wednesday, October 7, 2020 9:23 AM
> *To:* James <james.ietf@gmail.com>
> *Cc:* Vinny Parla (vparla) <vparla@cisco.com>om>; dns-privacy@ietf.org
> *Subject:* Re: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision...
>
> Can you cite this claim about DNS over HTTP/3? The per-query cost once an
> HTTP/3 connection is established should be minimal. If you’re taking into
> account all setup overhead for an HTTPS connection as a “per query” cost,
> that’s not representative of how DoH is reasonably used (and would be a
> issue with existing DoH).
>
> Thanks,
> Tommy
>
>
> On Oct 6, 2020, at 2:03 PM, James <james.ietf@gmail.com> wrote:
>
> My most recent observations of discussions around DNS over QUIC and HTTP/3
> was that some folks had attempted DNS over HTTP/3, however the overheads
> (~14KiB for a query at worst-case) made it impractical and infeasible. With
> regards to DNS over QUIC, the current dprive working group adopted draft
> [1] is focusing on stub to recursive, but not necessarily as a multiplex
> with an existing QUIC connection.
>
> - J
>
> 1: https://tools.ietf.org/html/draft-ietf-dprive-dnsoquic-00
>
> On Mon, 5 Oct 2020 at 17:31, Vinny Parla (vparla) <vparla=
> 40cisco.com@dmarc.ietf.org> wrote:
>
> Hi,
>
> It was suggested that I ask this question on the 3 lists:
>
> Now that QUIC & HTTP/3 is imminent…
>
> I would like to know what the opinion is of the community on the long term
> view of DNS.
> Would DNS remain an independent channel or would it be subsumed in a
> multiplexed stream via HTTP/3 in some future version?
>
> For example, would a browser perform DNS queries over a QUIC multiplexed
> session?
>  (e.g. similar to how today an http proxy can perform DNS queries on
> behalf of the client using that proxy)
>
> Would love to hear from implementors what their long term view is of this
> in particular.
>
> Thanks,
>
> -Vinny
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>
>
>
> _______________________________________________
> dns-privacy mailing listdns-privacy@ietf.orghttps://www.ietf.org/mailman/listinfo/dns-privacy
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>