[dns-privacy] Paul Wouters' Discuss on draft-ietf-dprive-unilateral-probing-12: (with DISCUSS and COMMENT)
Paul Wouters via Datatracker <noreply@ietf.org> Tue, 19 September 2023 02:58 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: dns-privacy@ietf.org
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 90F0FC14CE22; Mon, 18 Sep 2023 19:58:44 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Paul Wouters via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dprive-unilateral-probing@ietf.org, dprive-chairs@ietf.org, dns-privacy@ietf.org, brian@innovationslab.net, tjw.ietf@gmail.com, brian@innovationslab.net
X-Test-IDTracker: no
X-IETF-IDTracker: 11.11.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Paul Wouters <paul.wouters@aiven.io>
Message-ID: <169509232457.44560.14598703024351975328@ietfa.amsl.com>
Date: Mon, 18 Sep 2023 19:58:44 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/P_PUzf06Jh1Wa4RLd_LhU2tzHD8>
Subject: [dns-privacy] Paul Wouters' Discuss on draft-ietf-dprive-unilateral-probing-12: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2023 02:58:44 -0000
Paul Wouters has entered the following ballot position for draft-ietf-dprive-unilateral-probing-12: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dprive-unilateral-probing/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- # SEC AD comments for draft-ietf-dprive-unilateral-probing-12 CC @paulwouters * comment syntax: - https://github.com/mnot/ietf-comments/blob/main/format.md * "Handling Ballot Positions": - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/ ## DISCUSS ### Leaking probes either or both of DoT and DoQ concurrently. The recursive resolver remembers what opportunistic encrypted transport protocols have worked recently based on a (clientIP, serverIP, protocol) tuple. This makes little sense to me. If the passive attackers sees the outgoing port 53 cleartext query, it doesn't even matter if DoT or DoQ is then established in parallel. The privacy is already lost. I strongly believe that DoT/DoQ should be tried first without unencrypted DNS, and only when that doesn't work in a very short time (eg 3s? 5s?) send out the unencrypted query. ### DNS cache handling It does say anything about what it expects should happen with the cached DNS data through a restart. Note that dropping the cache and restarting, especially on mobile devices, will lead to easy fingerprinting for passive attackets in recognising users when their browser tabs reload (eg if queries to apollo.ns.cloudflare and katelyn.ns.cloudflare.com. happen, even when encrypted, it could be a sign of the mobile device trying to reach the ACLU. If that same IP is trying to reach ken.ns.cloudflare.com. or jill.ns.cloudflare.com, it could be that ietf.org is being looked up. The two of these combined would most likely mean the device on or behind this IP address is dkg) While I understand that DNS cache handling over restarts is kind of out of scope for this document, if this document is being read as "how to run a DNS resolver with maximum privacy on your mobile device" then without this advise, the whole unilateral probing gives us nothing. (note: in Fedora I had this exact issue, where some people insisted on purging DNS cache on interface change, and I insisted on keeping DNS cache, so the NetworkManager got an option to tweak this behaviour). DNS cache handling for DNS resolvers on non-mobile devices, eg those on static IPs shared by many independent clients, might not need to consider this. ### Section 4.6.2 Pseudocode Either I don't understand the pseudo code, or it is wrong: Otherwise: * Remove Q from Do53-queries[X] If R is successful: * If Q is in Do53-queries[X]: [...] Since Q was just removed from Do53-queries, isn't this condition now always false ? Also, what is "R is successful" ? because that seems to happen before "R is further processed". Wouldn't processing be needed to determine if R is successful? But if R is unsuccessful (e.g. timeout or connection closed): But the whole state starts with: "When a response R for query Q arrives" ??? ### Section 4 / Section 7 : Security advise Should it not clearly state the resolver MUST enable query minimalization? Otherwise, sending queries to the root would leak all privacy even if the TLD supports DoT/DoQ. Or the same one level lower if the TLD doesn't support this yet. Possibly it should RECOMMEND (or even REQUIRE) using RFC 8806 to prevent leaking root queries. (I noticed later this was mentioned in the Security Considerations, but I think it would be good to promote those into Section 4 as SHOULDs) ### Zone owner recommendations ? Should zone owners get a recommendation for using out-domain nameservers to reduce leaking at the root and TLD? Eg if nohats.ca uses ns1.example.com and ns1.example.com supports DoT/DoQ, but the root and .com do not, then queries for nohats.ca are not leaked to the root or .com. While when using in-domain nameservers, the target domain is leaked. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- ## Comments ### Section 3: An authoritative server implementing DoT or DoQ MUST authoritatively serve the same zones over all supported transports. If both DoT and DoQ are offered, a nameserver's reply to a particular query MUST be the same on both transports (with the possible exception of how the TC bit is set) I think there might be more differences, eg EDNS0 options related to packet sizes. I think what is meant to be said is: An authoritative server implementing DoT or DoQ MUST populate the repsonse from the same authoritative zone data and the unencryped DNS transports. As encrypted transports have their own characteristic response size that might be different from the unencrypted DNS transports, response sizes and response size related options (eg EDNS0) and flags (eg TC bit) might vary based on the transport. ### Section 3.1 As Éric Vyncke also commented, a third option could be to ensure that the load balancer knows/probes which ports/services are available on the servers being load-balanced, and only sends queries for those ports to the authoritative servers responding to that same port. ### Section 3.2 The simplest deployment would simply provide a self-issued, regularly-updated X.509 certificate. Why does it need to be regularly-updated? The even more simplest solution would simply generate a certificate once only and use that forever. Although perhaps it should be made abundantly clear that any DoT or DoQ TLS ciphersuite MUST be one with Ephemeral DH. (so passive attackers cannot be given a list of known certs private keys for instant decryption) ### Section 4.2 ICMP port closed message should be "ICMP port destination unreachable" ? ### Section 4.3 A damping value of 1 day seems very long. What discussion lead to this value instead of say, 1 hour ? Is a factor 24 that important? ### Section 4.4: MTI To follow this guidance, a recursive resolver MUST implement at least one of either DoT or DoQ in its capacity as a client of authoritative nameservers. A recursive resolver SHOULD implement the client side of DoT. A recursive resolver SHOULD implement the client side of DoQ. That's a pretty odd way of saying: To follow this guidance, a recursive resolver MUST implement at least one of DoT or DoQ but SHOULD implement both, in its capacity as a client of authoritative nameservers. (I think the "in its capacity as [...]" can also safely be removed. ### Section 4.4: localhost SHOULD also accept queries from its clients over some encrypted transport. Maybe add: unless it only accept queries from localhost ### Section 4.6.1 As stated in my DISCUSS, I still think a 3-5 second delay for unencrypted DNS packets is required, or the gain of unilateral probing becomes next to nothing (at least unless the entire world uses cloudflare as auth servers) ### Section 4.6.3: If the recursive resolver has a preferred encrypted transport, but only a different transport is in the established state, it MAY also initiate a new connection to X over its preferred transport while concurrently sending the query over the established transport E. I am confused by "preferred encrypted transport" and "established transport". Is this trying to talk about only encrypted transports and less and more preferred ones? Or does this include unencrypted transports? If the latter is included, 1) see my above comments on delays on do53, and 2) a UDP 53 transport is not "established", only TCP 53 is. In which case, "but what about UDP then" ? ### Section 6.1: Would it make sense to recommend an SNI using the IP address in presentation format as the SNI host_name? eg I assume that would be the same as the SNI for a request to https://192.0.2.1/ ? I'm not sure if it is well supported these days to omit an SNI in TLS libraries or not. ### Section 7 See my DISCUSS on leaking do53 and localroot / query minimalization It does list the leaking happy eyeballs. I still believe as mentioned earlier, that at least a brief attempt should be made to avoid leaking over port 53 immediately for every new nameserver contacted. Ahh, I see now that local root and query minimalization are mentioned. I think these deserve to be more than just Security Considerations, and be part of the rough specification of unilateral probing as this document defines. ### ection 8 and the system would need to be able to differentiate queries for recursive answers from queries for authoritative answers. Isn't that just core DNS functionality (eg the Recursion Desired (RD) flag and the query ID) ? I don't think this is an operational consideration for unilateral probing. ### NITS: awkward sentence: The simplest deployment would simply [...] with two A records -> with two address records This document uses the notation E-foo to refer to the foo parameter for the encrypted transport E. For example DoT-persistence [...] This took me a few reads before I understood this. I recommend: This document uses the notation <transport>-foo to refer to the foo parameter for the encrypted transport <transport>. For example DoT-persistence [...]
- [dns-privacy] Paul Wouters' Discuss on draft-ietf… Paul Wouters via Datatracker
- Re: [dns-privacy] Paul Wouters' Discuss on draft-… Rob Wilton (rwilton)
- Re: [dns-privacy] Paul Wouters' Discuss on draft-… Paul Wouters
- Re: [dns-privacy] [Ext] Paul Wouters' Discuss on … Paul Hoffman