[DNSOP] DNS Privacy Use Cases, Requirements and Constraints.

Phillip Hallam-Baker <hallam@gmail.com> Sat, 08 March 2014 18:06 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 5904F1A02D9 for <dnsop@ietfa.amsl.com>; Sat, 8 Mar 2014 10:06:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 1j-j4iLsO2qj for <dnsop@ietfa.amsl.com>; Sat, 8 Mar 2014 10:06:46 -0800 (PST)
Received: from mail-lb0-x234.google.com (mail-lb0-x234.google.com [IPv6:2a00:1450:4010:c04::234]) by ietfa.amsl.com (Postfix) with ESMTP id EA2361A02DE for <dnsop@ietf.org>; Sat, 8 Mar 2014 10:06:44 -0800 (PST)
Received: by mail-lb0-f180.google.com with SMTP id 10so3683636lbg.11 for <dnsop@ietf.org>; Sat, 08 Mar 2014 10:06:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=iTV692g55Nq9fJ4/4qHI3xKfpRtIf8V1re3UQN2PLhg=; b=QGTZieYyOB0PO0NTg6Iv/Cw3P7Eza3xFPZ1fDGHejl8rMJ0aq/gN3sFWyI2obHTlXn sLu2XRxS6IjPtOh8w2Uu4YjsMbq3TOM4Yg1tQD1BV3GNxcBB/LTL6m6upAo5dja77wVs bNB1JBC1jbGqdMlvaKEqnCMBXTvm8SPXH58jGOlArzO6E7V9sQIqp2YiLRN7Bw+ZOcM8 FEUUMFir2u5yOskGimow1IKlwyTtHKl18Xo72BPeLUYr/kyFeTMHC6GNRz61LsDg3SYn CgTbrLp6jbAdDTUGMBgFUlu1c7dPFvlNAbI5KlJ7PCEP1pPeE96R7MSTWRK9HC6+ByMR XXEg==
MIME-Version: 1.0
X-Received: by with SMTP id o6mr16425249laj.7.1394301999392; Sat, 08 Mar 2014 10:06:39 -0800 (PST)
Received: by with HTTP; Sat, 8 Mar 2014 10:06:39 -0800 (PST)
Date: Sat, 8 Mar 2014 13:06:39 -0500
Message-ID: <CAMm+Lwjd0zQsCc3ZSjZp-aJSBL-9uz7ngur97w5jTAbUCyCoWg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary=089e0160b618622ab404f41c3be4
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/GdQHZ5BBqk6-5KfrBl0m7aEZjPI
Subject: [DNSOP] DNS Privacy Use Cases, Requirements and Constraints.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Mar 2014 18:06:50 -0000

I think we need some use cases to ground discussion. These are the use
cases I have been considering:

A) Alice, surfing the Web from her own machine at home does not want her
Web browsing history to be revealed to other parties.

A1) Note here that Alice might also use the same machine to access her
employer's Intranet under a BYOD program.

B) Bob, accessing the Internet from a machine provided by his employer. His
employer does not want the existence of machines within the corporate
enterprise under a 'split DNS' configuration to be revealed to other

B1) Note here that Bob might also use the same machine for personal use and
not want his employer to know that he is using it to surf the Web.
Depending on the circumstances, this may or may not be acceptable. If the
machine is in the control system of a nuclear power station then his
employer may reasonably wish to prevent him using it to view 'bigboobies.com'.
The issue here then is notice. A 'captive configuration' may be acceptable
but not if it is imposed covertly.

C) Carol's Coffee pot, an embedded device accesses the Internet to download
current prices and order supplies.

The point of this use case is that the coffee pot does not have an
affordance for a user interface suitable for configuring trust interfaces.
Ergo the device is going to be operating under control of a DNSSEC trust
policy that is specified externally, whether this is in the form of a
static policy description file downloaded into the device periodically or
imposed externally at the resolver.

Within these use cases we have a number of trusted actors and different
privacy concerns with respect to each. Note here that 'trusted' does not
mean 'trustworthy'.


Any resolver can observe and correlate DNS request traffic, in particular
tracking users by the IP addresses that they present. While countermeasures
may reduce the extent to which this is possible, eliminating this is very

1) Promiscuous Resolver

If we are to improve DNS security at all, the lowest handing fruit is to
kill the crazy idea of taking DNS service from the nearest server.
Regardless of whether DNSSEC is fully deployed and every domain is signed
or not, this is a shoot-yourself-in-the-foot configuration.

A resolver can always mount a denial of service attack on the client and
the best a client can do is to determine that either it is under attack or
someone has blundered in their DNSSEC configuration.

This configuration, though the default case today does not satisfy any of
the use cases and is therefore strongly deprecated.

1a) Captive resolver

Even more annoying is the resolver that substitutes itself for the
preferred resolver chosen by the user. This is commonly used in WiFi
portals to establish network connections. Although the specific solution to
this use case is out of scope, any DNS privacy implementation is going to
have to cope with the imposition of captivv resolvers as a constraint.

2) Selected Resolver

An improvement on the selected resolver is the case that the resolver
service is chosen by the user or administrator of the machine.

In the case that a zone does not deploy DNSSEC (currently the vast
majority) such a resolver is trusted not to perform an integrity attack.

In the case that a zone has DNSSEC deployed, deployment may follow either
of the patterns established in XKMS and later SCVP. Such a resolver will
always perform path discovery (i.e. resolution) and validate the path
discovered. But the client may or may not re-validate the discovered path
to verify that it chains to a root of trust.

There are security arguments to be made for both deployments in different
use cases. For example, the Coffee pot (use case C) is probably better
served by a validating resolver controlled by Carol rather than performing
complex path validation in the embedded device.

2a) Selected Resolver (Discovery)

A discovery only resolver is less trusted than a validating resolver.

2b) Selected Resolver (Validating)

Since a validating resolver is absolutely trusted by the client, such a
resolver is only acceptable when it is trustworthy. This would typically
mean that the resolver is operated by the relying party directly. For
example a resolver operated by an enterprise for the enterprise network. In
the home, a validating resolver might be operated by the homeowner as part
of their 'home automation' infrastructure.

3) Authoritative server

The Authoritative server is the ultimate source of a DNS assertion. When
considering the privacy implications of such services, there are two
important subclasses:

3a) Public aggregated service

Many DNS commercial providers support a large number of domains, from
thousands to hundreds of millions.

3b) Corporate service

Other DNS servers support only one enterprise with a small number of
related domains.

Privacy of authoritative service queries and responses.

One of the main challenges in designing an efficient mechanism to protect
privacy of queries made to authoritative servers is that the number of
servers is very large and it is arguably impractical for a resolver to
establish a security session with every server it contacts.

This objection may be moot however if traffic analysis attacks are
considered. Traffic analysis reveals very little about the requestor
contacting a public aggregated service because there is a large forrest of
queries amongst which privacy sensitive queries can hide. But queries
directed to a corporate service reveal much more. At the limit, traffic
analysis of a query directed to a service that only supports one domain
discloses as much as content disclosure.

If we limit the requirement to encrypt queries to public aggregated
servers, the key management problem becomes quite tractable. While there
are millions of authoritative servers, the number of large scale public
servers is in the hundreds or thousands.


1) Latency

Browser vendors are adamant that they will not accept any increase in DNS
response latency

2) Denial of Service

Performing public key operations imposes a significant processing load on a
server. An attacker could easily perform a DoS attack on a resolver or
server by directing a stream of requests to initiate a key exchange.

3) Captive portal

A client must be capable of functioning when behind a captive portal even
if the DNS service imposed by the captive portal is only used to establish
a network connection and will be ignored subsequently.

Website: http://hallambaker.com/