Re: [Doh] Mozilla's plans re: DoH

Eric Rescorla <ekr@rtfm.com> Wed, 27 March 2019 09:25 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40A45120526 for <doh@ietfa.amsl.com>; Wed, 27 Mar 2019 02:25:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.101
X-Spam-Level:
X-Spam-Status: No, score=-1.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_BOUND_DIGITS_15=0.798, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZlsFTh3YiS8G for <doh@ietfa.amsl.com>; Wed, 27 Mar 2019 02:25:09 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 040BB1202BA for <doh@ietf.org>; Wed, 27 Mar 2019 02:25:09 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id h16so9232044ljg.11 for <doh@ietf.org>; Wed, 27 Mar 2019 02:25:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=k8O/UWkZKJKTRc6Gy0CLT9OxbR7k2OaG/J7eN89goLc=; b=J16n1aXS3w21Juy/o0gOZSwnmxg46/FAx9Au+RkOIlo7Bye8ru8GzCUo/6ydD8y8U3 +alpdVLidGW5cNm+rf1FmSsIFoCr4aXMEhQtBE+7x7PjEC8AI6jEVjvSQ81gTpy+bRqw sbzx0WZMJrN+CcRQSI9Iin9gu2ZJoDguUq9C0gpmOSXzzJyrRICfQyRFYS77G3EBgPaN HxlmU0xCtSZ/GF2/fBay4oyAxEqL5RONnEAcAFy6rJ/U9Nx1Qk6sD8R4/3gWSlry3Dv9 1+WG0ZnTyg4LS1iepOXuBuz61VzTKacaPE11/eha99XyC8MykGU2a3fmUbdEjwpwxyMv zk5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=k8O/UWkZKJKTRc6Gy0CLT9OxbR7k2OaG/J7eN89goLc=; b=qIQBblcJWkRrm+xB4rBJjaGCpdbVaGwFVfZ1r/m9cGpxDlSeP0zdW82L0d+b8TJlL6 iLuIE23WdZS2uicfIBMdGSjGPqsx955K15j4eGk1v4govS9E02ZrcTLWuB9gjaVFxeHF yOVMXP9daaNYx8urA1cNVkrdB0YIyvzjjLJEmDMkDVIOLtQ8hksfcdIAD/BWXdCx72tv W2/xE7asgANEwX7EvZGWVM3gwDPSd1syU4xucvmNU9y+ZQn0rMt3QH7xt8giwlTqkAOB xoIwFxHcGtm/dYkFiTdBO143fVSuV0tF9TduNS5thxgHMpZxHYHBNhl6JQ5j9dKhHNbJ 6VKQ==
X-Gm-Message-State: APjAAAUhft0d++9LocBZQC5Z79Wo9pqOSsdBfY/dp0YTs8R2TL7/7S41 7b4aj+dSXdr6nLk/2PFQd9ZdXH/YwtNy/T8b7t+/ARkLo48=
X-Google-Smtp-Source: APXvYqx6KejG0SjwKXzYaClQxySGz/2NG2fvIriigPcnXhMLIoTs71gAAx88Pi9bWu8ObdwLuz0nQg+/7Si9X8V8kJo=
X-Received: by 2002:a2e:81da:: with SMTP id s26mr7329042ljg.86.1553678706562; Wed, 27 Mar 2019 02:25:06 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBOk5bM+3G2Jd3Lu33Z08gc=AeoZ8UFHzN6AYk4f_hjZ8Q@mail.gmail.com>
In-Reply-To: <CABcZeBOk5bM+3G2Jd3Lu33Z08gc=AeoZ8UFHzN6AYk4f_hjZ8Q@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 27 Mar 2019 02:24:28 -0700
Message-ID: <CABcZeBPUh6x=D+GfKg11+4bRouZdm1LcZvLm1jd4UUEJA832BQ@mail.gmail.com>
To: DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006668770585100371"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/HdCYfhOwTEvpicW8vgCfCi6pTKk>
Subject: Re: [Doh] Mozilla's plans re: DoH
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 09:25:20 -0000

Now with the numbered lists correctly formatted:

I’ve heard a number of questions about Mozilla’s plans around
DoH. We’ve made a number of public statements, but it might be useful
to try to put this all in one place.

In context, the problem we are attempting to solve here is attack on
the user’s name resolution from an attacker with full or partial
control of the network, as contemplated by Section 3 of BCP 72 as well
as BCP 188. There’s ample evidence of monitoring/manipulation of user
traffic via this vector [0][1][2]. Importantly, this includes cases
where the entity which owns the network infrastructure monitors and/or
modifies DNS requests and responses without the user’s consent.


With that problem statement, here are our plans:

We have implemented DNS over HTTPS [RFC8484] and would like to
deploy it by default for our users. We intend to select a set of
Trusted Recursive Resolvers (TRRs) that we will use for DoH
resolution. TRRs will be required to conform to a specific set of
policies intended to protect user privacy. We’re still refining the
final policy but we expect it to roughly match the one that Cloudflare
has already agreed to use
(https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/).While
we expect the initial set of TRRs to be small, we’re interested in
adding new providers who are able to comply with these policies.
The precise details of the user interface are TBD, but we expect
something like the following:

    1. Copies of Firefox will be configured with a set of TRRs. Different
    regions may have different TRR sets or different defaults. In addition
    we may have DoH/TRR on by default in some regions and not others,
    especially initially.

    2. The user will be informed that we have enabled use of a TRR and
    have the opportunity to turn it off at that time, but will not be
    required to opt-in to get DoH with a TRR.

    3. Any given client will automatically select a resolver out of that
    set and use that for all resolutions [with the two exceptions noted
    below.]

    4. At any time, the user will have the option to select a
    different resolver out of the list, specify their own resolver, or
    disable DoH entirely.

We have heard a number of concerns about the ability of the network to
control the client’s resolver behavior. As noted above, just allowing
the network to dictate the DoH resolver would obviate the security
objective listed above. However, there are two more restricted cases
in which we do think some network control of the resolver is
reasonable.

In cases where the network has a preferred resolver that is on our
approved list we might want a mechanism like
draft-ietf-doh-resolver-associated-doh to guide resolver
selection. We’re watching that document’s progression carefully.

    1. In cases where the network also controls the client (e.g., they are
    able to remotely manage it via MDM), then they should be able to
    select the resolver themselves, disable DoH, etc.

    2. We realize that in the short run, the need for resolvers to be on
    our list creates some challenges for resolver operators.  We would be
    open to discussing how to adapt our security constraints to suit the
    needs of multiple applications, so that as more systems deploy
    DoH/TRR, they can share a list of resolvers vetted to a common
    standard.

There are still a few open issues that we have to sort out, but if
some of the above isn’t clear, I’m happy to try to explain. One thing
I am not able to provide is a detailed timeline. We are still
performing measurements [3] to determine whether users will experience
problems with DoH/TRR enabled, as well as figuring out precisely how
we intend to deal with split horizon DNS, and will need to address
these issues prior to shipping.

-Ekr

[0]
https://cdt.org/blog/dns-strengthening-the-weakest-link-in-internet-privacy/
[1]
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-pearce.pdf
[2] Many networks redirect NXDOMAIN to a search/advertising page.
[3] For some of our previous experiments, see:
https://blog.mozilla.org/futurereleases/2018/09/13/dns-over-https-doh-testing-on-beta/
https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-secure-dns-experimental-results/








On Wed, Mar 27, 2019 at 2:16 AM Eric Rescorla <ekr@rtfm.com>; wrote:

> I’ve heard a number of questions about Mozilla’s plans around
> DoH. We’ve made a number of public statements, but it might be useful
> to try to put this all in one place.
>
> In context, the problem we are attempting to solve here is attack on
> the user’s name resolution from an attacker with full or partial
> control of the network, as contemplated by Section 3 of BCP 72 as well
> as BCP 188. There’s ample evidence of monitoring/manipulation of user
> traffic via this vector [0][1][2]. Importantly, this includes cases
> where the entity which owns the network infrastructure monitors and/or
> modifies DNS requests and responses without the user’s consent.
>
>
> With that problem statement, here are our plans:
>
>     1. We have implemented DNS over HTTPS [RFC8484] and would like to
>     deploy it by default for our users. We intend to select a set of
>     Trusted Recursive Resolvers (TRRs) that we will use for DoH
>     resolution. TRRs will be required to conform to a specific set of
>     policies intended to protect user privacy. We’re still refining the
>     final policy but we expect it to roughly match the one that Cloudflare
>     has already agreed to use
>     (
> https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/).While
>     we expect the initial set of TRRs to be small, we’re interested in
>     adding new providers who are able to comply with these policies.
>
>     2. The precise details of the user interface are TBD, but we expect
>     something like the following:
>
>     3. Copies of Firefox will be configured with a set of TRRs. Different
>     regions may have different TRR sets or different defaults. In addition
>     we may have DoH/TRR on by default in some regions and not others,
>     especially initially.
>
>     4. The user will be informed that we have enabled use of a TRR and
>     have the opportunity to turn it off at that time, but will not be
>     required to opt-in to get DoH with a TRR.
>
>     5. Any given client will automatically select a resolver out of that
>     set and use that for all resolutions [with the two exceptions noted
>     below.]  At any time, the user will have the option to select a
>     different resolver out of the list, specify their own resolver, or
>     disable DoH entirely.
>
> We have heard a number of concerns about the ability of the network to
> control the client’s resolver behavior. As noted above, just allowing
> the network to dictate the DoH resolver would obviate the security
> objective listed above. However, there are two more restricted cases
> in which we do think some network control of the resolver is
> reasonable.
>
> In cases where the network has a preferred resolver that is on our
> approved list we might want a mechanism like
> draft-ietf-doh-resolver-associated-doh to guide resolver
> selection. We’re watching that document’s progression carefully.
>
>     1. In cases where the network also controls the client (e.g., they are
>     able to remotely manage it via MDM), then they should be able to
>     select the resolver themselves, disable DoH, etc.
>
>     2. We realize that in the short run, the need for resolvers to be on
>     our list creates some challenges for resolver operators.  We would be
>     open to discussing how to adapt our security constraints to suit the
>     needs of multiple applications, so that as more systems deploy
>     DoH/TRR, they can share a list of resolvers vetted to a common
>     standard.
>
> There are still a few open issues that we have to sort out, but if
> some of the above isn’t clear, I’m happy to try to explain. One thing
> I am not able to provide is a detailed timeline. We are still
> performing measurements [3] to determine whether users will experience
> problems with DoH/TRR enabled, as well as figuring out precisely how
> we intend to deal with split horizon DNS, and will need to address
> these issues prior to shipping.
>
> -Ekr
>
> [0]
> https://cdt.org/blog/dns-strengthening-the-weakest-link-in-internet-privacy/
> [1]
> https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-pearce.pdf
> [2] Many networks redirect NXDOMAIN to a search/advertising page.
> [3] For some of our previous experiments, see:
>
> https://blog.mozilla.org/futurereleases/2018/09/13/dns-over-https-doh-testing-on-beta/
>
> https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-secure-dns-experimental-results/
>
>
>
>
>
>