IETF Logo Mail Archive

Re: [perpass] DNS confidentiality

"Christian Huitema" <huitema@huitema.net> Wed, 13 November 2013 07:32 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3124B11E8117 for <perpass@ietfa.amsl.com>; Tue, 12 Nov 2013 23:32:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.844
X-Spam-Level:
X-Spam-Status: No, score=-2.844 tagged_above=-999 required=5 tests=[AWL=-0.245, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FZFTbuDEie-n for <perpass@ietfa.amsl.com>; Tue, 12 Nov 2013 23:32:10 -0800 (PST)
Received: from xsmtp03.mail2web.com (xsmtp23.mail2web.com [168.144.250.186]) by ietfa.amsl.com (Postfix) with ESMTP id C0C4A11E8118 for <perpass@ietf.org>; Tue, 12 Nov 2013 23:32:01 -0800 (PST)
Received: from [10.5.2.13] (helo=xmail03.myhosting.com) by xsmtp03.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1VgUt1-00057M-Tn for perpass@ietf.org; Wed, 13 Nov 2013 02:31:58 -0500
Received: (qmail 2911 invoked from network); 13 Nov 2013 07:29:14 -0000
Received: from unknown (HELO HUITEMA5) (Authenticated-user:_huitema@huitema.net@[24.16.156.113]) (envelope-sender <huitema@huitema.net>) by xmail03.myhosting.com (qmail-ldap-1.03) with ESMTPA for <mellon@fugue.com>; 13 Nov 2013 07:29:14 -0000
From: Christian Huitema <huitema@huitema.net>
To: 'Yoav Nir' <ynir@checkpoint.com>, 'Ted Lemon' <mellon@fugue.com>
References: <20131111121027.GA31723@sources.org> <CEA6999F.25B2C%gwiley@verisign.com> <CA+9kkMDTYZ8tKnGigojWQDuDM3K0uPyoW2fesH1ueAFbTZMBrQ@mail.gmail.com> <CABkgnnVuX3bV1XMKsY1g6GOkZmhfxo=Zt9iUryt0wt+9K8tFkA@mail.gmail.com> <5282D6A3.5060205@cs.tcd.ie> <4AE06389-A46C-4F14-849E-62DC9FA7F128@fugue.com> <335D1A6F-A44C-444A-9379-7D03D873F543@checkpoint.com>
In-Reply-To: <335D1A6F-A44C-444A-9379-7D03D873F543@checkpoint.com>
Date: Tue, 12 Nov 2013 23:29:12 -0800
Message-ID: <01b501cee042$0dd836a0$2988a3e0$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQHMMPQ/jT06VJ5UBicR1g/ghkW8WAJTDAK3Ah78sc0CYGISVALD7f2NAXR3BWsCDCTjUpm/ZUhQ
Content-Language: en-us
Cc: 'perpass' <perpass@ietf.org>
Subject: Re: [perpass] DNS confidentiality
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2013 07:32:40 -0000

> I'm one of those that made that argument. I do think we should fix this in
TLS, but realistically, browsers are going to continue sending SNI in the 
> clear for at least another 10 years. Yes, we should fix this now, because
whenever we start, that's when the 10-year countdown begins. The same is >
true for any modification to DNS, except the timeframe is likely to be even
longer.

Even if TLS is not fixed, there is still value in improving DNS privacy.
Stephane makes the point in his draft:

   What also makes the DNS traffic different is that it may take a
   different path than the communication between the initiator and the
   recipient.  For instance, an eavesdropper may be unable to tap the
   wire between the initiator and the recipient but may have access to
   the wire going to the resolver, or to the authoritative name servers.

Suppose that a host sends a query for
"_bittorrent-tracker._tcp.domain.example.com." If it does not have a cached
copy of the NS record for "example.com," the query will go the ".com"
server. Because the query carries the entire QNAME, anyone who eavesdrop on
the TLD server would learn that the host is attempting to contact a bit
torrent server at "domain.example.com." They would learn that even if they
are not able to eavesdrop on the direct path between the host and
"domain.example.com."

Now suppose that instead of sending a query with the full QNAME, the host
just sends to the ".com" server a query for the NS record of "example.com."
Once it receives the response, the host can send the full query directly to
"ns.example.com." Clearly, that too can be eavesdropped, but only if the
eavesdropper has a tap on the direct path between the client and the bit
torrent server. And if it has such a tap, it will find anyhow that there is
TCP-IP traffic between the host and the bittorrent server at
"domain.example.com," which means that parsing the DNS query would not
provide extra information.

So we have here a simple way to prevent leakage of information. It can
actually be implemented unilaterally by resolvers, and does not require a
change in the DNS protocol. It does require that the resolver somehow learn
the "zone cuts," but that is not impossible to learn.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email