1 of 22

DNS over HTTPS & DNS over TLS

Barry Leiba / Suzanne Woolf | ICANN67 | March 2020

| 1


Agenda

  • Overview of SAC1XX: Implications of DoH & DoT
  • Comparisons of the Technologies
  • Perspectives on DoH & DoT
  • Implications to the Namespace
  • Q & A


Security and Stability Advisory Committee (SSAC)

Who We Are
  • 34 Members
  • Appointed by the ICANN Board

What We Do
  • Role: Advise the ICANN community and Board on matters relating to the security and integrity of the Internet’s naming and address allocation systems.

What is Our Expertise
  • 108 Publications since 2002, covering:
    • Addressing and Routing
    • Domain Name System (DNS)
    • DNS Security Extensions (DNSSEC)
    • Domain Registry/Registrar Operations
    • DNS Abuse & Cybercrime
    • Internationalization (Domain Names and Data)
    • Internet Service/Access Provider
    • ICANN Policy and Operations

How We Advise


Security and Stability Advisory Committee (SSAC)

ICANN’s Mission & Commitments
  • To ensure the stable and secure operation of the Internet's unique identifier systems.
  • Preserving and enhancing the operational stability, reliability, security and global interoperability, resilience, and openness of the DNS and the Internet.

SSAC Publication Process
  1. Form Work Party
  2. Research and Writing
  3. Review and Approve
  4. Publish

Consideration of SSAC Advice (to the ICANN Board)
  1. SSAC submits advice to the ICANN Board
  2. Board acknowledges and studies the advice
  3. Board takes formal action on the advice, by one of:
    • Policy Development Process
    • Staff implementation with public consultation
    • Dissemination of advice to affected parties
    • Choosing a different solution (and explaining why the advice is not followed)


SAC1XX: The Implications of DNS over HTTPS and DNS over TLS



SAC1XX: Implications of DNS over HTTPS and DNS over TLS

  • Explanation and comparison of DNS over HTTPS (DoH) and DNS over TLS (DoT), focusing on standardization and deployment status
  • Exploration of the effects on, and perspectives of, several groups of stakeholders: parents, enterprise network managers, dissidents and protesters, and Internet service providers
  • Examination of application resolver choice and the implications that arise from those decisions
  • Potential implications for the namespace when DNS stub resolution moves into applications


SAC1XX: What NOT to expect

  • Declarations of universally agreed “right” and “wrong” labels for DoH and DoT, their implementation, or their deployment choices
  • Strong statements such as “More privacy is always better” or “More encryption is always better”
  • Strong statements about trust models, which we cannot all agree on because we all have different perspectives
  • Recommendations to the ICANN Board


SAC1XX: Conclusions

  • Evaluations of DoH or DoT depend on the perspective of the evaluator.
    • How they are implemented, how they are deployed, which default settings are configured, and who uses them are the questions this report focuses on.
  • Regardless of perspective, deploying DoT and DoH will be disruptive, mainly through the way the technology is implemented and deployed.
  • Application-specific DNS resolution via DoH and DoT raises a host of challenges:
    • How networks and endpoints work.
    • Who has access to DNS query data.
    • How to protect and manage networks in this new model.


Comparison of DNS over HTTPS and DNS over TLS



Three Technologies

  • Traditional DNS
    • Unencrypted transport over UDP or TCP port 53; anyone on the path can read the queries and responses
  • DNS over HTTPS (DoH, RFC 8484)
    • DNS messages carried inside HTTPS (Hypertext Transfer Protocol Secure) requests and responses
    • Uses TCP port 443, the same as all other HTTPS traffic, so it cannot be told apart from web browsing by port number
    • Used only for stub-to-recursive queries
  • DNS over TLS (DoT, RFC 7858)
    • DNS messages carried over a Transport Layer Security (TLS) session, with the same two-byte length framing as DNS over TCP
    • Uses TCP port 853, a port reserved for this purpose, so it is easy to recognise (and to block) by port number
    • Used only for stub-to-recursive queries
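The framing differences on this slide, as an added example that is not part of the deck or of the SSAC report: one query for www.example.com is built in DNS wire format and then prepared for each transport, and a constructed response is parsed back. The helper names are this example's own; the DoH GET string it produces is the worked example given in RFC 8484.

```python
"""Added example (not from the SSAC deck): the same DNS query framed for
classic port 53, for DoT (RFC 7858) and for DoH (RFC 8484), plus a parser
for the answer. Runs offline; the response is constructed test data."""
from __future__ import annotations

import base64
import ipaddress
import struct


def encode_name(name: str) -> bytes:
    """Domain name in wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """12-byte header plus one question. Flags 0x0100 = standard query, RD set.
    RFC 8484 recommends txid 0 for DoH so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def dot_frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length, then the
    message; the framed bytes go inside the TLS session on port 853."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg: bytes, template: str = "/dns-query") -> str:
    """DoH GET form: base64url of the message, padding stripped, in 'dns='."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{template}?dns={b64}"


def doh_post(msg: bytes) -> tuple[dict[str, str], bytes]:
    """DoH POST form: raw wire format as the body with the DoH media type."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, msg


def read_name(msg: bytes, pos: int) -> tuple[str, int]:
    """Read a name that may use RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears at pos)."""
    labels, end, jumped, hops = [], pos, False, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:            # 11xxxxxx: pointer to earlier offset
            if not jumped:
                end = pos + 2
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            jumped, hops = True, hops + 1
            if hops > 16:                     # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else pos)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def parse_response(msg: bytes) -> dict:
    """Parse header, questions and answers; A/AAAA rdata rendered as text."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def build_sample_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed answer for testing (not from any real resolver): echoes the
    question and adds one A record whose owner name is a pointer (0xC00C) to
    the question name at offset 12. Flags 0x8180 = QR, RD, RA, NOERROR."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = ipaddress.IPv4Address(ipv4).packed
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer
```

The point to notice is that the DNS message itself is identical in all three cases; only the wrapper changes. Over port 53 the name is visible to anyone on the path, DoT hides it but announces itself by port 853, and DoH hides it inside a request that looks like any other HTTPS fetch.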


Possible Traditional DNS Deployment
(figure: green dashes show unencrypted paths)

Possible DNS over TLS Deployment in a Home Network
(figure: red solids show encrypted paths)

Possible DNS over TLS Deployment in an Enterprise Network
(figure)

Possible DNS over HTTPS Deployment
(figure)


Different Perspectives on DNS over HTTPS and DNS over TLS



Parents

  • Some parents wish to control their children’s access to the Internet, and the DNS can be an effective control point for this.
  • Services have long existed to provide this type of blocking, just as children have often been skilled enough to work around them.
  • DoH makes this kind of blocking harder: an application that chooses its own DoH resolver bypasses the filtering resolver the home network hands out, and its queries share port 443 with ordinary web traffic.


Enterprise Network Managers

  • Many different types of organizations run what can be considered enterprise networks:
    • corporations, municipalities, university campuses, hospitals, military bases
  • They often have a positive obligation, for regulatory or security reasons, to understand and control the traffic on their networks.
  • DNS is an important control point for enterprise network management: the local resolvers can log, filter and redirect queries.
  • The introduction of new DNS transports, and DoH in particular, threatens to upend this model, because an application can carry its queries to a resolver of its own choosing over a port the enterprise cannot simply close.


Dissidents, Protesters, and Others

  • The Internet is an important vehicle for dissidents and protesters to spread alternative views, critique politics, and shed light on corruption and human rights abuses.
  • By encrypting DNS queries and responses, DoH and DoT can help shield users from having their lookups observed by their ISPs or governments.
  • Virtual Private Network (VPN) software and Tor have long offered similar protection.
  • Not a panacea. The chosen resolver still sees every query, the connection that follows the lookup is still visible, and even with DoH or DoT the ability of citizens to express political dissent without reprisal is greatly influenced by their governments.


Internet Service Providers (ISPs)

  • Many governments obligate ISPs to block traffic, using the DNS as the control point.
  • The introduction of DoH and DoT may mean that ISPs become obligated to block traffic by other means.
  • Some ISPs may resort to blocking all DoT traffic (port 853 makes this simple) or offer their own DoH or DoT services.
  • ISPs may block known DoH servers by IP address, but this will never be complete: DoH shares port 443 with ordinary web traffic, and any HTTPS server can host a resolver.
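A concrete view of the control problem described on this slide and on the enterprise slide above, as an added example rather than anything from the SSAC report: a small flow-triage rule set for a network that used DNS as its control point and now sees DoT and DoH. The resolver addresses, SNI names and flow records are constructed placeholders drawn from the RFC 5737 documentation ranges, not a real block-list, and the labels and policy table are this example's own.

```python
"""Added example (not from the SSAC deck): triage of flow records for a
network that relied on DNS as a control point. Addresses are RFC 5737
documentation ranges, flows are constructed, and the 'known DoH resolver'
entries are placeholders rather than a real list."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy data for this example only.
INTERNAL_RESOLVERS = {ipaddress.ip_address("192.0.2.53")}
KNOWN_DOH_ADDRS = {ipaddress.ip_address("198.51.100.10")}   # placeholder
KNOWN_DOH_SNI = {"doh.resolver.example"}                     # placeholder
DOH_PATH_HINTS = ("/dns-query",)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    sni: Optional[str] = None        # server name from the TLS ClientHello, if seen
    http_path: Optional[str] = None  # only known if a proxy terminates TLS


def classify(flow: Flow) -> str:
    """Label a flow by which DNS transport (if any) it is likely to carry."""
    dst = ipaddress.ip_address(flow.dst)
    if flow.dport == 53:
        return "do53-internal" if dst in INTERNAL_RESOLVERS else "do53-external"
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot"                      # dedicated port: trivially identified
    if flow.dport == 443 and flow.proto == "tcp":
        if dst in KNOWN_DOH_ADDRS or flow.sni in KNOWN_DOH_SNI:
            return "doh-known"            # matched only because it is on the list
        if flow.http_path and flow.http_path.startswith(DOH_PATH_HINTS):
            return "doh-inspected"        # needs TLS interception to see the path
        return "https-unknown"            # ordinary web traffic, or unlisted DoH
    return "other"


POLICY = {
    "do53-internal": "allow",
    "do53-external": "block",   # force clients onto the filtering resolver
    "dot": "block",             # cheap and reliable because of port 853
    "doh-known": "block",
    "doh-inspected": "block",
    "https-unknown": "allow",   # the gap: DoH to an unlisted resolver passes
    "other": "allow",
}


def decide(flow: Flow) -> tuple[str, str]:
    """Return (classification, action) for one flow."""
    kind = classify(flow)
    return kind, POLICY[kind]


def summarize(flows) -> dict:
    """Count decisions so the operator sees how much traffic the rules cannot resolve."""
    counts: Counter = Counter()
    for f in flows:
        kind, action = decide(f)
        counts[f"{kind}:{action}"] += 1
    return dict(counts)


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.53", 53, "udp"),                          # normal internal lookup
    Flow("10.0.0.5", "198.51.100.53", 53, "udp"),                       # bypass to an outside Do53 server
    Flow("10.0.0.7", "198.51.100.20", 853),                             # DoT to any server
    Flow("10.0.0.8", "198.51.100.10", 443, sni="doh.resolver.example"), # listed DoH resolver
    Flow("10.0.0.9", "203.0.113.7", 443, sni="cdn.example"),            # unlisted: could be DoH
]
```

The last sample flow is the one this slide is warning about: it is allowed because nothing in the record distinguishes it from a web fetch, and no IP or SNI list can close that gap without blocking HTTPS itself or terminating TLS on the path.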


Implications to the Namespace



Implications to the Namespace

  • Applications performing DNS functions themselves may cause other disruptions, which may or may not be visible to users of those applications.
  • One industry concern with applications providing their own DNS functionality is that they will undermine the usefulness of the DNS as a generic, protocol-neutral naming system for the Internet.
  • Namespaces may become tailored to the requirements of a particular application.
  • Web browsers have already begun to partition their caches of web content by top-level site.
    • In practice, this means a resource fetched under one site is no longer served from cache when requested under another; name resolution done per application can fragment in the same way.


Thank you
