DNS加密協(xié)議發(fā)展及部署現(xiàn)狀

1、DNS加密協(xié)議發(fā)展及部署現(xiàn)狀技術(shù)創(chuàng)新，變革未來An End-to-End, Large-Scale Measurement of DNS-over-Encryption:How Far Have We Come?Chaoyi Lu, Baojun Liu, Zhou Li, Shuang Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Ying Liu, Zaifeng Zhang, Jianping WuThe start of Internet activities.which says a lot about you.Domain Nam

2、e SystemDNS ClientResolverA?server31?DNS PrivacyDNS ClientResolverAuthoritativeMITMinterceptionWhere are the risks?Rogue serverEavesdropperserver4People could be watching our queries.DNS PrivacyRFC 7626 onDNS privacy5The MORECOWBELLsurveillance program of NSADNS PrivacyPeople could be watc

3、hing our queries. And do stuff like:Device Fingerprinting Chang 15User behavior AnalysisKim 15User Tracking Kirchler 166DNS Privacy: What Has Been Done?Three IETF WGs.Three standardized protocols.More implementations and tests coming.IETF DPRIVE WGSept. 14Before 14DNSCurve & DNSCryptRFC 7258Pervasiv

4、e MonitoringMay. 14Jan. 15NSAsIs an Attack MORECOWBELLrevealedRFC 7626DNS Privacy ConsiderationsAug. 15RFC 7858DNS-over-TLS (DoT)May. 16Feb. 17RFC 8094DNS-over-DTLSSept. 17IETFDoH WGRFC 8310Usage Profile of DoTMar. 18RFC 8484 DNS-over-HTTPS(DoH)Oct 18Jun. 18Mozillas test of DoHMar. 16RFC 7816 QNAMEM

5、inimizationDNS-over-QUIC,initial draftApr. 17Mar. 19Drafts on DoH deploymentDNS zone transfers using TLS, draftNov. 19Feb. 20IETF ADD WG7DNS-over-TLS (DoT, RFC 7858, May 2016)Uses TLS to wrap DNS messages. Dedicated port 853.Stub resolver update needed.DNS-over-HTTPS (DoH, RFC 8484, Oct 2018)Embeds

6、DNS packets into HTTP messages.Shared port 443. More user-space friendly.8DNS-over-Encryption: Standard ProtocolsIssuing DNS-over-HTTPS queries in a browser.DNS-over-Encryption: Standard ProtocolsIssuing DNS-over-TLS queries with kdig.$ kdig +tls ;TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-12

7、8-GCM);-HEADER 60% DoT traffic 95% netblocks: Active for one weekDNS-over-HTTPS TrafficData: Passive DNS dataset, monthly query volume.Big players dominate. Also a growing trend.37Traffic Observed by DNS ProvidersDoT and DoH usage has grown significantly.Cloudflare: 8% of its queries are encrypted (

8、May 2019)Qihoo 360:360 DoH used by 1.2M clients (July 2020)38Recommendation39Protocol designersReuse well-developed protocols.Service providersCorrect misconfigurations. Keep servers under regular maintenance.DNS clientsEducation on benefits of encryption.Dataset & code releasePlease visit .Recent R

9、elated WorksEncryption is not the silver bullet for privacy.Houser 19DoT Traffic AnalysisSiby 20DoH Traffic Analysis40Recent Related WorksDoH Downgrade Attacks.Qing FOCI2041Summary: Key Observations42Open DNS-over-Encryption resolversA number of small providers less-known.28% resolvers use invalid TLS certificates.Client-side usabilityCurrently good reachability (99%). Tolerable performance overhead with reused connections.Real-world trafficHas been growing significantly.An End-to-End, Large-Scale Measurement of DNS-over-Encryption:How Far