DNS in Applications
One Application's Perspective
(slide transcript; source: datatracker.ietf.org)

Why

Mission Statement
Individuals’ security and privacy on the internet are fundamental and must not be treated as optional.
-- Mozilla Manifesto

HTTPS
Securing HTTP has been a huge challenge

Mission Accomplished (Mostly)
HTTPS page load %, Firefox, 2014-2019

Attention moves to new problems
Bad site behaviour (tracking, breaches, etc…)
Hardening (SPECTRE and friends, ...)
Gaps in encryption (traffic analysis, unencrypted content, ...)

ESNI and Encrypted DNS
Encrypting DNS is good
But we also care about who gets the information

Trusted Recursive Resolver Principle
Individual control, with strong privacy properties for defaults

Why not

DNS is not a single coherent namespace
An important value of a single communications network resides within the concept of a single referential framework, where my reference to some network resource can be passed to you and still refer to the same resource.
-- Geoff Huston

Lots of reasons for applications not to do DNS
Content filtering
Malware detection and blocking
Captive portals
Enterprise service access
Network specific service access
Routing policies
Regulatory mandates
Applications will screw it up
DoH providers will screw it up
It’s a race to the bottom

One main reason
DNS is an effective control point

Not a good reason
DNS ~~is~~ was an effective control point

Alternative name resolution happens
Application-layer resolution happens; e.g., HTTP Alternative Services (RFC 7838)
Effective control requires covering these also
No effective control without engaging with endpoints

DNS for captive portals
IETF capport working group formed for the same problem:
People started encrypting web traffic... and it became harder to intercept and redirect to a portal
Using DNS here is worse than using cleartext HTTP

Content filtering by DNS name
Works only in the broadest sense
Using DNS results in under- or over-blocking
e.g., blocking all of a host that has one censored page
Endpoint cooperation is necessary to be fully effective
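The two slides above make one mechanical point: a filter at the resolver sees only a hostname, and only when the client's lookup actually reaches that resolver. The script below is an added example (not from the deck or from Mozilla) that runs a URL-level policy and a DNS-name filter over the same constructed set of requests and reports where the two disagree. The `bypasses_dns` flag models the previous slide's alternative resolution (an Alt-Svc hint, a cached answer, an IP literal, or an application-chosen resolver); the policy, the request list and all names are constructed sample data.

```python
"""Added example: under- and over-blocking when a URL policy is enforced by DNS name."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    url: str
    # True when the client resolved the host without consulting the filtered
    # resolver (Alt-Svc per RFC 7838, cached answer, IP literal, application
    # DNS).  This is the example's own modelling assumption.
    bypasses_dns: bool = False

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


# Constructed policy: the specific pages an operator wants blocked.
POLICY_BLOCKED_URLS = {
    "https://example.org/forum/thread-42",
    "https://example.org/forum/thread-43",
    "https://bad.example/",
}


def dns_blocklist_from_policy(urls):
    """A resolver-side filter acts on names, so the policy collapses to hostnames."""
    return {urlsplit(u).hostname for u in urls}


def policy_blocks(req):
    """What the operator actually wants: block exactly the listed URLs."""
    return req.url in POLICY_BLOCKED_URLS


def dns_filter_blocks(req, blocklist):
    """What a DNS-name filter delivers: name match, and only if the lookup reached it."""
    if req.bypasses_dns:
        return False
    return req.host in blocklist


def classify(requests, blocklist):
    """Compare policy intent with filter outcome for every request."""
    result = {"correct": [], "over_blocked": [], "under_blocked": []}
    for r in requests:
        want, got = policy_blocks(r), dns_filter_blocks(r, blocklist)
        if want == got:
            result["correct"].append(r.url)
        elif got and not want:
            result["over_blocked"].append(r.url)   # collateral damage on the host
        else:
            result["under_blocked"].append(r.url)  # policy target reached anyway
    return result


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    Request("https://example.org/forum/thread-42"),       # policy target
    Request("https://example.org/"),                       # same host, not a target
    Request("https://example.org/docs/manual"),            # same host, not a target
    Request("https://bad.example/"),                       # policy target
    Request("https://bad.example/", bypasses_dns=True),    # target, resolver never asked
    Request("https://example.com/news"),                   # unrelated
]


def report():
    return classify(SAMPLE_REQUESTS, dns_blocklist_from_policy(POLICY_BLOCKED_URLS))


if __name__ == "__main__":
    for kind, urls in report().items():
        print(f"{kind}: {len(urls)}")
        for u in urls:
            print("   ", u)
```

Every request to `example.org` is blocked because one path on it is a policy target, and the `bad.example` request that did not go through the filtered resolver is not blocked at all; the filter is simultaneously too broad and too narrow, which is what the slide's "endpoint cooperation is necessary" is pointing at.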

DNS is NOT an effective control surface

DNS is plumbing
This is not a problem you can fix with UX
Most people don’t care about plumbing until it stops working
They should not need to care

Where from here

In the long term
Applications will encrypt what they can
Applications will choose who they trust with data
Entities looking to exert control will have to engage with owners of end systems

In the short term
People still rely (heavily) on DNS for many of these use cases
Disable application DNS where controls are in place… use an unauthenticated signal for this
Agree that this is a stop-gap
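The "unauthenticated signal" on the slide above is a canary-name check: before switching to its own resolver, the application asks the system resolver for a well-known name, and a network that runs DNS-based controls answers NXDOMAIN (or returns no addresses) to say "keep using system DNS". The code below is an added example of that pattern, not Firefox's implementation; the canary name used as the default is the one Firefox checks (`use-application-dns.net`), but the decision rule, the error handling and the `Decision` enum are this example's own choices. Passing the resolver as a parameter lets the heuristic be exercised without touching the network.

```python
"""Added example: disabling application DNS on a canary-name signal."""
import socket
from enum import Enum


class Decision(Enum):
    USE_APPLICATION_DNS = "use application DNS (DoH)"
    USE_SYSTEM_DNS = "use system DNS"


# Firefox's canary name; a different deployment would choose its own.
DEFAULT_CANARY = "use-application-dns.net"

# Negative answers that count as the signal.  EAI_NODATA is absent on some
# platforms, hence the hasattr check.
_NEGATIVE = {getattr(socket, n) for n in ("EAI_NONAME", "EAI_NODATA") if hasattr(socket, n)}


def system_resolver(name):
    """Resolve via the OS resolver.

    Returns the list of addresses, or [] for NXDOMAIN / no A or AAAA records.
    Any other resolver failure (EAI_AGAIN, unreachable resolver) is re-raised
    so the caller can tell "the network said no" from "the lookup broke".
    """
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror as e:
        if e.errno in _NEGATIVE:
            return []
        raise
    return sorted({info[4][0] for info in infos})


def canary_decision(resolve=system_resolver, canary=DEFAULT_CANARY):
    """Apply the heuristic.

    resolve(name) -> list of addresses.  An empty list is the network's
    request to keep using the system resolver.  A lookup error is treated as
    "no signal" and the application keeps its own resolver; that is this
    example's design choice, not something the slides specify.
    """
    try:
        addrs = resolve(canary)
    except OSError:
        return Decision.USE_APPLICATION_DNS
    if not addrs:
        # NXDOMAIN / NODATA: controls are in place, step aside.  Nothing here
        # proves who answered; the slide calls the whole mechanism a stop-gap.
        return Decision.USE_SYSTEM_DNS
    return Decision.USE_APPLICATION_DNS


if __name__ == "__main__":
    print("live system resolver:", canary_decision().value)
    print("simulated NXDOMAIN:  ", canary_decision(lambda n: []).value)
```

Because the answer is neither signed nor tied to the network's identity, the check only distinguishes "someone on the resolution path returned a negative answer" from "someone did not"; logging which branch was taken, and why, is the one thing a deployment gets for free here.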