NCSG-DISCUSS Archives

NCSG-Discuss

NCSG-DISCUSS@LISTSERV.SYR.EDU

Subject:
From: Michael Casadevall <[log in to unmask]>
Reply To: Michael Casadevall <[log in to unmask]>
Date: Wed, 26 Jun 2019 08:48:08 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (80 lines)

I was out sick yesterday for that session, but I did a tech talk with
NARALO on DoH and DoT as well as a lot of technical discussions on the
topic. I do want to add some additional two cents on this beyond what
the above addresses and am around today if anyone wants to pick my
brain on these topics.

In addition to the resources added above, there are concerns with both
these technologies as they tie DNS to the WebPKI ecosystem and
revocation. While it is possible to issue an SSL certificate for an IP
address (avoiding a bootstrapping issue), you add a massive nightmare
regarding revocation and expiration of SSL certificates as OCSP and
CRL download locations universally use domain names and not IP
addresses so you can't bootstrap yourself to determine if a
certificate for a given server is valid or not. This is further
complicated by the fact that different web browsers accept different CA roots as
well as operating systems having their own CA stores which drastically
complicate the amount of machinery that is required for DoT/DoH to
work.

DoH/DoT also don't fix what is known as the last mile problem, and
this problem is badly glossed over by the Open Rights Group report.
While DNSSEC provides proper authentication of DNS records from the
root down, DoH/DoT doesn't change the core DNS protocol at all. In
normal DNS, DNSSEC validation is checked by the recursive resolver and
RRSIG records are never seen by the end-user devices (authentication
is marked as a single bit in the DNS options flags). DoH/DoT doesn't
resolve this issue at all; a DoH/DoT server can lie about DNS records
so it doesn't actually add any level of validation of a DNS record
sent to a client.

DoH also opens a new security risk as it makes it possible for
browser-level JavaScript to make arbitrary DNS requests. That means
that by browsing to a given website, the browser can be set to make
random DNS queries or send DNS UPDATE queries which can act as a type
of nearly impossible to detect tracking cookie or a method of
information leak which can be indistinguishable from other (legit) DoH
traffic that may be on the network.

In my personal opinion, while DoH/DoT is a net improvement to the
status quo, neither of these technologies provides any real improvement
over basic DNS aside from basic protection from eavesdropping, and may
cause a false sense of security. If there is going to be work in
having proper and secure DNS, DoH/DoT is a starting point at best.

Michael

On Tue, Jun 25, 2019 at 5:34 PM James Gannon <[log in to unmask]> wrote:
>
> Agreed, please take incredibly interested parties' take on this topic with a large block of salt.
>
> On 25.06.19, 17:32, "NCSG-Discuss on behalf of Mueller, Milton L" <[log in to unmask] on behalf of [log in to unmask]> wrote:
>
>     To be honest, I found Vittorio's comments at today's session rather incoherent. Lots of scare talk about concentration but remember he works for a CDN company that will, as he said himself, "lose insight" into DNS query data.
>
>     -----Original Message-----
>     From: NCSG-Discuss <[log in to unmask]> On Behalf Of Collin Kurre
>     Sent: Tuesday, June 25, 2019 11:55 AM
>     To: [log in to unmask]
>     Subject: Additional resources on DoH / DoT
>
>     Dear all,
>
>     Following up on the high-interest session about DoH / DoT just now, I'd like to share with you a brand new report by the Open Rights Group entitled "DNS Security, getting it right: Recommendations for policy makers and technologists." Find it here:
>     https://www.openrightsgroup.org/about/reports/dns-security-getting-it-right
>
>     Michele also mentioned CENTR's recent report (which is much shorter if you haven't got much time):
>     https://centr.org/news/news/centr-publishes-issue-paper-on-doh.html
>
>     And here is a wonderful presentation Vittorio Bertola made at last week's EuroDIG meeting:
>     https://bertola.eu/file/ig/The%20DoH%20dilemma%20-%20EuroDIG%202019.pdf
>
>     Kind regards,
>     Collin
>
>     --
>     Collin Kurre
>     Digital Program Officer
>     ARTICLE 19
>
>
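As an added example that is not part of this thread: a Python sketch of the wire-format bits the message above refers to. It builds a query carrying the EDNS0 DO bit (the only way a client ever gets RRSIGs back), then two constructed resolver answers, one "honest" and one "lying", that both set the AD flag, and shows that a stub which only inspects the header cannot tell them apart regardless of whether UDP, DoT or DoH carried the bytes. All names and addresses are constructed sample data.

```python
import struct
# Added example, not from the thread. Flags word (RFC 1035 4.1.1, AD/CD per RFC 4035):
#   15 QR | 14-11 Opcode | 10 AA | 9 TC | 8 RD | 7 RA | 6 Z | 5 AD | 4 CD | 3-0 RCODE
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}

def build_header(txid, qdcount=0, ancount=0, arcount=0, rcode=0, **flags):
    """Pack the 12-byte header; keyword args (qr=True, ad=True, ...) set flag bits."""
    word = (rcode & 0xF) | sum(1 << FLAG_BITS[n] for n, on in flags.items() if on)
    return struct.pack("!HHHHHH", txid, word, qdcount, ancount, 0, arcount)

def parse_header(msg):
    """Decode the header; the AD bit is all a non-validating stub sees of DNSSEC."""
    txid, word, qd, an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    flags = {n: bool(word >> b & 1) for n, b in FLAG_BITS.items()}
    return dict(flags, id=txid, rcode=word & 0xF, qdcount=qd, ancount=an, arcount=ar)

def encode_question(qname, qtype=1):
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split("."))
    return labels + b"\x00" + struct.pack("!HH", qtype, 1)

def build_query(txid, qname, do_bit=True):
    """Query; with do_bit the EDNS0 OPT RR (RFC 6891) sets DO=1 (RFC 3225) to ask for RRSIGs."""
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, (1 << 15) if do_bit else 0, 0)
    hdr = build_header(txid, qdcount=1, arcount=1 if do_bit else 0, rd=True)
    return hdr + encode_question(qname) + (opt if do_bit else b"")

def query_do_bit(query):
    """True if the query carries an OPT RR with DO set (client asked for RRSIGs)."""
    h, pos = parse_header(query), 12
    for _ in range(h["qdcount"]):          # skip each question: name labels, type, class
        while query[pos]:
            pos += 1 + query[pos]
        pos += 5
    if h["arcount"] == 0 or query[pos] != 0:   # OPT RR must carry the root name
        return False
    rtype, _cls, ttl = struct.unpack("!HHI", query[pos + 1:pos + 9])
    return rtype == 41 and bool(ttl >> 15 & 1)

def build_response(query, qname, ip, ad):
    """One A record, no RRSIGs: an honest and a lying resolver differ only in ip."""
    txid = struct.unpack("!H", query[:2])[0]
    hdr = build_header(txid, qdcount=1, ancount=1, qr=True, rd=True, ra=True, ad=ad)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + encode_question(qname) + rr

def demo():
    q = build_query(0x1234, "example.com.")                               # constructed query
    honest = build_response(q, "example.com.", "192.0.2.1", ad=True)     # constructed answer
    lying = build_response(q, "example.com.", "198.51.100.9", ad=True)   # constructed, forged IP
    return query_do_bit(q), parse_header(honest) == parse_header(lying), honest != lying
```

demo() returns (True, True, True): the client asked for RRSIGs, the two answers carry byte-identical headers including AD=1, yet their answer data differ, which is exactly the gap only local DNSSEC validation (not the transport) can close.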
