
DNS over TCP and TLS draft-hzhwm-dprive-start-tls-for-dns-00 John - PowerPoint PPT Presentation



  1. DNS over TCP and TLS
  draft-hzhwm-dprive-start-tls-for-dns-00
  John Heidemann and Sara Dickinson
  Joint work with Liang Zhu, Zi Hu, Duane Wessels, Allison Mankin, Willem Toorop
  USC/ISI, Verisign Labs, and Sinodun in collaboration with NLnet Labs, getdns
  IETF91 / 11 November 2014

  2. Our Goals
  • DNS protocol changes
    – encouraging TCP
    – STARTTLS to initiate TLS
  • implementation choices for good performance
  • performance study to confirm costs
    – client latency: only modestly more
    – server memory: well within current hardware
  DNS over TCP and TLS 2

  3. Why DNS over TCP and TLS
  • here: protecting privacy
    – encrypt stub-to-recursive queries
  • use of TCP helps in other regards
    – defanging DoS
      • prevent attacks on the DNS server: use existing TCP anti-DoS (SYN cookies)
      • reducing attacks on others: TCP avoids amplification attacks
    – relaxing limits of UDP packet sizes: TCP

  4. Protocol Changes: Goals
  • minimize change (as boring as possible)
  • reuse existing approaches
  • follow IETF norms
  • implications:
    – reuse TLS: Transport Layer Security
    – add a STARTTLS-like “upgrade”
    – look at implementation choices

  5. Protocol Changes: Goals
  • minimize change (as boring as possible)
  • reuse existing approaches
  • follow IETF norms
  • implications:
    – reuse TLS: Transport Layer Security
    – add a STARTTLS-like “upgrade”
    – dedicated port too, if that is acceptable under IANA Port Review (RFC 6335)
    – innovation: careful implementation

  6. SMTP before STARTTLS
  C & S: open TCP connection
  S: 220 mail.imc.org SMTP service ready
  C: EHLO mail.example.com
  S: 250-mail.imc.org hi, extensions are: -8BITMIME -STARTTLS DSN
  C: STARTTLS
  S: 220 Go ahead
  C & S: <negotiate a TLS session, in binary, using the TLS protocol>
  C: EHLO mail.example.com
  S: 250-mail.imc.org hello, extensions are: -8BITMIME DSN
  C: MAIL FROM:<sender@mail.example.com>
  S: 250 2.1.0 <sender@mail.example.com>... Sender OK
  C: RCPT TO:<destination@mail.example.com>
  S: 250 2.1.5 <destination@mail.example.com>
  C: <send mail contents>
  (slide annotation: problem: cleartext mail is snoop-able; fix: TLS)

  7. SMTP with STARTTLS (RFC-3207)
  prologue: in clear (no privacy here)
  C & S: open TCP connection
  S: 220 mail.imc.org SMTP service ready
  C: EHLO mail.example.com
  S: 250-mail.imc.org hi, extensions are: -8BITMIME -STARTTLS DSN
  transition to TLS
  C: STARTTLS
  S: 220 Go ahead
  C & S: <negotiate a TLS session with a new session key, in binary>
  contents now private
  C: EHLO mail.example.com
  S: 250-mail.imc.org hello, extensions are: -8BITMIME DSN
  C: MAIL FROM:<sender@mail.example.com>
  S: 250 2.1.0 <sender@mail.example.com>... Sender OK
  C: RCPT TO:<destination@mail.example.com>
  S: 250 2.1.5 <destination@mail.example.com>
  C: <send mail contents>
  this example: SMTP; idea used for IMAP, POP3, FTP, XMPP, LDAP, NNTP…

  8. Our STARTTLS for DNS (draft-hzhwm-dprive-start-tls-for-dns-00)
  prologue
  C & S: open TCP connection
  transition to TLS
  C: QNAME=“STARTTLS”, QCLASS=CH, QTYPE=TXT with the new TO bit set in EDNS options
  S: RCODE=0, TXT=“STARTTLS”, with the TO bit set
  C & S: <negotiate a TLS session, get new session key, in binary>
  contents now private
  C: <send actual query>
  S: <reply to actual query>
  pros: no new port (from IANA, or in firewalls)
  cons: extra RTT; middleboxes may not like encrypted traffic
  (other signaling approaches are possible)

  9. Protocol Details
  • keeps standard DNS framing before and after TLS upgrade
    – allows easy retrofit to existing resolver software
  • use dummy query to avoid leaking information
  • i-d says TO bit is only signaling
  • pre-IANA, we use STARTTLS QNAME and no TO bit in our implementations
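The exchange of slides 8 and 9 at the wire level, as an added example that is not code from the draft or from the T-DNS project: the client sends the dummy query (QNAME=STARTTLS, QCLASS=CH, QTYPE=TXT), the server answers with RCODE=0 and a TXT record "STARTTLS", both carried in the standard 2-byte length-prefixed DNS-over-TCP framing that is kept before and after the upgrade. The EDNS TO bit is omitted, as slide 22 says the prototypes do pending IANA allocation; every function name here is our own, and the simulated byte stream stands in for a real TCP socket.

```python
import struct

# Added example (not the draft's or the project's code): STARTTLS-for-DNS
# signalling at the DNS wire level, with DNS-over-TCP length framing.
# The TO EDNS bit is left out, as slide 22 says the prototypes do pending
# IANA allocation. All function names are our own.

QCLASS_CH = 3
QTYPE_TXT = 16
STARTTLS_NAME = "STARTTLS"
FLAG_QR = 0x8000          # header bit: this message is a response
RCODE_MASK = 0x000F

def encode_name(name):
    """Encode a domain name as a sequence of DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg, off):
    """Decode labels starting at off; follows one compression pointer.
    Returns (name, offset just past the name)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                       # compression pointer
            ptr = ((n & 0x3F) << 8) | msg[off]
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 1
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off

def tcp_frame(msg):
    """DNS over TCP framing: 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    """Take one framed message off a byte stream; returns (msg, rest)."""
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("short read: message not complete yet")
    return stream[2:2 + n], stream[2 + n:]

def build_starttls_query(txid):
    """Client side: the dummy query that asks for the TLS upgrade."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # QR=0, one question
    return header + encode_name(STARTTLS_NAME) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def parse_header_and_question(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, flags, an, name, qtype, qclass, off + 4

def is_starttls_probe(name, qtype, qclass):
    return name.upper() == STARTTLS_NAME and qtype == QTYPE_TXT and qclass == QCLASS_CH

def server_handle(query):
    """Server side: returns (response bytes, whether TLS negotiation follows)."""
    txid, _flags, _an, name, qtype, qclass, qend = parse_header_and_question(query)
    question = query[12:qend]
    if not is_starttls_probe(name, qtype, qclass):
        # an ordinary query: a real server answers it in cleartext here; this
        # toy returns an empty NOERROR reply and stays on plain TCP
        return struct.pack("!HHHHHH", txid, FLAG_QR, 1, 0, 0, 0) + question, False
    txt = bytes([len(STARTTLS_NAME)]) + STARTTLS_NAME.encode("ascii")  # TXT <character-string>
    answer = (b"\xC0\x0C"                                 # pointer to the question name
              + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(txt)) + txt)
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)   # RCODE=0, one answer
    return header + question + answer, True

def client_accepts_upgrade(response, expected_txid):
    """Client side: True only for the agreed reply (RCODE=0, TXT "STARTTLS")."""
    txid, flags, ancount, name, qtype, qclass, off = parse_header_and_question(response)
    if txid != expected_txid or not (flags & FLAG_QR) or (flags & RCODE_MASK) != 0:
        return False
    if ancount < 1 or not is_starttls_probe(name, qtype, qclass):
        return False
    _owner, off = decode_name(response, off)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    rdata = response[off + 10:off + 10 + rdlen]
    return rtype == QTYPE_TXT and rclass == QCLASS_CH and rdata[1:1 + rdata[0]] == b"STARTTLS"

def starttls_exchange(txid=0x1234):
    """Run the cleartext prologue over a simulated TCP byte stream.
    True means both sides now expect the TLS handshake to start."""
    query, _ = tcp_unframe(tcp_frame(build_starttls_query(txid)))   # C -> S
    response, server_upgrades = server_handle(query)                  # S -> C
    reply, _ = tcp_unframe(tcp_frame(response))
    return server_upgrades and client_accepts_upgrade(reply, txid)
```

The client only proceeds to the TLS handshake when the transaction id matches, QR is set, RCODE is 0 and the TXT answer is exactly "STARTTLS"; any other reply leaves the connection on plain TCP, which is the point of using a dummy query rather than the real one for signalling: nothing about the user's actual query is sent before encryption is up.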

  10. Our Goals
  • DNS protocol changes
    – encouraging TCP
    – STARTTLS add TLS
  • implementation choices for good performance
  • performance study to confirm costs
    – client latency: only modestly more
    – server memory: well within current hardware

  11. Careful Implementation Choices
  • problem: no tuning of DNS TCP for queries (until now!)
    – see draft-dickinson-dnsop-5966-bis-00 (on DNSOP agenda today)
  • connection reuse (or restart)
    – persistent connections
    – TCP fast open
    – TLS resumption
  • query pipelining
  • query reordering (out-of-order processing)
  details in Sara’s talk, and supplemental slides

  12. Our Goals
  • DNS protocol changes
    – encouraging TCP
    – STARTTLS add TLS
  • implementation choices for good performance
  • performance study to confirm costs
    – client latency: only modestly more
    – server memory: well within current hardware
  details in tech report: “T-DNS: Connection-Oriented DNS to Improve Privacy and Security (extended)”, ISI-TR-2014-693, http://www.isi.edu/~johnh/PAPERS/Zhu14b.pdf

  13. Connection Reuse Helps? (YES!)
  what fraction of queries find open TCP connections?
  method: replay 3 traces: recursive (DNSchanger, Level3) and authoritative (B-Root)
  (graph shows medians, quartiles are tiny)
  120s timeout => >94% connection reuse (reuse is effective!)
  we propose 20s/60s (conservative) => still >85% connection reuse
  conclusion: connection reuse is often helpful

  14. Cost of Connection Reuse? (ok!)
  how many connections? how much memory?
  method: replay same 3 traces (here we show 2 biggest)
  experimental estimate of memory: 360kB/connection (very conservative)
  (graph shows medians and quartiles)
  120s timeout => 16 to 40GB RAM
  we propose 20s/60s (conservative) => 3.6GB from study for recursive (L3), 7.4GB for root (B)
  (easy to add server parallelism if needed)
  conclusion: connection reuse is often helpful and it’s not too costly
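The trace-replay method behind slides 13 and 14, as an added example rather than the authors' own replay tool: given a query trace of (time, client) pairs and an idle timeout, group each client's queries into connections, count how many queries found a connection already open (slide 13's reuse fraction), sweep for the peak number of simultaneously open connections, and multiply by the slides' 360 kB-per-connection estimate (slide 14's memory cost). The trace and client names are constructed for illustration; the real study replayed captured DNSchanger, Level3 and B-Root traces.

```python
from collections import defaultdict

# Added example, not the authors' trace-replay tool: replay a (time, client)
# query trace under an idle-timeout policy and report reuse fraction, peak
# open connections and implied memory. SAMPLE_TRACE is constructed.

PER_CONNECTION_BYTES = 360 * 1024      # slide 14's conservative estimate

SAMPLE_TRACE = [                        # (seconds, client), constructed
    (0.0, "stubA"), (0.5, "stubB"), (1.0, "stubA"), (3.0, "stubC"),
    (10.0, "stubA"), (25.0, "stubB"), (30.0, "stubA"), (60.0, "stubD"),
    (100.0, "stubC"), (130.0, "stubA"), (131.0, "stubB"),
]

def connection_intervals(trace, timeout):
    """Group each client's queries into connections. A query reuses the
    open connection if it arrives within `timeout` seconds of the client's
    previous query; otherwise the old one has closed and a new one opens.
    Returns (list of (open_time, close_time), number of reusing queries)."""
    by_client = defaultdict(list)
    for t, client in trace:
        by_client[client].append(t)
    intervals, reused = [], 0
    for times in by_client.values():
        times.sort()
        opened = last = times[0]
        for t in times[1:]:
            if t - last <= timeout:
                reused += 1
            else:
                intervals.append((opened, last + timeout))
                opened = t
            last = t
        intervals.append((opened, last + timeout))
    return intervals, reused

def peak_concurrent(intervals):
    """Sweep-line count of simultaneously open connections; a close and an
    open at the same instant are ordered close-first."""
    events = sorted([(o, 1) for o, _ in intervals] + [(c, -1) for _, c in intervals])
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak

def evaluate(trace, timeout):
    """Slide 13's reuse fraction and slide 14's memory cost for one timeout."""
    intervals, reused = connection_intervals(trace, timeout)
    peak = peak_concurrent(intervals)
    return {
        "timeout_s": timeout,
        "reuse_fraction": reused / len(trace),
        "peak_connections": peak,
        "memory_bytes": peak * PER_CONNECTION_BYTES,
    }

if __name__ == "__main__":
    for timeout in (20, 60, 120):       # the slides' candidate timeouts
        print(evaluate(SAMPLE_TRACE, timeout))
```

Running it over the constructed trace shows the trade-off the two slides make: a longer timeout raises the reuse fraction (more queries skip a TCP and TLS setup) but also raises the peak number of open connections and therefore the memory a server must hold, which is why the slides settle on 20s/60s rather than 120s.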

  15. Latency: CPU Cost
  • we used micro-benchmarks to study CPU cost
  TLS setup is noticeable, but RTT (40-100+ms) is more important

  16. Latency: Stub to Recursive
  TCP and TLS vs. UDP? effects of implementation choices?
  with short (1ms, left) and medium (35ms, right) RTTs
  method: live experiments of random 140 names from Alexa top 1000; stub-recursive RTT=1ms
  (graph shows medians and quartiles)
  (slide annotation: TCP and TLS as fast as UDP; why? 1ms RTT is ~free)

  17. Latency: Stub to Recursive
  TCP and TLS vs. UDP? effects of implementation choices?
  with short (1ms, left) and medium (35ms, right) RTTs (different scale)
  method: live experiments of random 140 names from Alexa top 1000
  (graph shows medians and quartiles)
  (slide annotations: no pipelining: head-of-line blocking; query reordering (out-of-order processing) avoids HOL blocking)
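A small timing model of the three stub-to-recursive strategies that slides 11 and 17 contrast, added here as an example and not the authors' measurement code. Each query needs some service time at the recursive resolver (a cache hit is quick, a name that needs upstream lookups is slow) and crosses a link of one-way delay rtt/2. Without pipelining the stub sends one query at a time; with pipelining but in-order answers a slow query holds every later answer behind it (head-of-line blocking); with out-of-order processing each answer returns as soon as it is ready. The service times are constructed.

```python
# Added example, not the authors' measurement code: per-query completion
# times (ms) under no pipelining, pipelining with in-order answers, and
# pipelining with out-of-order processing. SAMPLE_SERVICE_MS is constructed.

def no_pipelining(service, rtt):
    """One query in flight at a time: query i+1 leaves only after answer i."""
    done, t = [], 0.0
    for s in service:
        t += rtt + s
        done.append(t)
    return done

def pipelined_in_order(service, rtt):
    """All queries sent at once, but answers must go back in query order, so
    a slow query delays every later answer (head-of-line blocking)."""
    half = rtt / 2
    done, send_at = [], 0.0
    for s in service:
        ready = half + s                      # answer computed at the server
        send_at = max(ready, send_at)         # cannot pass an earlier answer
        done.append(send_at + half)
    return done

def pipelined_out_of_order(service, rtt):
    """Pipelining plus out-of-order processing: each answer returns as soon
    as it is ready, independent of the others."""
    return [rtt + s for s in service]

def mean(xs):
    return sum(xs) / len(xs)

SAMPLE_SERVICE_MS = [1, 50, 2, 3]   # constructed: one slow query among fast ones

if __name__ == "__main__":
    for rtt in (1, 35):             # the slides' short and medium RTTs
        for f in (no_pipelining, pipelined_in_order, pipelined_out_of_order):
            print(rtt, f.__name__, mean(f(SAMPLE_SERVICE_MS, rtt)))
```

With the 35 ms RTT the three strategies complete the four queries after (36, 121, 158, 196), (36, 85, 85, 85) and (36, 85, 37, 38) ms respectively: pipelining removes the serial round trips, and out-of-order processing additionally stops the one slow query from dragging the fast ones down with it.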

  18. End-to-End Latency: Methodology
  • controlled experiments are hard
    – variable stub query timing
    – caching at recursive resolver
    – different RTTs (many stubs and authoritatives)
  • approach: model expected latency
    – i.e., just averages
    – median connection reuse from trace replay
    – other parameters from experiments

  19. End-to-End Latency: Results
  protocol choices: stub-recursive and recursive-authoritative
  method: modeling; vary stub-recursive RTT; assumes all optimizations (TCP FO, TLS resumption, pipelining, OOOP)
  (graph shows expected values, plus slowdown relative to case (a), UDP/UDP)
  TLS (s-r, 60s t.o.) + UDP (r-a) 5 to 34% slower: modest cost -> most benefit

  20. Our Goals
  • DNS protocol changes
    – encouraging TCP
    – STARTTLS add TLS
  • implementation choices for good performance
  • performance study to confirm costs
    – client latency: only modestly more
    – server memory: well within current hardware

  21. T-DNS Implementation Project Recap
  • Aim: Running T-DNS code!
  • People: Verisign Labs, Sinodun, NLnet Labs, getdns team, USC-ISI, …
  • Implementation Website: https://portal.sinodun.com/wiki/display/TDNS/T-DNS+Project+Homepage
  • Past Presentations:
    – DNSE at IETF89: http://www.ietf.org/proceedings/89/slides/slides-89-dnse-3.pdf
    – DNS-OARC Spring 2014 Workshop: https://indico.dns-oarc.net//contributionDisplay.py?contribId=11&confId=19

  22. Implementation Status
  • initial prototyping
    – http://www.isi.edu/ant/software/index.html
    – digit: t-DNS client queries
    – (also client and server-side proxies; supports full protocol and cert authentication, but not for production use)
  • current phase: targeting production software
    – LDNS (drill) / Unbound / NSD (NLnet Labs)
    – getdns (http://getdnsapi.net/)
  • next phase includes BIND
  • implementation notes
    – current code uses only dummy query (qname=STARTTLS, CH/TXT) to negotiate
      • use of TO bit pending IANA allocation
    – TLS-1.1 or better only (not SSL) as per UTA BCP
    – work-in-progress, still to do: certificate authentication

  23. Performance and Functionality
  • current focus: functionality
    – T-DNS (TLS)
    – TCP Fast open (reduces latency)
    – TCP connection re-use, and pipelining
    – query reordering (out-of-order processing)
