dns privacy
play

DNS Privacy dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com - PowerPoint PPT Presentation

Feb 09, 2024 •417 likes •1.06k views

DNS Privacy dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com RMLL, Saint-tienne, France July 2017 Overview The problem: Why Internet privacy and DNS Privacy are

  1. DNS Privacy dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com RMLL, Saint-Étienne, France July 2017

  2. Overview • The problem: Why Internet privacy and DNS Privacy are important (DNS leakage) • Recent Progress: Chart progress during last 3-4 years (DPRIVE) in open standards and open source software • Where are we now? Present current status and tools DNS Privacy @ RMLL July 2017 2

  3. 
 IETF Open Standards and Privacy March 2011 I-D: Privacy Considerations for Internet Protocols (IAB) Snowdon What timing! June 2013 revelations RFC6973: Privacy Considerations for Internet Protocols July 2013 RFC7258 : Pervasive Monitoring is an Attack: 
 “ PM is an attack on the privacy of Internet users May 2014 and organisations .” DNS Privacy @ RMLL July 2017 3

  4. DNS Privacy - A brief history DNS Privacy @ RMLL July 2017 4

  5. DNS is part of the Internet ‘leaky boat’ problem DNS Privacy @ RMLL July 2017 5

  6. DNS Privacy (in 2013) • DNS is 30 year old! [RFC1034/5 (1987)] • Original design: availability, redundancy and speed! • DNS is an ‘enabler’ • DNS standards: DNS sent in clear text • UDP (99% of traffic to root) NSA: MORECOWBELL • TCP only for ‘fallback’ (pre 2010) • Perception: The DNS is public, right? It is not sensitive/personal information….it doesn’t need to be protected/encrypted DNS Privacy @ RMLL July 2017 6

  7. DNS Disclosure Example 1 Root Rec Auth for .org Auth for ietf.org DNS Privacy @ RMLL July 2017 7

  8. DNS Disclosure Example 1 Root Rec Auth for .org Auth for Stub ietf.org DNS Privacy @ RMLL July 2017 7

  9. DNS Disclosure Example 1 Root Rec Auth for .org Auth for Stub Recursive ietf.org DNS Privacy @ RMLL July 2017 7

  10. DNS Disclosure Example 1 Root Rec Auth for .org Auth for Stub Recursive ietf.org Authoritative DNS Privacy @ RMLL July 2017 7

  11. DNS Disclosure Example 1 Root Rec Auth for .org Auth for ietf.org DNS Privacy @ RMLL July 2017 7

  12. DNS Disclosure Example 1 Root Rec datatracker.ietf.org Auth for .org Auth for ietf.org DNS Privacy @ RMLL July 2017 7

  13. DNS Disclosure Example 1 datatracker.ietf.org Root Rec datatracker.ietf.org Auth datatracker.ietf.org for .org Auth for ietf.org datatracker.ietf.org DNS Privacy @ RMLL July 2017 7

  14. DNS Disclosure Example 1 datatracker.ietf.org datatracker.ietf.org Leak information Root Rec datatracker.ietf.org Auth datatracker.ietf.org datatracker.ietf.org for .org Auth for ietf.org datatracker.ietf.org DNS Privacy @ RMLL July 2017 7

  15. EDNS0 problem • RFC6891 (2013): Extension Mechanisms for DNS (EDNS0) Intended to enhance DNS protocol capabilities • But…. mechanism enabled addition of end-user data into DNS queries (non-standard options) 8 DNS Privacy @ RMLL July 2017

  16. EDNS0 problem • RFC6891 (2013): Extension Mechanisms for DNS (EDNS0) Intended to enhance DNS protocol capabilities • But…. mechanism enabled addition of end-user data into DNS queries (non-standard options) ISP justification: Parental Filtering (per user) CDN justification: Faster content (geo location) 8 DNS Privacy @ RMLL July 2017

  17. DNS Disclosure Example 2 Parental Filtering ietf.org ? [00:00:53:00:53:00] Auth Rec Stub CPE [User src address] MAC address or id in DNS query DNS Privacy @ RMLL July 2017 9

  18. DNS Disclosure Example 2 Parental Filtering CDN Geo-location ietf.org ? ? ietf.org ? [00:00:53:00:53:00] [192.168.1] Auth Rec Stub CPE [User src address] Client Subnet (RFC7871) MAC address or id contains source subnet in DNS query in DNS query DNS Privacy @ RMLL July 2017 9

  19. DNS Disclosure Example 2 Auth Rec Stub CPE Even behind a NAT, Even behind a recursive do do not have not have anonymity! anonymity! DNS Privacy Tutorial @ IETF 97 Nov 2016, Seoul 10

  20. DNS Disclosure Example 2 afnic.fr ? parisinfo.com ? dnsreactions.tumblr.com? Auth Rec Stub CPE Even behind a NAT, Even behind a recursive do do not have not have anonymity! anonymity! DNS Privacy Tutorial @ IETF 97 Nov 2016, Seoul 10

  21. DNS Disclosure Example 2 afnic.fr ? afnic.fr ? parisinfo.com ? parisinfo.com ? dnsreactions.tumblr.com? dnsreactions.tumblr.com? Auth Rec Stub CPE Even behind a NAT, Even behind a recursive do do not have not have anonymity! anonymity! DNS Privacy Tutorial @ IETF 97 Nov 2016, Seoul 10

  22. 
 DNS: It’s not just for names • MX records (email domain) • SRV records (services) • OPENPGPKEY (email addresses) • …this is only going to increase…. 
 DNS Privacy @ RMLL July 2017 11

  23. 
 DNS: It’s not just for names • MX records (email domain) • SRV records (services) • OPENPGPKEY (email addresses) • …this is only going to increase…. 
 DNS Privacy @ RMLL July 2017 11

  24. DNS Disclosure Example 3 • (AUTH) Who monitors or has access here ISP/ government/NSA/Passive DNS? • (AUTH) Does my ISP sell my (anonymous) data? • (UNAUTH) How safe is this data? Root Rec Auth for .org • When at home… • When in a coffee shop… DNS Privacy @ RMLL July 2017 12

  25. DNS Disclosure Example 3 • (AUTH) Who monitors or has access here ISP/ Who monitors or has government/NSA/Passive DNS? access here? • (AUTH) Does my ISP sell my (anonymous) data? • (UNAUTH) How safe is this data? Root Rec Auth for .org • When at home… • When in a coffee shop… Who monitors or has access here? DNS Privacy @ RMLL July 2017 12

  26. DNS - leakage • Basic problem is leakage of meta data • Allows fingerprinting and re-identification of individuals • Even without user meta data traffic analysis is possible based just on timings and cache snooping • Operators see (and log) your 
 DNS queries DNS Privacy Tutorial @ IETF 97 13 Nov 2016, Seoul

  27. DNS - leakage • Basic problem is leakage of meta data • Allows fingerprinting and re-identification of individuals • Even without user meta data traffic analysis is possible based just on timings and cache snooping • Operators see (and log) your 
 DNS queries DNS Privacy Tutorial @ IETF 97 13 Nov 2016, Seoul

  28. 
 
 DNS Risk Matrix In-Flight At Rest Risk Stub => Rec Rec => Auth At 
 At 
 Recursive Authoritative Passive Monitoring Active Monitoring Other Disclosure Risks e.g. Data breaches DNS Privacy @ RMLL July 2017 14

  29. DPRIVE WG et al. DNS Privacy @ RMLL July 2017 15

  30. 
 IETF DPRIVE WG • DPRIVE WG create in 2014 
 Charter: Primary Focus is Privacy 
 for Stub to recursive Why not tackle whole problem? • • Don’t boil the ocean, stepwise solution • Stub to Rec reveals most information • Rec to Auth is a particularly hard problem DNS Privacy @ RMLL July 2017 16

  31. Problem statement: RFC 7626 DNS Privacy Considerations: 
 Expert coverage of risks throughout DNS ecosystem • Rebuts “alleged public nature of DNS data” • The data may be public, but a DNS 
 ‘ transaction ’ is not/should not be. “A typical example from outside the DNS world is: the web site of Alcoholics Anonymous is public; the fact that you visit it should not be.” DNS Privacy @ RMLL July 2017 17

  32. Stub/Rec Encryption Options Pros Cons • Port 53 • Downgrade attack on negotiation • Known technique • Port 53 - middleboxes blocking? STARTTLS • Incrementation deployment • Latency from negotiation • New DNS port 
 TLS • New port assignment (no interference with port 53) • Scalability? (new port) • Existing implementations • Truncation of DNS messages • UDP based DTLS (just like UDP) • Not as widely used/ ➡ Fallback to TLS or clear text (new port) deployed ❌ Can’t be standalone solution DNS Privacy @ RMLL July 2017 18

  33. Stub/Rec Encryption Options Pros Cons • Port 53 • Downgrade attack on negotiation • Known technique • Port 53 - middleboxes blocking? STARTTLS • Incrementation deployment • Latency from negotiation • New DNS port 
 TLS • New port assignment (no interference with port 53) • Scalability? (new port) • Existing implementations • Truncation of DNS messages • UDP based DTLS (just like UDP) • Not as widely used/ ➡ Fallback to TLS or clear text (new port) deployed ❌ Can’t be standalone solution DNS Privacy @ RMLL July 2017 18

  34. Stub/Rec Encryption Options Pros Cons • Port 53 • Downgrade attack on negotiation • Known technique • Port 53 - middleboxes blocking? STARTTLS • Incrementation deployment • Latency from negotiation • New DNS port 
 TLS • New port assignment (no interference with port 53) • Scalability? (new port) • Existing implementations • Truncation of DNS messages • UDP based DTLS (just like UDP) • Not as widely used/ ➡ Fallback to TLS or clear text (new port) deployed ❌ Can’t be standalone solution DNS Privacy @ RMLL July 2017 18

  35. Encrypted DNS ‘TODO’ list 1. Get a new port 2. DNS-over-TCP/TLS: Address issues in standards and implementations 3. Tackle authentication of DNS servers (bootstrap problem) 4. What about traffic analysis of encrypted traffic - msg size & timing still tell a lot! DNS Privacy @ RMLL July 2017 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies US Privacy Laws Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Privacy 1 Privacy The original

725 views • 45 slides
Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is

1.01k views • 76 slides
Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in many ways over the years. Usually privacy is concerned with the individual human being. We may talk about privacy as the control over your own

230 views • 21 slides
Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy Commissioner of Ontario https://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf Privacy by Design Let's have it! Article 25 European

1.32k views • 118 slides
Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy. College Bescherming Persoonsgegevens (CBP) What is privacy? Users must be able to determine for themselves when, how, to what extent and

798 views • 45 slides
Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

ECE598NB Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics Course Structure Privacy Define privacy Privacy History Privacy has always existed Cities / large populations have made

173 views • 14 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor October 29, 2013 y & c S a e v c i u r P r i t e y l b L a a s

245 views • 20 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor November 11, 2014 y & c S a e v c i u r P r i t e y l b L a a s

555 views • 21 slides
Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy Alexandra Wood Berkman Klein Center for Internet & Society at Harvard University DIMACS/Northeast Big Data Hub Workshop on Overcoming Barriers to

964 views • 54 slides
Privacy and Anonymity 1 Privacy Privacy and society Basic individual right & desire

Privacy and Anonymity 1 Privacy Privacy and society Basic individual right & desire

CS 134 Privacy and Anonymity 1 Privacy Privacy and society Basic individual right & desire (Image from geekologie.com) Relevant to corporations & government agencies Recently increased awareness However, general public

171 views • 16 slides
PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches

PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches

Marc Langheinrich: Privacy in Ubiquitous Computing 5/29/2010 Todays Menu PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches COMPUTING Definitions Challenges 1. History and legal aspects 1.

264 views • 13 slides
Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location

Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location

Mobile Networks - Module H2 Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; privacy preserving routing in ad hoc networks; Slides adapted from Security and

909 views • 55 slides
Privacy and Quaero's Quest for the Perfect Search Engine: Threats and Opportunities Michael

Privacy and Quaero's Quest for the Perfect Search Engine: Threats and Opportunities Michael

Privacy and Quaero's Quest for the Perfect Search Engine: Threats and Opportunities Michael Zimmer, PhD Fellow, Information Society Project Yale Law School Privacy and Quaero's Quest for the Perfect Search Engine: Threats and Opportunities

643 views • 27 slides
DNS Privacy EDU Tutorial dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com IETF 99

DNS Privacy EDU Tutorial dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com IETF 99

DNS Privacy EDU Tutorial dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com IETF 99 Prague, July 2017 Overview The problem: Why Internet privacy and DNS Privacy are important (DNS

916 views • 89 slides
SEEKING Healthy Kids and Families! QTIP Conference Call November 18, 2014 AnMed Health

SEEKING Healthy Kids and Families! QTIP Conference Call November 18, 2014 AnMed Health

SEEKING Healthy Kids and Families! QTIP Conference Call November 18, 2014 AnMed Health Childrens Healthcare Center Staff Carolina Pediatrics Staff Little River Medical Center Staff With Kristine Hobbs Staff to All Agenda Why SEEK?

506 views • 9 slides
THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous ,

THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous ,

THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous , the concept, God as you understand Him including everyone. In 2017 not so much How Many Atheists are there? (last updated May 31,

400 views • 21 slides
WELCOME Governors Advisory Council on Veterans Services AUGUST 19, 2020 Please ensure all

WELCOME Governors Advisory Council on Veterans Services AUGUST 19, 2020 Please ensure all

WELCOME Governors Advisory Council on Veterans Services AUGUST 19, 2020 Please ensure all microphones remain muted. --We will begin shortly-- > community > commonwealth > country COMMITTEE UPDATES > community >

911 views • 70 slides
DNS Privacy dnsprivacy.org Sara Dickinson Sinodun (Salesforce, NLnet Foundation)

DNS Privacy dnsprivacy.org Sara Dickinson Sinodun (Salesforce, NLnet Foundation)

DNS Privacy dnsprivacy.org Sara Dickinson Sinodun (Salesforce, NLnet Foundation) sara@sinodun.com AFNIC JCSA Paris, France (July 2017) Overview The problem: Why Internet privacy and DNS Privacy are important (DNS

1.02k views • 86 slides
Thank you for joining us! The webinar will begin promptly at 10 am PT. Feel free to introduce

Thank you for joining us! The webinar will begin promptly at 10 am PT. Feel free to introduce

Thank you for joining us! The webinar will begin promptly at 10 am PT. Feel free to introduce yourself in the chat window! Changing Developmental Math from a Gatekeeper to a Bridge: The Promise of New Math Pathways Wednesday, May 18, 2016

867 views • 40 slides
CS400 Problem Seminar Fall 2000 Assignment 3: Distributed Calendar Management Handed out:

CS400 Problem Seminar Fall 2000 Assignment 3: Distributed Calendar Management Handed out:

CS400 Problem Seminar Fall 2000 Assignment 3: Distributed Calendar Management Handed out: Sept. 29, 2000 Due: Oct. 13, 2000 TA: Luke Deqing Chen ( lukechen@cs ) 1 Introduction This fortnights assignment is mainly in systems,

388 views • 14 slides

More recommend