edu tutorial dns privacy
play

EDU Tutorial: DNS Privacy Sara Dickinson Sinodun - PowerPoint PPT Presentation

Aug 28, 2022 •247 likes •821 views

EDU Tutorial: DNS Privacy Sara Dickinson Sinodun sara@sinodun.com EDU Tutorial @ IETF_97 Seoul (Nov 2017) Overview Goal: Give audience historical background on why DNS Privacy is an important topic

  1. 
 EDU Tutorial: DNS Privacy Sara Dickinson Sinodun sara@sinodun.com EDU Tutorial @ IETF_97 Seoul (Nov 2017)

  2. Overview • Goal: • Give audience historical background on why DNS Privacy is an important topic • Chart progress during last 3 years • Present current status and tools DNS Privacy Tutorial @ IETF 97 2 Nov 2016, Seoul

  3. Agenda • Internet Privacy - presented by dkg • DNS Privacy - A brief history • DPRIVE WG et al. • Implementation & deployment today • Meet Stubby - a privacy stub resolver • Ongoing & future work DNS Privacy Tutorial @ IETF 97 3 Nov 2016, Seoul

  4. Internet Privacy Daniel Kahn Gillmor ACLU DNS Privacy Tutorial @ IETF 97 4 Nov 2016, Seoul

  5. DNS Privacy - A brief history DNS Privacy Tutorial @ IETF 97 5 Nov 2016, Seoul

  6. IETF Privacy activity March 2011 I-D: Privacy Considerations for Internet Protocols (IAB) Snowdon revelations June 2013 What timing! RFC6973: Privacy Considerations for Internet Protocols July 2013 RFC7258 : Pervasive Monitoring is an Attack May 2014 August 2015 RFC7624 : Confidentiality in the Face of Pervasive Surveillance: A Threat model and Problem Statement Much other ongoing work….. DNS Privacy Tutorial @ IETF 97 6 Nov 2016, Seoul

  7. RFC 7258 “The IETF community's technical assessment is that PM is an attack on the privacy of Internet users and organisations .” “The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible. “ DNS Privacy Tutorial @ IETF 97 7 Nov 2016, Seoul

  8. DNS Privacy in 2013? • DNS [RFC1034/5 - 1987] - original design availability, redundancy and speed! • DNS standards: DNS sent in clear text => NSA: ‘MORECOWBELL’ • UDP (99% of traffic to root) DNS monitoring • TCP only for ‘fallback’ when UDP MTU exceeded and XFR (support only mandatory from 2010) • Perception: The DNS is public, right? It is not sensitive/personal information….it doesn’t need to be encrypted 8 DNS Privacy Tutorial @ IETF 97 Nov 2016, Seoul

  9. DNS Disclosure Example 1 datatracker.ietf.org datatracker.ietf.org Leak information Root Rec datatracker.ietf.org Auth datatracker.ietf.org datatracker.ietf.org for .org Auth for ietf.org datatracker.ietf.org DNS Privacy Tutorial @ IETF 97 9 Nov 2016, Seoul

  10. DNS Privacy in 2013? • RFC6891 : Extension Mechanisms for DNS (EDNS0) Intended to enhance DNS protocol capabilities • But…. mechanism enabled addition of end-user data into DNS queries (non-standard options) • Client subnet (RFC7871*) CDN justification: Faster content (geo location) • User MAC addresses or 
 ISP justification: Parental Filtering (per device) user name/id * Informational 10 DNS Privacy Tutorial @ IETF 97 Nov 2016, Seoul

  11. DNS Disclosure Example 2 ietf.org ? ? ietf.org ? [00:00:53:00:53:00] [192.168.1] Auth Rec Stub CPE [User src address] Client Subnet option MAC address contains source subnet in DNS query in DNS query DNS Privacy Tutorial @ IETF 97 Nov 2016, Seoul 11

  12. DNS Disclosure Example 2 ietf.org ? conradhotels.hilton.com ? ba.com ? ietfmemes.tumblr.com ? Auth Rec Stub CPE Even behind a NAT, Even behind a recursive do do not have not have anonymity! anonymity! DNS Privacy Tutorial @ IETF 97 Nov 2016, Seoul 12

  13. DNS Disclosure Example 3 Who monitors or has access here? Root Rec Who monitors or has Auth access here? for .org • When at home… • When in a coffee shop… Who monitors or has access here? DNS Privacy Tutorial @ IETF 97 13 Nov 2016, Seoul

  14. DNS - complications • Basic problem is leakage of meta data • Allows re-identification of individuals • But.. legal requirements on providers regarding access to user data (country specific) • Traffic analysis is possible based just on timings and cache snooping • DNS Filtering is becoming more prevalent 
 DNS Privacy Tutorial @ IETF 97 14 Nov 2016, Seoul

  15. 
 
 DNS Risk Matrix In-Flight At Rest Risk Stub => Rec Rec => Auth At 
 At 
 Recursive Authoritative Passive Monitoring Active Monitoring Other Disclosure Risks e.g. Data breaches DNS Privacy Tutorial @ IETF 97 15 Nov 2016, Seoul

  16. Run a local resolver? • Some users chose to run a local resolver on their client machine (e.g. Unbound) for increased privacy • bypass intermediate resolvers • have local DNSSEC validation • But still sending queries in clear text, still querying authoritative servers DNS Privacy Tutorial @ IETF 97 16 Nov 2016, Seoul

  17. DNS Privacy options (2013) • DNSCurve Recursive-Auth • Daniel J. Bernstein, initial interest but not adoption Stub-Recursive • DNSCrypt • Many implementations, several open DNSCrypt Resolvers (OpenDNS), [Yandex browser] 
 • Authentication with some privacy Anti-spoofing, anti DoS • Documented but not standard DNS Privacy Tutorial @ IETF 97 17 Nov 2016, Seoul

  18. 
 
 DNS Privacy options (2014) • DNSTrigger (NLNet Labs) • Client software to enable DNSSEC • Used TLS on port 443 as last ditch attempt to enable DNSSEC • So… there was a DNS-over-TLS implementation in Unbound recursive resolver 
 Goal was DNSSEC, not Privacy! DNS Privacy Tutorial @ IETF 97 18 Nov 2016, Seoul

  19. DPRIVE WG et al. DNS Privacy Tutorial @ IETF 97 19 Nov 2016, Seoul

  20. 
 DPRIVE WG • DPRIVE WG create in 2014 
 Charter: Primary Focus is Stub to recursive Why not tackle whole problem? • • Don’t boil the ocean • Rec to Auth is a particularly hard problem • Step-by-step solution DNS Privacy Tutorial @ IETF 97 20 Nov 2016, Seoul

  21. DNS Privacy problem Relationship: Root 1 to ‘a few’ some of whom are know (ISP) Relationship:1 to many most of whom are not known Rec => Authentication is hard Auth for .org DNS Privacy Tutorial @ IETF 97 21 Nov 2016, Seoul

  22. RFC 7626 - DNS Privacy Considerations Worth a read - many interesting issues here! • Problem statement: Expert coverage of risks throughout DNS ecosystem • Rebuts “alleged public nature of DNS data” • The data may be public, but a DNS ‘transaction’ 
 is not/should not be. “A typical example from outside the DNS world is: the web site of Alcoholics Anonymous is public; the fact that you visit it should not be.” DNS Privacy Tutorial @ IETF 97 22 Nov 2016, Seoul

  23. Choices, choices… • So… we know the problem but what mechanism to use for encrypting DNS? • STARTTLS • TLS Drafts submitted on all these solutions to the working group • DTLS • Confidential DNS draft DNS Privacy Tutorial @ IETF 97 23 Nov 2016, Seoul

  24. Encryption Options Pros Cons • Port 53 • Downgrade attack on negotiation • Known technique • Port 53 - middleboxes blocking? STARTTLS • Incrementation deployment • Latency from negotiation • New DNS port 
 TLS • New port assignment (no interference with port 53) • Scalability? (new port) • Existing implementations • Truncation of DNS messages • UDP based DTLS (just like UDP) • Not as widely used/ ➡ Fallback to TLS or clear text (new port) deployed ❌ Can’t be standalone solution DNS Privacy Tutorial @ IETF 97 24 Nov 2016, Seoul

  25. Encrypted DNS ‘TODO’ list Get a new port • DNS-over-TLS: Address issues with DNS- • over-TCP in standards and implementations Tackle authentication of DNS Privacy • servers What about traffic analysis of encrypted • traffic (padding, etc.) DNS Privacy Tutorial @ IETF 97 25 Nov 2016, Seoul

  26. Get a new port! Oct 2015 - 853 is the magic number • Your request has been processed. We have assigned the following system port number as an early allocations per RFC7120, with the DPRIVE Chairs as the point of contact: domain-s 853 tcp DNS query-response protocol run over TLS/DTLS domain-s 853 udp DNS query-response protocol run over TLS/DTLS DNS Privacy Tutorial @ IETF 97 26 Nov 2016, Seoul

  27. DNS + TCP/TLS? TCP/TLS is a new challenge for DNS operators • DNS-over-TCP history: • • typical DNS clients do ‘one-shot’ TCP • DNS servers have very basic TCP capabilities • No attention paid to TCP tuning, robustness • Performance tools based on one-shot TCP 
 DNS Privacy Tutorial @ IETF 97 27 Nov 2016, Seoul

  28. Fix DNS-over-TCP/TLS Goal How? TFO Fast Open Optimise set up & TLS session resumption resumption [TLS 1.3] RFC7766 (bis of RFC5966) - March 2016: Client pipelining (not one-shot!), Amortise cost of Server concurrent processing, TCP/TLS setup Out-of-order responses 
 RFC7858: Persistent connections (Keepalive) Servers handle many connections Learn from HTTP world! robustly DNS Privacy Tutorial @ IETF 97 28 Nov 2016, Seoul

  29. Performance (RFC7766) Client - pipeline requests, keep connection open and handle out-of-order response Server - concurrent processing of requests sending of out of order responses in-order concurrent, OOOR R A R A q1, q2 q1 q1, q2 q1 q2 q2 q2 delayed waiting for q1 0 extra a2 (+1 RTT) RTT a1 a1 reply as soon stub as possible a2 29 DNS Privacy Tutorial @ IETF 97 Nov 2016, Seoul

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

I nternet Privacy and P3 P WWW10 Tutorial May 1, 2001 Marc Langheinrich ETH Zurich,

I nternet Privacy and P3 P WWW10 Tutorial May 1, 2001 Marc Langheinrich ETH Zurich,

I nternet Privacy and P3 P WWW10 Tutorial May 1, 2001 Marc Langheinrich ETH Zurich, Switzerland www.inf.ethz.ch/~langhein/ Outline Part I WWW10 Tutorial May 1, 2001 ! What is Privacy? ! Solutions Definitions Privacy

1.59k views • 143 slides
DNS Privacy EDU Tutorial dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com IETF 99

DNS Privacy EDU Tutorial dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com IETF 99

DNS Privacy EDU Tutorial dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com IETF 99 Prague, July 2017 Overview The problem: Why Internet privacy and DNS Privacy are important (DNS

916 views • 89 slides
A Short Tutorial on Differential Privacy Borja Balle Amazon Research Cambridge The Alan Turing

A Short Tutorial on Differential Privacy Borja Balle Amazon Research Cambridge The Alan Turing

A Short Tutorial on Differential Privacy Borja Balle Amazon Research Cambridge The Alan Turing Institute January 26, 2018 Outline 1. We Need Mathematics to Study Privacy? Seriously? 2. Differential Privacy: Definition, Properties and Basic

868 views • 75 slides
ICANN Tutorial Tutorial Agenda Who am I ? History 5-7 years ago Current day

ICANN Tutorial Tutorial Agenda Who am I ? History 5-7 years ago Current day

Changes in the expiry process ICANN Tutorial Tutorial Agenda Who am I ? History 5-7 years ago Current day practices How it effects: RGP UDRP Transfers Registrar Silos Privacy Services Renewal practices

248 views • 22 slides
5. Simulate the n-bit modular adder/subtracter architecture The modular adder/subtracter performs

5. Simulate the n-bit modular adder/subtracter architecture The modular adder/subtracter performs

Summer School on Real-world Crypto and Privacy Hardware tutorial June 14, 2018, ibenik, Croatia Nele Mentens (KU Leuven) Pedro Maat Costa Massolino (Radboud University) TUTORIAL INSTRUCTIONS In this tutorial, we will design and simulate a

74 views • 4 slides
CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong Applying Differential Privacy Real world deployments of differential privacy OnTheMap RAPPOR Module 4 Tutorial: Differential Privacy in the Wild

617 views • 30 slides
A Tutorial on Techniques for Scalable Privacy-preserving Record Linkage Peter Christen 1 ,

A Tutorial on Techniques for Scalable Privacy-preserving Record Linkage Peter Christen 1 ,

A Tutorial on Techniques for Scalable Privacy-preserving Record Linkage Peter Christen 1 , Vassilios Verykios 2 , and Dinusha Vatsalan 1 1 Research School of Computer Science, ANU College of Engineering and Computer Science, The Australian

1.7k views • 101 slides
Location Privacy CompSci 590.03 Instructor: Ashwin Machanavajjhala Some slides are from a

Location Privacy CompSci 590.03 Instructor: Ashwin Machanavajjhala Some slides are from a

news.consumerreports.org Location Privacy CompSci 590.03 Instructor: Ashwin Machanavajjhala Some slides are from a tutorial by Mohamed Mokbel (ICDM 2008) Lecture 19: 590.03 Fall 12 1 Outline Location based services Location Privacy

920 views • 46 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies US Privacy Laws Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Privacy 1 Privacy The original

725 views • 45 slides
Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is

1.01k views • 76 slides
Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in many ways over the years. Usually privacy is concerned with the individual human being. We may talk about privacy as the control over your own

230 views • 21 slides
Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy Commissioner of Ontario https://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf Privacy by Design Let's have it! Article 25 European

1.32k views • 118 slides
Zajmavosti ze systmovho programovn Pavel imerda pavlix@pavlix.net C API File I/O

Zajmavosti ze systmovho programovn Pavel imerda pavlix@pavlix.net C API File I/O

Zajmavosti ze systmovho programovn Pavel imerda pavlix@pavlix.net C API File I/O Lets start with shell Use cat to read a file Use strace to trace the syscalls Use ltrace to trace the library calls Call ANSI

189 views • 16 slides
System-Level I/O 15-213: Introduc0on to Computer Systems

System-Level I/O 15-213: Introduc0on to Computer Systems

Carnegie Mellon System-Level I/O 15-213: Introduc0on to Computer Systems 14 th Lecture, Oct. 12, 2010 Instructors: Randy Bryant and Dave OHallaron 1

517 views • 47 slides
BioLinux on HPC Bio: Jenny Wu jiew5@uci.edu Linux: Harry Mangalam harry.mangalam@uci.edu

BioLinux on HPC Bio: Jenny Wu jiew5@uci.edu Linux: Harry Mangalam harry.mangalam@uci.edu

BioLinux on HPC Bio: Jenny Wu jiew5@uci.edu Linux: Harry Mangalam harry.mangalam@uci.edu Linux: Adam Brenner aebrenne@uci.edu Good Judgment comes from Experience Experience comes from Bad Judgment Before We Begin You know Linux at a

1.06k views • 68 slides
CSSE132 Introduc0on to Computer Systems 28 : System I/O

CSSE132 Introduc0on to Computer Systems 28 : System I/O

Adapted from Carnegie Mellon 15-213 CSSE132 Introduc0on to Computer Systems 28 : System I/O April 25, 2013 1 Today Unix I/O RIO package

632 views • 45 slides
Linking People in Videos with Their Names Using Coreference Resolution Vignesh Ramanathan, Armand

Linking People in Videos with Their Names Using Coreference Resolution Vignesh Ramanathan, Armand

Linking People in Videos with Their Names Using Coreference Resolution Vignesh Ramanathan, Armand Joulin, Percy Liang, and Li Fei-Fei Stanford University Images from Ramanathan et al. (2014) Yukun Zhu CSC2523 1 / 17 Task Missy points to the

459 views • 31 slides
Programming Languages Third Edition Chapter 7 Basic Semantics Objectives Understand

Programming Languages Third Edition Chapter 7 Basic Semantics Objectives Understand

Programming Languages Third Edition Chapter 7 Basic Semantics Objectives Understand attributes, binding, and semantic functions Understand declarations, blocks, and scope Learn how to construct a symbol table Understand name

1k views • 96 slides
Vytautas Valancius, Nick Feamster, Akihiro Nakao, and Jennifer Rexford Cloud computing is on

Vytautas Valancius, Nick Feamster, Akihiro Nakao, and Jennifer Rexford Cloud computing is on

Vytautas Valancius, Nick Feamster, Akihiro Nakao, and Jennifer Rexford Cloud computing is on the rise Provides computing resources and storage in cloud data centers Hosting on the steroids for Internet services 2 ISP1 Hosted

368 views • 21 slides
Seamless Mobility over ICN Ravi Ravindran (ravi.ravindran@huawei.com) FG-IMT 2020, Demo Day

Seamless Mobility over ICN Ravi Ravindran (ravi.ravindran@huawei.com) FG-IMT 2020, Demo Day

Seamless Mobility over ICN Ravi Ravindran (ravi.ravindran@huawei.com) FG-IMT 2020, Demo Day Geneva, Dec, 2016 Outline Mobility Objectives Current Approach 5G-ICN Architecture AI/NI Name Space Split in ICN ICN Mobility

686 views • 14 slides

More recommend