The Camel’s Back: Recursive to Authoritative DNS with Encryption
With the mushrooming deployment of encrypted DNS transport protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT), one might be seduced into thinking that in-flight confidentiality of DNS queries is a problem done and dusted. A comprehensive modeling of the security threats, however, reveals otherwise.
In a talk at the DNS Privacy Workshop 2021, Daniel Kahn Gillmor likened DNS Privacy to armour for a camel. DoH and DoT provide confidentiality for DNS queries going from a user to a recursive resolver, and only cover the front half of the camel’s body. Recursive resolvers, on the other hand, send these queries to authoritative servers in a way largely unshielded from onlookers.
Motivated attackers monitoring plaintext traffic between a recursive resolver and an authoritative server can still make sensitive inferences about a user’s online activity. For instance, on-path observers can correlate the timing of a user’s encrypted query (to a recursive resolver) with the consequent unencrypted query (from the recursive resolver to an authoritative server), and easily draw conclusions about what websites the user is browsing.
At the very least, this unencrypted and unauthenticated communication allows for attackers to intercept or modify responses to queries, and pretend to be the authoritative server. As Gillmor put it, it is time for the IETF to explore how to armour “the back half of the camel”.
(Interestingly, this is not the first time someone has called the DNS a camel. In 2008, Bert Hubert decried the increasing complexity of DNS records, and worried that adding another feature to the DNS will be the straw that breaks the camel’s back. Further back in history though, Randy Bush raised similar issues in 2000 and asked if the IETF was “overloading the saddlebags on an old horse”. Observing this gradual change in metaphor, one may be tempted to conclude that a camel is a horse designed by an IETF working group.)
While there have been conversations about encrypting recursive to authoritative DNS queries since 2019, the DNS Privacy Exchange (DPRIVE) working group only adopted a concrete proposal in February 2021. At the meeting of the working group at IETF110, Peter van Dijk presented this proposal, Recursive to Authoritative DNS with Encryption, which describes a way for recursive resolvers to discover whether authoritative servers support encrypted DNS. This is achieved simply by checking for the existence of a DNS TLSA record for an authoritative server, which specifies the keys to be used for that domain’s TLS server.
The Internet Draft outlines a protocol supporting two use cases. The first, fully-authenticated encryption, is for recursive resolvers that only want to send encrypted queries, and therefore fail if they cannot succeed in contacting an authoritative server using an encrypted connection. The second use case is based on the principle of opportunistic security, i.e. some protection is preferred even if full protection all the time is not possible or available. In this case, recursive resolvers support encrypted queries to authoritative servers, but may not always default to it or enforce it.
A key factor that can influence the deployment of the proposal is likely to be the level of control that authoritative servers are afforded in how they signal support for encryption.
The proposal is already facing pushback from operators of root servers. In a statement issued on March 30, they questioned the benefits of encrypting queries to root name servers. This is understandable, given that the privacy risk of an exposed query to a root server is much lower than that of a query to an authoritative server for second level domains.
The statement goes on to say that switching from unencrypted stateless protocols (UDP) to connection-based encrypted protocols (like TLS) will create an undesirable performance overhead. They also contend that the additional network and computation costs will make the servers more vulnerable to denial-of-service attacks.
Commenting on the statement, Daniel Kahn Gillmor told CENTR: “While it's disappointing that the root server operators don't have the technical capacity to deploy any of the standardized encrypted DNS mechanisms in the near future, I was pleased to see their strong endorsements of QNAME minimization and aggressive DNSSEC caching, both of which provide substantial additional privacy benefits to users and domains alike”.
Gillmor added that, “it seems fitting that the root server operators are willing to follow the leadership of other segments of the DNS hierarchy in deploying encrypted authoritative DNS”.
Lower in the hierarchy, amongst authoritative servers for second level domains, there still does not seem to be a clear consensus about the viability of the proposal. The following few months will tell us whether performance concerns will trump the need for greater security and privacy. For, sometimes, it is easier for a camel to go through the eye of a needle than for a security-enhancing solution to gain popular deployment.
This article was written for CENTR by Gurshabad Grover, a technologist and legal researcher based in Bangalore, India, where he is Senior Researcher at the Centre for Internet and Society. His writing focuses on network security, privacy and censorship.