The Domain Name System (DNS) is a plain-text service that lets anyone who can see “the wire” capture a user's DNS traffic and work out whether they're asking for naughty.com or nice.com. So to help enhance its privacy, a group of researchers has proposed a more private design they call “Oblivious DNS”.
However, as the group explained here, even encrypted DNS (for example, DNS over TLS) is still exposed at the recursive resolver (that is, the DNS component most directly connected to the client), because that server decrypts the user request so it can fetch the IP address of the site the user wants.
In other words, whether you use your ISP's resolver, or one provided by a third party like Google or Cloudflare, at some point you have to trust the resolver with your DNS requests.
[...] To get around this, Oblivious DNS is designed to operate without any change to the existing DNS. As its designers write, it “allows current DNS servers to remain unchanged and increases privacy for data in motion and at rest”.
Instead, it introduces two infrastructure components that would be deployed alongside current systems: a resolver “stub” between the recursive resolver and the client; and a new authoritative name server, .odns, at the same level in the hierarchy as the root and TLD servers (see image).
In this model:
- The stub server accepts the user query ("what's the IP address of foo.com?"), and encrypts it with a session key/public key combination;
- The recursive name server receives the request (with .odns appended) and the session key, both encrypted;
- The .odns suffix tells the resolver to pass the request up to the ODNS authoritative server, which decrypts the request and acts as a recursive resolver (that is, it passes requests up the DNS hierarchy in the normal fashion);
- The ODNS encrypts the response and passes it back down to the stub, which sends the response to the client.
The authors explained that this decouples the user's identity from their request.
The recursive resolver a user connects to knows the IP address of the user, but not the query; while the ODNS resolver can see the query, but only knows the address of the recursive resolver the user connects to, not the user.
Similarly, an attacker with access to a name server never sees the user's IP address, because the request is coming from the ODNS server.
The group has posted a conference presentation from late March here [PDF], and emphasises that Oblivious DNS is a “work in progress”.
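The four-step flow and the decoupling claim above, as an added simulation in Go that is not the paper's or the article's code: one program plays the stub, the recursive resolver and the ODNS authority in turn, and records what each hop could see. The article does not say how the session key is wrapped under the ODNS public key, so X25519 key agreement plus AES-256-GCM is assumed in its place; the zone data, the addresses, and the names RunODNS, Trace and NewKey are constructed for the example, and the stub's ephemeral public key is handed over in-process rather than carried on the wire.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
)

var zone = map[string]string{"foo.com.": "203.0.113.7"} // constructed; stands in for the real DNS walk
type Trace struct{ RecursiveSawName, RecursiveSawIP, ODNSSawName, ODNSSawIP, Answer string } // per-hop view
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding) // A-Z2-7 is label-safe; DNS ignores case
// NewKey makes an X25519 key: the ODNS server's long-term key, or the stub's per-query one.
func NewKey() *ecdh.PrivateKey { k, _ := ecdh.X25519().GenerateKey(rand.Reader); return k }
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// seal/open: AES-256-GCM with the random nonce prepended; open fails under the wrong key.
func seal(key, pt []byte) []byte {
	g := gcm(key); n := make([]byte, g.NonceSize()); rand.Read(n)
	return g.Seal(n, n, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key); n := g.NonceSize()
	return g.Open(nil, ct[:n], ct[n:], nil)
}

// sessionKey = SHA-256(X25519 shared secret); an assumption standing in for the paper's key wrapping.
func sessionKey(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) []byte {
	s, _ := priv.ECDH(pub); k := sha256.Sum256(s); return k[:]
}

// RunODNS plays the stub, the recursive resolver and the ODNS authority in turn.
func RunODNS(clientIP, qname string, odnsPriv *ecdh.PrivateKey) (t Trace, err error) {
	// 1. Stub: per-query key -> session key; encrypt the name and append .odns so the unchanged resolver routes it up.
	eph := NewKey(); k := sessionKey(eph, odnsPriv.PublicKey()) // eph's public half rides along with the query
	wire := b32.EncodeToString(seal(k, []byte(qname))) + ".odns."
	// 2. Recursive resolver: sees the client IP but only an opaque label; forwards from its own IP.
	t.RecursiveSawName, t.RecursiveSawIP = wire, clientIP
	// 3. ODNS authority: recover the session key, decrypt, resolve, encrypt the answer.
	ct, _ := b32.DecodeString(wire[:len(wire)-len(".odns.")])
	ko := sessionKey(odnsPriv, eph.PublicKey())
	name, err := open(ko, ct)
	if err != nil { return t, err }
	t.ODNSSawName, t.ODNSSawIP = string(name), "198.51.100.1" // constructed resolver address
	// 4. Stub decrypts the reply with its own copy of the session key and answers the client.
	ans, err := open(k, seal(ko, []byte(zone[string(name)]))); t.Answer = string(ans)
	return t, err
}
```

One practical constraint the simulation makes visible: a DNS label is at most 63 octets, and the nonce and tag add 28 bytes before encoding, so even `foo.com.` becomes a 58-character label and longer names would have to be split across several labels.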
(Score: 3, Interesting) by bradley13 on Wednesday April 11 2018, @12:22PM (5 children)
It's a clever idea, since it avoids any changes to existing infrastructure. However, it seems to me that there are two weaknesses:
- First, at the first recursive name server, when .odns is appended - the anonymity of the users depends on their queries being lost in the masses. There need to be a lot of users and a lot of queries.
- Second, the duplicate .odns name servers - are these going to become a bottleneck?
Everyone is somebody else's weirdo.
(Score: 2) by zocalo on Wednesday April 11 2018, @02:47PM
UNIX? They're not even circumcised! Savages!
(Score: 2) by KiloByte on Wednesday April 11 2018, @03:55PM
The first name server sits on ::1, which can't possibly reduce your security (if it gets pwned, your browser is pwned too).
Ceterum censeo systemd esse delendam.
(Score: 3, Interesting) by bob_super on Wednesday April 11 2018, @04:44PM (2 children)
- Third: Your ISP wants to monetize you. Without Net Neutrality, they can block the IP of any DNS that is not theirs ("for security reasons" or "just because we can, and you have no choice").
(Score: 2) by frojack on Wednesday April 11 2018, @06:52PM (1 child)
Except they don't, which suggests they know they can't.
https://inpropriapersona.com/articles/making-dns-work-isp-blocks-port-53/ [inpropriapersona.com]
No, you are mistaken. I've always had this sig.
(Score: 2) by bob_super on Wednesday April 11 2018, @07:26PM
> my ISP (which happens to be my university, since I’m on their network)
Yes, because a university is totally the same thing as Comcast, next month as soon as the rules are in effect, blocking whatever the [bleep] they feel like for maximum profit.
If Comcast says "we'll block all alternative DNS providers, you must use ours", 99% of their customers will either not realize or not be able to do anything about it. Whether they'll bother to play cat-and-mouse with seemingly random IPs having traffic that looks like encrypted DNS packets is the question.