-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add support for pure randomization of DNS upstream server #95
Comments
Hi @monperrus, thanks for the request. I'm not saying we won't add this feature (we probably will) but I'd like to see more research on the threat analysis of spreading queries across multiple servers and how that varies with the number of servers. Without a sophisticated algorithm based on the query content then I think in the end, you either trust a server you are using to see some or all of your queries, or you don't.... |
One argument is that over time (days, weeks) any resolver you use (either in round robin or with a
random distribution) will likely acquire enough information about an end user to profile that user
because over time it will see the entire query profile (we are creatures of habit and tend to
visit the same sites).
Excellent point. I've never considered this.
What's the best solution then, deterministic sharding based on domain names? (based on first letter?
on hash?)
|
Sadly I don't have a clear answer for you at the moment apart from to limit your server selection to only those you trust to see all your queries... it is possible that a resolver that sees just a slice of your DNS queries could generate a profile based on correlating looks ups (if they cared enough). As an aside.... This is one of the arguments for using DNS-over-HTTPS (DoH) within browser tabs: if you do all the DNS lookups for a site to the DNS resolver of that site then you don't leak anything they don't already know. Also - have you seen the proposal for Oblivious DNS? It seems we need something like this to have technical solution for end-to-end privacy for DNS. |
@saradickinson That would be a solution for web browser, but not all DNS traffic is web browser-generated. ;) ODNS OTOH looks promising, but they are missing encryption of the answer (at least in their abstract). |
BTW - I believe there will be an IETF I-D submitted soon on ODNS for discussion in DPRIVE. |
I'm not sure to understand. AFAIU, with DoH, all your traffic goes to the same server, which itself may be compromised. Could you elaborate on what you mean by "if you do all the DNS lookups for a site to the DNS resolver of that site"? |
@monperrus After some bit of thinking, I’m not sure anymore what @saradickinson has in mind here. I first thought that the idea would be to ask the DNS authoritative server of the website directly, but this suppose already knowing it, which could be done using qname-minimization to reduce leaked information. But then you’re not using a STUB resolver anymore, you’re using a plain recursive resolver that communicates with DNS authoritative servers directly. Which I would love to do (and used to before Stubby existed), but of course cannot because most of them don’t speak DNS-over-TLS (or HTTPS). |
@monperrus @ArchangeGabriel Hi Both, I was referring to some of the discussion around early use cases for DoH where it was proposed that for a given website/application there could be a discovery mechanism to determine if the host offered DoH and if so that host resolver would be used for DNS queries by that website/application (e.g. your twitter app uses the twitter resolver for all queries). However the only current implementation I know if is in Firefox and that does indeed currently send all queries to the (single) configured DoH resolver ( or 'DNS API server' as it is described in the DoH draft). |
around early use cases for DoH where it was proposed that for a given website/application there
could be a discovery mechanism to determine if the host offered DoH and if so that host resolver
would be used for DNS queries by that website/application (e.g. your twitter app uses the twitter
resolver for all queries).
Interesting, thanks for sharing this insider information!
However the only current implementation I know if is in Firefox and that does indeed currently
send all queries to the (single) configured DoH resolver
OK, we're along the same line, this is also how I understand FF DOH.
|
FYI, just published a post on this topic: https://www.monperrus.net/martin/randomization-encryption-dns-requests |
Nice - thanks! |
Very interesting implementation choice by @dimkr's nss-tls
|
I'm not a security professional, but in my head, the "best" attack on round-robin goes something like this:
The benefit to the attacker is seeing 100% of "real" DNS queries, instead of e.g. 50%, but at the cost of e.g. doubling the amount of DNS traffic with a pattern that is very easy to spot (each attacker-controlled query would happen shortly after a "real" query). While I don't know the motives of these hypothetical attackers, I'd imagine that the risk of the attack being discovered outweighs the benefit of seeing a greater fraction of queries. For ~deterministic random selection, there are a bunch of considerations:
A potential algorithm goes something like this:
(FWIW, nss-tls uses |
That's true, it re-randomizes when you add an extra server. However, it is assumed that the user changes the servers list only rarely or just once (when nss-tls is installed), and nss-tls doesn't fall back to another server if the psuedo-randomly chosen server fails to resolve a domain. |
Dear stubby team,
I want my DNS requests to be spread over different servers. For this, option
round_robin_upstreams
is a first step. However, it is weak if the attacker gets to make fake DNS requests so that all the interesting requests to be spied are sent to the same server.For overcoming this problem, what about adding an option for pure randomization when selecting the server:
The text was updated successfully, but these errors were encountered: