Resource preview contents
Page 1 / 44
Resource description
Development and deployment status of DNS encryption protocols
Technological innovation, transforming the future

An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?
Chaoyi Lu, Baojun Liu, Zhou Li, Shuang Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Ying Liu, Zaifeng Zhang, Jianping Wu

DNS: the start of Internet activities... which says a lot about you.

Slide 3: Domain Name System
- DNS Client -> Resolver -> Authoritative server.
- The client asks "?" and is answered with 42.81.56.61.

Slide 4: DNS Privacy
- DNS Client -> Resolver -> Authoritative server, with MITM interception on the path.
- Where are the risks? Rogue server. Eavesdropper.

Slide 5: DNS Privacy
- People could be watching our queries.
- RFC 7626 on DNS privacy.

Slide 6: DNS Privacy
- The MORECOWBELL surveillance program of the NSA.
- People could be watching our queries, and do things like: device fingerprinting [Chang '15], user behavior analysis [Kim '15], user tracking [Kirchler '16].

Slide 7: DNS Privacy: What Has Been Done?
Three IETF WGs. Three standardized protocols. More implementations and tests coming.
Timeline:
- Before '14: DNSCurve & DNSCrypt
- May '14: RFC 7258 Pervasive Monitoring Is an Attack
- Sept '14: IETF DPRIVE WG
- Jan '15: NSA's MORECOWBELL revealed
- Aug '15: RFC 7626 DNS Privacy Considerations
- Mar '16: RFC 7816 QNAME Minimization
- May '16: RFC 7858 DNS-over-TLS (DoT)
- Feb '17: RFC 8094 DNS-over-DTLS
- Apr '17: DNS-over-QUIC, initial draft
- Sept '17: IETF DoH WG
- Mar '18: RFC 8310 Usage Profiles of DoT
- Jun '18: Mozilla's test of DoH
- Oct '18: RFC 8484 DNS-over-HTTPS (DoH)
- Mar '19: Drafts on DoH deployment
- Nov '19: DNS zone transfers using TLS, draft
- Feb '20: IETF ADD WG

Slide 8: DNS-over-Encryption: Standard Protocols
- DNS-over-TLS (DoT, RFC 7858, May 2016): uses TLS to wrap DNS messages. Dedicated port 853. Stub resolver update needed.
- DNS-over-HTTPS (DoH, RFC 8484, Oct 2018): embeds DNS packets into HTTP messages. Shared port 443. More user-space friendly.

Slide 9: DNS-over-Encryption: Standard Protocols
- Issuing DNS-over-HTTPS queries in a browser.
- Issuing DNS-over-TLS queries with kdig:
    $ kdig @1.1.1.1 +tls

Slide 10: The Rapid Development of DoE
Widely getting support from the industry.
- DNS server software, operating systems, web browsers, public DNS resolvers.

Slide 11: The Rapid Development of DoE
Recent updates from service providers & vendors:
- Windows: DoH available for Insiders.
- Chrome: DoH support.
- Firefox: DoH by default for US users.
- Apple: DoT and DoH support added recently.

Slide 12: Questions, from the users' perspective
- How many DoE servers are there? Methodology: Internet-wide scanning.
- How are the reachability and performance of DoE servers? Methodology: large-scale client-side measurement.
- What does the real-world usage of DoE look like? Methodology: analysis of passive traffic.

Slide 13: Q1: How many servers are there?

Slide 14: DoE Server Discovery
- DNS-over-TLS (DoT): runs over dedicated port 853 -> Internet-wide scan.
- DNS-over-HTTPS (DoH): uses common URI templates (e.g., /dns-query) -> URL database inspection.

Slide 15: DNS-over-TLS Resolvers
Internet-wide probing with ZMap, getdns & OpenSSL:
- ZMap: Internet-wide scan of port 853.
- getdns: DoT query.
- OpenSSL: verify certificate chain.

Slide 16: DNS-over-TLS Resolvers
- Feb-May '19: 2K open DoT resolvers in the wild.
- Several big players dominate in the count of servers.

Slide 17: DNS-over-TLS Resolvers
- Feb-May '19: 2K open DoT resolvers in the wild.
- Several big players dominate in the count of servers.
- Jul '20: rises to 7.8K resolvers operated by 1.2K providers.

Slide 18: DoT Resolver Certificates
- Authentication relies on PKIX certificates (RFC 8310).
- Invalid certificates still pose a problem.

Slide 19: DoT Resolver Certificates
- Authentication relies on PKIX certificates (RFC 8310).
- Invalid certificates still pose a problem.
- Broken certificate chains (as of Jul 01, 2020): self-signed 70%; expired 15%; 15% (category not labelled in the preview).
- Firewalls & TLS inspection devices.
- 1/3 expired before 2020.

Slide 20: DNS-over-HTTPS Providers
- Large-scale URL dataset inspection.
- May '19: 17 providers found, mostly known in lists (DoH list maintained by the curl project).
- Found 2 providers beyond the list.

Slide 21: DNS-over-HTTPS Providers
- Large-scale URL dataset inspection.
- May '19: 17 providers found, mostly known in lists.
- Jul '20: 50+ URIs operated by 37 providers.
- Examples: https://1111.cloudflare-… (truncated in the preview), https://8888.google/dns-query, https://doh.defaultroutes.de/dns-query, https://ns-doh.licoho.de/dns-query, https://public.dns.iij.jp/dns-query

Slide 22: Q2: Are popular services reachable?

Slide 23: Reachability to DoE Servers
- Measurement platform built on a SOCKS5 proxy network.
- Measurement Client -> Super Proxy -> Proxy Network (exit nodes) -> forward -> Public DNS resolver.
- Traffic carried: DNS/TCP, DoT, DoH.

Reachabili
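The two encodings the "Standard Protocols" and "DoE Server Discovery" slides rely on (DoT framing on port 853, DoH's /dns-query URI with a base64url-encoded message) and the DNS/TCP, DoT and DoH probes of the reachability platform all share the same wire format. The following is an added example, not the paper's measurement code: it builds an RFC 1035 query, applies the 2-byte length prefix that DNS/TCP and DoT (RFC 7858) use, forms an RFC 8484 DoH GET URL, and parses a reply. The resolver name dns.example, the query name www.example.com and the constructed reply are sample values; the answer address 42.81.56.61 is the one shown on slide 3.

```python
"""Wire formats behind DNS/TCP, DoT (RFC 7858) and DoH (RFC 8484).

Added example, not the paper's measurement code. Resolver and query
names are constructed sample values."""
import base64
import struct
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Standard recursive query (RD=1). RFC 8484 suggests txid 0 for DoH so
    HTTP caches can serve identical requests; DoT clients should randomise it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """Prefix with big-endian length: RFC 1035 s4.2.2, reused by DoT (RFC 7858 s3.3)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> list:
    """Split a DNS/TCP or DoT byte stream into whole messages; reject truncation."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + n > len(stream):
            raise ValueError("truncated DNS message in stream")
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs


def doh_get_url(template: str, msg: bytes) -> str:
    """DoH GET: base64url without '=' padding in the 'dns' parameter (RFC 8484 s4.1.1)."""
    dns = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    parts = urlsplit(template.replace("{?dns}", ""))  # drop the URI template variable
    query = (parts.query + "&" if parts.query else "") + urlencode({"dns": dns})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def doh_decode_get_param(url: str) -> bytes:
    """Inverse of doh_get_url: restore padding, then base64url-decode."""
    dns = parse_qs(urlsplit(url).query)["dns"][0]
    return base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))


def parse_name(msg: bytes, pos: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], pos, False, 0
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:  # compression pointer, RFC 1035 s4.1.4
            if not jumped:
                end = pos + 2
            pos, jumped, hops = ((n & 0x3F) << 8) | msg[pos + 1], True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if n == 0:
            return ".".join(labels), (end if jumped else pos)
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n


def parse_response(msg: bytes):
    """Return (txid, rcode, answers) with answers as (name, type, ttl, rdata)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR=0)")
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        _, pos = parse_name(msg, pos)
        pos += 4
    answers = []
    for _ in range(an):
        name, pos = parse_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata = msg[pos + 10:pos + 10 + rdlen]
        pos += 10 + rdlen
        if rtype == 1 and rdlen == 4:  # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return txid, flags & 0x000F, answers


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed sample reply: echo the question and add one A record whose
    owner name is a pointer to offset 12 (the question name)."""
    (txid,) = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr
```

Over a real connection, `frame_tcp(build_query(...))` is what a DoT client writes to the TLS socket on port 853 (after validating the server certificate against the RFC 8310 usage profile), and `doh_get_url("https://dns.example/dns-query", ...)` is the GET form a DoH client sends with `Accept: application/dns-message`; the unframing and parsing code handles the replies in both cases.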