Domain Name System
==Transport protocols==
From the time of its origin in 1983 the DNS has used the [[User Datagram Protocol]] (UDP) for transport over IP. Its limitations have motivated numerous protocol developments for reliability, security, privacy, and other criteria in the following decades.

===Conventional: DNS over UDP and TCP ports 53 (Do53)===
UDP reserves port number 53 for servers listening to queries.<ref name="rfc1035" /> Such a query consists of a clear-text request sent in a single UDP packet from the client, responded to with a clear-text reply sent in a single UDP packet from the server. Without extensions, the DNS payload of a UDP reply is limited to 512 bytes. When the length of the answer exceeds 512 bytes and both client and server support [[Extension Mechanisms for DNS]] (EDNS), larger UDP packets may be used; the client advertises the payload size it accepts in an OPT pseudo-record carried in the additional section of the query.<ref>{{IETF RFC|2671}}, ''Extension Mechanisms for DNS (EDNS0)'', P. Vixie (August 1999)</ref> Use of DNS over UDP is limited by, among other things, its lack of transport-layer encryption, authentication, reliable delivery, and message length: queries and replies are readable by any on-path observer, and a reply is accepted on the strength of a matching transaction ID, port and question alone.

In 1989, RFC 1123 specified optional [[Transmission Control Protocol]] (TCP) transport for DNS queries, replies and, particularly, [[DNS zone transfer|zone transfers]]. Over TCP each DNS message is prefixed with a two-byte length field, so the byte stream can carry responses longer than a single datagram while providing reliable delivery and re-use of long-lived connections between clients and servers. When a response does not fit within the UDP payload size the client accepts, the server returns a truncated reply with the TC (truncation) flag set, and the client retries the same query over TCP.

===DNS over TLS (DoT)===
[[DNS over TLS]] emerged as an IETF standard for encrypted DNS in 2016, utilizing Transport Layer Security (TLS) to protect the entire connection, rather than just the DNS payload. DoT servers listen on TCP port 853 and carry messages with the same two-byte length framing as DNS over TCP. {{IETF RFC|7858}} specifies that opportunistic encryption and authenticated encryption may be supported, but did not make either server or client authentication mandatory. A client that accepts any server certificate, or falls back to clear text when TLS fails, gains protection only against passive observers; defeating an active attacker requires the client to authenticate the resolver, for example by name or by a pinned public key.

===DNS over HTTPS (DoH)===
[[DNS over HTTPS]] was developed as a competing standard for DNS query transport in 2018, tunneling DNS query data over HTTPS, which transports HTTP over TLS. A DoH client sends the wire-format DNS message either base64url-encoded in the <code>dns</code> parameter of an HTTP GET request or as the body of a POST request, in both cases using the media type <code>application/dns-message</code>.
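The following is an added worked example, not code from the article or from any of the implementations it cites. It is a minimal DNS wire-format encoder and decoder that exercises the three transports just described: a Do53 query over UDP carrying an EDNS0 OPT record, the client-side TC-bit check that triggers a retry over TCP, the two-byte length framing shared by DNS over TCP and DoT, and the base64url GET encoding used by DoH. The sample truncated reply is constructed inline rather than captured, the path template <code>/dns-query</code> is the conventional one and is assumed, and no resolver is contacted.

```python
"""Added example, not from the article or any cited implementation: a minimal
DNS wire-format encoder/decoder for the transports described above.
Do53 over UDP with an EDNS0 OPT record and TC-bit fallback, the two-byte length
framing shared by DNS over TCP and DoT (RFC 7858 keeps the TCP message format),
and the base64url GET encoding of DoH (RFC 8484). Runs offline on constructed
messages; no resolver is contacted."""
import base64
import struct
from typing import Dict, List, Optional

QTYPE_A = 1
CLASS_IN = 1
TYPE_OPT = 41
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, msg_id: int = 0x1234,
                edns_bufsize: Optional[int] = 4096) -> bytes:
    """Wire-format query. With edns_bufsize set, an EDNS0 OPT pseudo-RR is
    appended in the additional section; its CLASS field advertises the UDP
    payload size the client accepts instead of the classic 512-byte limit."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    msg = header + question
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = payload size,
        # TTL = extended RCODE/version/flags (all zero here), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the fixed 12-byte header; 'truncated' is 1 when the TC flag is set."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "truncated": int(bool(flags & FLAG_TC))}


def needs_tcp_retry(query: bytes, response: bytes) -> bool:
    """Do53 client rule: a UDP reply whose ID does not match (or that is not a
    response) is discarded; a matching reply with TC=1 is incomplete, so the
    same query is retried over TCP."""
    q, r = parse_header(query), parse_header(response)
    if q["id"] != r["id"] or not (r["flags"] & FLAG_QR):
        raise ValueError("not a response to this query; discard")
    return bool(r["truncated"])


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP (RFC 1035) and DoT (RFC 7858) prefix each message with its
    length as two big-endian bytes so messages can be delimited in the stream."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> List[bytes]:
    """Split a TCP/DoT byte stream into complete messages; an incomplete tail
    is left for the next read rather than being parsed as a message."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs


def doh_get_path(query: bytes, template: str = "/dns-query") -> str:
    """RFC 8484 GET form: the wire-format message, base64url-encoded with
    padding removed, in the 'dns' parameter. The ID is zeroed first, as
    RFC 8484 recommends, so identical questions yield identical cacheable URLs.
    The '/dns-query' template is the conventional one and is assumed here."""
    q = bytearray(query)
    q[0:2] = b"\x00\x00"
    token = base64.urlsafe_b64encode(bytes(q)).rstrip(b"=").decode("ascii")
    return f"{template}?dns={token}"


def doh_decode_param(token: str) -> bytes:
    """Server side: restore the stripped padding and decode the message."""
    token += "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token)


# Constructed sample reply (not captured traffic): QR=1, RD=1, TC=1, no answers,
# the shape a server returns when the answer exceeds the client's UDP size.
QUERY = build_query("example.com")
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", QTYPE_A, CLASS_IN))

if __name__ == "__main__":
    print("query bytes:", len(QUERY), "retry over TCP:", needs_tcp_retry(QUERY, TRUNCATED_REPLY))
    print("TCP/DoT frame prefix:", tcp_frame(QUERY)[:2].hex(), "DoH GET:", doh_get_path(QUERY))
```

The same bytes that <code>build_query</code> produces are what goes into a UDP datagram to port 53, into a <code>tcp_frame</code> on port 53 or inside a TLS session on port 853, or into the <code>dns</code> parameter of a DoH GET; only the framing around the message changes between transports. The ID check in <code>needs_tcp_retry</code> is the same check a resolver relies on to reject forged UDP replies, which is why it is deliberately strict.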
DoH was promoted as a more web-friendly alternative to DNS since, like DNSCrypt, it uses TCP port 443, and thus looks similar to web traffic, though without padding DoH flows are readily distinguishable from ordinary web traffic by traffic analysis.<ref>{{cite web |last1=Csikor |first1=Levente |last2=Divakaran |first2=Dinil Mon |title=Privacy of DNS over HTTPS: Requiem for a Dream? |url=https://raw.githubusercontent.com/cslev/doh_ml/main/DNS_over_HTTPS_identification.pdf |publisher=National University of Singapore |date=February 2021 |quote=We investigate whether DoH traffic is distinguishable from encrypted Web traffic. To this end, we train a machine learning model to classify HTTPS traffic as either Web or DoH. With our DoH identification model in place, we show that an authoritarian ISP can identify ≈97.4% of the DoH packets correctly while only misclassifying 1 in 10,000 Web packets.}}</ref>

===DNS over QUIC (DoQ)===
RFC 9250, published in 2022 by the [[Internet Engineering Task Force]], describes DNS over [[QUIC]]. DoQ servers listen on UDP port 853; each query is sent on its own QUIC stream, and messages keep the two-byte length prefix used over TCP. It has "privacy properties similar to DNS over TLS (DoT) [...], and latency characteristics similar to classic DNS over UDP".
This method is not the same as DNS over [[HTTP/3]].<ref>{{cite IETF|last1=Huitema |first1=Christian |last2=Dickinson |first2=Sara |last3=Mankin |first3=Allison |title=DNS over Dedicated QUIC Connections |rfc=9250 |publisher=Internet Engineering Task Force |date=May 2022}}</ref>

===Oblivious DoH (ODoH) and predecessor Oblivious DNS (ODNS)===
Oblivious DNS (ODNS) was invented and implemented by researchers at [[Princeton University]] and the [[University of Chicago]] as an extension to unencrypted DNS,<ref>{{Cite journal|last1=Schmitt|first1=Paul|last2=Edmundson|first2=Anne|last3=Feamster|first3=Nick|title=Oblivious DNS: Practical Privacy for DNS Queries|url=https://petsymposium.org/2019/files/papers/issue2/popets-2019-0028.pdf |archive-url=https://web.archive.org/web/20220121210624/https://petsymposium.org/2019/files/papers/issue2/popets-2019-0028.pdf |archive-date=2022-01-21 |url-status=live|journal=Proceedings on Privacy Enhancing Technologies |date=2019|volume=2019 |issue=2 |pages=228–244 |doi=10.2478/popets-2019-0028 |arxiv=1806.00276 |s2cid=44126163 }}</ref> before DoH was standardized and widely deployed. Apple and Cloudflare subsequently deployed the technology in the context of DoH, as Oblivious DoH (ODoH).<ref>{{cite web |title=Oblivious DNS Deployed by Cloudflare and Apple |date=9 December 2020 |url=https://medium.com/noise-lab/oblivious-dns-deployed-by-cloudflare-and-apple-1522ccf53cab |access-date=27 July 2022}}</ref> ODoH combines ingress/egress separation (invented in ODNS) with DoH's HTTPS tunneling and TLS transport-layer encryption in a single protocol;<ref>{{cite web |last1=Pauly |first1=Tommy |title=Oblivious DNS Over HTTPS |url=https://datatracker.ietf.org/doc/draft-pauly-dprive-oblivious-doh/|publisher=IETF |date=2 September 2021}}</ref> the design was later published by the IETF as {{IETF RFC|9230}} (2022). The query is encrypted to the target resolver's public key, so the proxy (ingress) sees the client's address but not the query, while the target (egress) sees the query but not the client's address. This separation holds only as long as the proxy and the target are operated independently and do not share logs.

===DNS over Tor===
DNS may be run over [[virtual private network]]s (VPNs) and [[tunneling protocol]]s.
The privacy gains of Oblivious DNS can be obtained through the use of the preexisting [[Tor (network)|Tor]] network of ingress and egress nodes, paired with the transport-layer encryption provided by TLS.<ref>{{cite web |last1=Muffett |first1=Alec |title="No Port 53, Who Dis?" A Year of DNS over HTTPS over Tor |url=https://www.ndss-symposium.org/wp-content/uploads/dnspriv21-03-paper.pdf |archive-url=https://web.archive.org/web/20210321110839/https://www.ndss-symposium.org/wp-content/uploads/dnspriv21-03-paper.pdf |archive-date=2021-03-21 |url-status=live |publisher=Network and Distributed System Security Symposium |date=February 2021 |quote=DNS over HTTPS (DoH) obviates many but not all of the risks, and its transport protocol (i.e. HTTPS) raises concerns of privacy due to (e.g.) 'cookies.' The Tor Network exists to provide TCP circuits with some freedom from tracking, surveillance, and blocking. Thus: In combination with Tor, DoH, and the principle of "Don't Do That, Then" (DDTT) to mitigate request fingerprinting, I describe DNS over HTTPS over Tor (DoHoT).}}</ref>

===DNSCrypt===
The [[DNSCrypt]] protocol, which was developed in 2011 outside the [[Internet Engineering Task Force|IETF]] standards framework, introduced DNS encryption on the downstream side of recursive resolvers, wherein clients encrypt query payloads using servers' public keys, which are published in the DNS (rather than relying upon third-party certificate authorities) and which may in turn be protected by [[DNSSEC]] signatures.<ref>{{Cite web |last=Ulevitch |first=David |date=6 December 2011 |title=DNSCrypt – Critical, fundamental, and about time.
|url=https://umbrella.cisco.com/blog/dnscrypt-critical-fundamental-and-about-time |url-status=live |archive-url=https://web.archive.org/web/20200701221715/https://umbrella.cisco.com/blog/dnscrypt-critical-fundamental-and-about-time |archive-date=1 July 2020 |website=Cisco Umbrella |language=en-US}}</ref> DNSCrypt uses either TCP port 443, the same port as [[HTTPS]] encrypted web traffic, or UDP port 443. This introduced not only privacy regarding the content of the query, but also a significant measure of firewall-traversal capability. In 2019, DNSCrypt was further extended to support an "anonymized" mode, similar to the proposed "Oblivious DNS", in which an ingress node receives a query which has been encrypted with the public key of a different server, and relays it to that server, which acts as an egress node, performing the recursive resolution.<ref name="Anonymized DNSCrypt specification">{{Cite web |title=Anonymized DNSCrypt specification |url=https://raw.githubusercontent.com/DNSCrypt/dnscrypt-protocol/master/ANONYMIZED-DNSCRYPT.txt |url-status=live |archive-url=https://web.archive.org/web/20191025094649/https://raw.githubusercontent.com/DNSCrypt/dnscrypt-protocol/master/ANONYMIZED-DNSCRYPT.txt |archive-date=25 October 2019 |website=[[GitHub]] |publisher=DNSCrypt}}</ref> This separates the identity of the client from the content of the query: the ingress node does not know the content of the query, while the egress node does not know the identity of the client. DNSCrypt was first implemented in production by [[OpenDNS]] in December 2011. There are several free and open source software implementations, some of which additionally integrate ODoH.<ref name="ODoH_(2022)">{{cite web |title=Oblivious DoH · DNSCrypt/dnscrypt-proxy Wiki |url=https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Oblivious-DoH |website=GitHub |publisher=DNSCrypt project |access-date=28 July 2022 |language=en}}</ref> It is available for a variety of operating systems, including Unix, Apple iOS, Linux, Android, and Windows.