-
Notifications
You must be signed in to change notification settings - Fork 5
/
draft-ietf-dprive-bcp-op-02.txt
1904 lines (1225 loc) · 69.4 KB
/
draft-ietf-dprive-bcp-op-02.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
dprive S. Dickinson
Internet-Draft Sinodun IT
Intended status: Best Current Practice B. Overeinder
Expires: September 12, 2019 R. van Rijswijk-Deij
NLnet Labs
A. Mankin
Salesforce
March 11, 2019
Recommendations for DNS Privacy Service Operators
draft-ietf-dprive-bcp-op-02
Abstract
This document presents operational, policy and security
considerations for DNS operators who choose to offer DNS Privacy
services. With these recommendations, the operator can make
deliberate decisions regarding which services to provide, and how the
decisions and alternatives impact the privacy of users.
This document also presents a framework to assist writers of DNS
Privacy Policy and Practices Statements (analogous to DNS Security
Extensions (DNSSEC) Policies and DNSSEC Practice Statements described
in [RFC6841]).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 12, 2019.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
Dickinson, et al. Expires September 12, 2019 [Page 1]
Internet-Draft DNS Privacy Service Recommendations March 2019
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Privacy related documents . . . . . . . . . . . . . . . . . . 5
4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Recommendations for DNS privacy services . . . . . . . . . . 6
5.1. On the wire between client and server . . . . . . . . . . 7
5.1.1. Transport recommendations . . . . . . . . . . . . . . 7
5.1.2. Authentication of DNS privacy services . . . . . . . 7
5.1.3. Protocol recommendations . . . . . . . . . . . . . . 9
5.1.4. Availability . . . . . . . . . . . . . . . . . . . . 10
5.1.5. Service options . . . . . . . . . . . . . . . . . . . 11
5.1.6. Impact on Operators . . . . . . . . . . . . . . . . . 11
5.1.7. Limitations of using a pure TLS proxy . . . . . . . . 12
5.2. Data at rest on the server . . . . . . . . . . . . . . . 12
5.2.1. Data handling . . . . . . . . . . . . . . . . . . . . 12
5.2.2. Data minimization of network traffic . . . . . . . . 13
5.2.3. IP address pseudonymization and anonymization methods 14
5.2.4. Pseudonymization, anonymization or discarding of
other correlation data . . . . . . . . . . . . . . . 15
5.2.5. Cache snooping . . . . . . . . . . . . . . . . . . . 16
5.3. Data sent onwards from the server . . . . . . . . . . . . 16
5.3.1. Protocol recommendations . . . . . . . . . . . . . . 16
5.3.2. Client query obfuscation . . . . . . . . . . . . . . 17
5.3.3. Data sharing . . . . . . . . . . . . . . . . . . . . 18
6. DNS privacy policy and practice statement . . . . . . . . . . 19
6.1. Recommended contents of a DPPPS . . . . . . . . . . . . . 19
6.1.1. Policy . . . . . . . . . . . . . . . . . . . . . . . 19
6.1.2. Practice . . . . . . . . . . . . . . . . . . . . . . 20
6.2. Current policy and privacy statements . . . . . . . . . . 21
6.3. Enforcement/accountability . . . . . . . . . . . . . . . 21
7. IANA considerations . . . . . . . . . . . . . . . . . . . . . 22
8. Security considerations . . . . . . . . . . . . . . . . . . . 22
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 22
11. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 22
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
Dickinson, et al. Expires September 12, 2019 [Page 2]
Internet-Draft DNS Privacy Service Recommendations March 2019
12.1. Normative References . . . . . . . . . . . . . . . . . . 24
12.2. Informative References . . . . . . . . . . . . . . . . . 26
12.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Appendix A. Documents . . . . . . . . . . . . . . . . . . . . . 29
A.1. Potential increases in DNS privacy . . . . . . . . . . . 29
A.2. Potential decreases in DNS privacy . . . . . . . . . . . 29
A.3. Related operational documents . . . . . . . . . . . . . . 30
Appendix B. Encryption and DNSSEC . . . . . . . . . . . . . . . 30
Appendix C. IP address techniques . . . . . . . . . . . . . . . 30
C.1. Google Analytics non-prefix filtering . . . . . . . . . . 31
C.2. dnswasher . . . . . . . . . . . . . . . . . . . . . . . . 32
C.3. Prefix-preserving map . . . . . . . . . . . . . . . . . . 32
C.4. Cryptographic Prefix-Preserving Pseudonymisation . . . . 32
C.5. Top-hash Subtree-replicated Anonymisation . . . . . . . . 33
C.6. ipcipher . . . . . . . . . . . . . . . . . . . . . . . . 33
C.7. Bloom filters . . . . . . . . . . . . . . . . . . . . . . 33
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34
1. Introduction
The Domain Name System (DNS) is at the core of the Internet; almost
every activity on the Internet starts with a DNS query (and often
several). However the DNS was not originally designed with strong
security or privacy mechanisms. A number of developments have taken
place in recent years which aim to increase the privacy of the DNS
system and these are now seeing some deployment. This latest
evolution of the DNS presents new challenges to operators and this
document attempts to provide an overview of considerations for
privacy focused DNS services.
In recent years there has also been an increase in the availability
of "public resolvers" [I-D.ietf-dnsop-terminology-bis] which users
may prefer to use instead of the default network resolver because
they offer a specific feature (e.g. good reachability, encrypted
transport, strong privacy policy, filtering (or lack of), etc.).
These open resolvers have tended to be at the forefront of adoption
of privacy related enhancements but it is anticipated that operators
of other resolver services will follow.
Whilst protocols that encrypt DNS messages on the wire provide
protection against certain attacks, the resolver operator still has
(in principle) full visibility of the query data and transport
identifiers for each user. Therefore, a trust relationship exists.
The ability of the operator to provide a transparent, well
documented, and secure privacy service will likely serve as a major
differentiating factor for privacy conscious users if they make an
active selection of which resolver to use.
Dickinson, et al. Expires September 12, 2019 [Page 3]
Internet-Draft DNS Privacy Service Recommendations March 2019
It should also be noted that the choice of a user to configure a
single resolver (or a fixed set of resolvers) and an encrypted
transport to use in all network environments has both advantages and
disadvantages. For example the user has a clear expectation of which
resolvers have visibility of their query data however this resolver/
transport selection may provide an added mechanism to track them as
they move across network environments. Commitments from operators to
minimize such tracking are also likely to play a role in user
selection of resolvers.
More recently the global legislative landscape with regard to
personal data collection, retention, and pseudonymization has seen
significant activity. It is an untested area that simply using a DNS
resolution service constitutes consent from the user for the operator
to process their query data. The impact of recent legislative
changes on data pertaining to the users of both Internet Service
Providers and public DNS resolvers is not fully understood at the
time of writing.
This document has two main goals:
o To provide operational and policy guidance related to DNS over
encrypted transports and to outline recommendations for data
handling for operators of DNS privacy services.
o To introduce the DNS Privacy Policy and Practice Statement (DPPPS)
and present a framework to assist writers of this document. A
DPPPS is a document that an operator can publish outlining their
operational practices and commitments with regard to privacy
thereby providing a means for clients to evaluate the privacy
properties of a given DNS privacy service. In particular, the
framework identifies the elements that should be considered in
formulating a DPPPS. This document does not, however, define a
particular Policy or Practice Statement, nor does it seek to
provide legal advice or recommendations as to the contents.
Community insight [or judgment?] about operational practices can
change quickly, and experience shows that a Best Current Practice
(BCP) document about privacy and security is a point-in-time
statement. Readers are advised to seek out any errata or updates
that apply to this document.
2. Scope
"DNS Privacy Considerations" [I-D.bortzmeyer-dprive-rfc7626-bis]
describes the general privacy issues and threats associated with the
use of the DNS by Internet users and much of the threat analysis here
is lifted from that document and from [RFC6973]. However this
Dickinson, et al. Expires September 12, 2019 [Page 4]
Internet-Draft DNS Privacy Service Recommendations March 2019
document is limited in scope to best practice considerations for the
provision of DNS privacy services by servers (recursive resolvers) to
clients (stub resolvers or forwarders). Privacy considerations
specifically from the perspective of an end user, or those for
operators of authoritative nameservers are out of scope.
This document includes (but is not limited to) considerations in the
following areas (taken from [I-D.bortzmeyer-dprive-rfc7626-bis]):
1. Data "on the wire" between a client and a server
2. Data "at rest" on a server (e.g. in logs)
3. Data "sent onwards" from the server (either on the wire or shared
with a third party)
Whilst the issues raised here are targeted at those operators who
choose to offer a DNS privacy service, considerations for areas 2 and
3 could equally apply to operators who only offer DNS over
unencrypted transports but who would like to align with privacy best
practice.
3. Privacy related documents
There are various documents that describe protocol changes that have
the potential to either increase or decrease the privacy of the DNS.
Note this does not imply that some documents are good or bad, better
or worse, just that (for example) some features may bring functional
benefits at the price of a reduction in privacy and conversely some
features increase privacy with an accompanying increase in
complexity. A selection of the most relevant documents are listed in
Appendix A for reference.
4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] and [RFC8174] when, and only when, they appear in all
capitals, as shown here.
DNS terminology is as described in [I-D.ietf-dnsop-terminology-bis]
with one modification: we restate the clause in the original
definition of Privacy-enabling DNS server in [RFC8310] to include the
requirement that a DNS over (D)TLS server should also offer at least
one of the credentials described in Section 8 and implement the
(D)TLS profile described in Section 9 of [RFC8310].
Dickinson, et al. Expires September 12, 2019 [Page 5]
Internet-Draft DNS Privacy Service Recommendations March 2019
Other Terms:
o DPPPS: DNS Privacy Policy and Practice Statement, see Section 6.
o DNS privacy service: The service that is offered via a privacy-
enabling DNS server and is documented either in an informal
statement of policy and practice with regard to users privacy or a
formal DPPPS.
5. Recommendations for DNS privacy services
We describe two classes of threats:
o 'Privacy Considerations for Internet Protocols' [RFC6973] Threats
* Privacy terminology, threats to privacy and mitigations as
described in Sections 3, 5 and 6 of [RFC6973].
o DNS Privacy Threats
* These are threats to the users and operators of DNS privacy
services that are not directly covered by [RFC6973]. These may
be more operational in nature such as certificate management or
service availability issues.
We describe three classes of actions that operators of DNS privacy
services can take:
o Threat mitigation for well understood and documented privacy
threats to the users of the service and in some cases to the
operators of the service.
o Optimization of privacy services from an operational or management
perspective
o Additional options that could further enhance the privacy and
usability of the service
This document does not specify policy only best practice, however for
DNS Privacy services to be considered compliant with these best
practice guidelines they SHOULD implement (where appropriate) all:
o Threat mitigations to be minimally compliant
o Optimizations to be moderately compliant
o Additional options to be maximally compliant
Dickinson, et al. Expires September 12, 2019 [Page 6]
Internet-Draft DNS Privacy Service Recommendations March 2019
5.1. On the wire between client and server
In this section we consider both data on the wire and the service
provided to the client.
5.1.1. Transport recommendations
[RFC6973] Threats:
o Surveillance:
* Passive surveillance of traffic on the wire
[I-D.bortzmeyer-dprive-rfc7626-bis] Section 2.4.2.
DNS Privacy Threats:
o Active injection of spurious data or traffic
Mitigations:
A DNS privacy service can mitigate these threats by providing service
over one or more of the following transports
o DNS-over-TLS [RFC7858] and [RFC8310]
o DoH [RFC8484]
It is noted that a DNS privacy service can also be provided over DNS-
over-DTLS [RFC8094], however this is an Experimental specification
and there are no known implementations at the time of writing.
It is also noted that DNS privacy service might be provided over
IPSec, DNSCrypt or VPNs. However, use of these transports for DNS
are not standardized and any discussion of best practice for
providing such a service is out of scope for this document.
Whilst encryption of DNS traffic can protect against active injection
this does not diminish the need for DNSSEC, see Appendix B.
5.1.2. Authentication of DNS privacy services
[RFC6973] Threats:
o Surveillance:
* Active attacks that can redirect traffic to rogue servers
[I-D.bortzmeyer-dprive-rfc7626-bis] Section 2.5.3.
Dickinson, et al. Expires September 12, 2019 [Page 7]
Internet-Draft DNS Privacy Service Recommendations March 2019
Mitigations:
DNS privacy services should ensure clients can authenticate the
server. Note that this, in effect, commits the DNS privacy service
to a public identity users will trust.
When using DNS-over-TLS clients that select a 'Strict Privacy' usage
profile [RFC8310] (to mitigate the threat of active attack on the
client) require the ability to authenticate the DNS server. To
enable this, DNS privacy services that offer DNS-over-TLS should
provide credentials in the form of either X.509 certificates or SPKI
pinsets.
When offering DoH [RFC8484], HTTPS requires authentication of the
server as part of the protocol.
NOTE: At this time the reference to the TLS DNSSEC chain extension
draft has been removed as it is no longer considered an active TLS WG
document.
Optimizations:
DNS privacy services can also consider the following capabilities/
options:
o As recommended in [RFC8310] providing DANE TLSA records for the
nameserver
* In particular, the service could provide TLSA records such that
authenticating solely via the PKIX infrastructure can be
avoided.
5.1.2.1. Certificate management
Anecdotal evidence to date highlights the management of certificates
as one of the more challenging aspects for operators of traditional
DNS resolvers that choose to additionally provide a DNS privacy
service as management of such credentials is new to those DNS
operators.
It is noted that SPKI pinset management is described in [RFC7858] but
that key pinning mechanisms in general have fallen out of favor
operationally for various reasons such as the logistical overhead of
rolling keys.
DNS Privacy Threats:
o Invalid certificates, resulting in an unavailable service.
Dickinson, et al. Expires September 12, 2019 [Page 8]
Internet-Draft DNS Privacy Service Recommendations March 2019
o Mis-identification of a server by a client e.g. typos in URLs or
authentication domain names
Mitigations:
It is recommended that operators:
o Follow the guidance in Section 6.5 of [RFC7525] with regards to
certificate revocation
o Choose a short, memorable authentication name for the service
o Automate the generation and publication of certificates
o Monitor certificates to prevent accidental expiration of
certificates
5.1.3. Protocol recommendations
5.1.3.1. DNS-over-TLS
DNS Privacy Threats:
o Known attacks on TLS such as those described in [RFC7457]
o Traffic analysis, for example: Pitfalls of DNS Encryption [1]
o Potential for client tracking via transport identifiers
o Blocking of well known ports (e.g. 853 for DNS-over-TLS)
Mitigations:
In the case of DNS-over-TLS, TLS profiles from Section 9 and the
Countermeasures to DNS Traffic Analysis from section 11.1 of
[RFC8310] provide strong mitigations. This includes but is not
limited to:
o Adhering to [RFC7525]
o Implementing only (D)TLS 1.2 or later as specified in [RFC8310]
o Implementing EDNS(0) Padding [RFC7830] using the guidelines in
[RFC8467]
o Clients should not be required to use TLS session resumption
[RFC5077] or Domain Name System (DNS) Cookies [RFC7873].
Dickinson, et al. Expires September 12, 2019 [Page 9]
Internet-Draft DNS Privacy Service Recommendations March 2019
o A DNS-over-TLS privacy service on both port 853 and 443. This
practice may not be possible if e.g. the operator deploys DoH on
the same IP address.
Optimizations:
o Concurrent processing of pipelined queries, returning responses as
soon as available, potentially out of order as specified in
[RFC7766]. This is often called 'OOOR' - out-of-order responses.
(Providing processing performance similar to HTTP multiplexing)
o Management of TLS connections to optimize performance for clients
using either
* [RFC7766] and EDNS(0) Keepalive [RFC7828] and/or
* DNS Stateful Operations [I-D.ietf-dnsop-session-signal]
Additional options that providers may consider:
o Offer a .onion [RFC7686] service endpoint
5.1.3.2. DoH
DNS Privacy Threats:
o Known attacks on TLS such as those described in [RFC7457]
o Traffic analysis, for example: DNS Privacy not so private: the
traffic analysis perspective [2]
o Potential for client tracking via transport identifiers
Mitigations:
o Clients must be able to forego the use of HTTP Cookies [RFC6265]
and still use the service
o Clients should not be required to include any headers beyond the
absolute minimum to obtain service from a DoH server. (See
Section 6.1 of [I-D.ietf-httpbis-bcp56bis].)
5.1.4. Availability
DNS Privacy Threats:
Dickinson, et al. Expires September 12, 2019 [Page 10]
Internet-Draft DNS Privacy Service Recommendations March 2019
o A failed DNS privacy service could force the user to switch
providers, fallback to cleartext or accept no DNS service for the
outage.
Mitigations:
A DNS privacy service must be engineered for high availability.
Particular care should to be taken to protect DNS privacy services
against denial-of-service attacks, as experience has shown that
unavailability of DNS resolving because of attacks is a significant
motivation for users to switch services. See, for example
Section IV-C of Passive Observations of a Large DNS Service: 2.5
Years in the Life of Google [3].
5.1.5. Service options
DNS Privacy Threats:
o Unfairly disadvantaging users of the privacy service with respect
to the services available. This could force the user to switch
providers, fallback to cleartext or accept no DNS service for the
outage.
Mitigations:
A DNS privacy service should deliver the same level of service as
offered on un-encrypted channels in terms of such options as
filtering (or lack thereof), DNSSEC validation, etc.
5.1.6. Impact on Operators
DNS Privacy Threats:
o Increased use of encryption impacts operator ability to manage
their network [RFC8404]
Many monitoring solutions for DNS traffic rely on the plain text
nature of this traffic and work by intercepting traffic on the wire,
either using a separate view on the connection between clients and
the resolver, or as a separate process on the resolver system that
inspects network traffic. Such solutions will no longer function
when traffic between clients and resolvers is encrypted. There are,
however, legitimate reasons for operators to inspect DNS traffic,
e.g. to monitor for network security threats. Operators may
therefore need to invest in alternative means of monitoring that
relies on either the resolver software directly, or exporting DNS
traffic from the resolver using e.g. dnstap [4].
Dickinson, et al. Expires September 12, 2019 [Page 11]
Internet-Draft DNS Privacy Service Recommendations March 2019
Optimization:
When implementing alternative means for traffic monitoring, operators
of a DNS privacy service should consider using privacy conscious
means to do so (see, for example, the discussion on the use of Bloom
Filters in the #documents appendix in this document).
5.1.7. Limitations of using a pure TLS proxy
DNS Privacy Threats:
o Limited ability to manage or monitor incoming connections using
DNS specific techniques
o Misconfiguration of the target server could lead to data leakage
if the proxy to target server path is not encrypted.
Optimization:
Some operators may choose to implement DNS-over-TLS using a TLS proxy
(e.g. nginx [5], haproxy [6] or stunnel [7]) in front of a DNS
nameserver because of proven robustness and capacity when handling
large numbers of client connections, load balancing capabilities and
good tooling. Currently, however, because such proxies typically
have no specific handling of DNS as a protocol over TLS or DTLS using
them can restrict traffic management at the proxy layer and at the
DNS server. For example, all traffic received by a nameserver behind
such a proxy will appear to originate from the proxy and DNS
techniques such as ACLs, RRL or DNS64 will be hard or impossible to
implement in the nameserver.
Operators may choose to use a DNS aware proxy such as dnsdist [8]
which offer custom options (similar to that proposed in
[I-D.bellis-dnsop-xpf]) to add source information to packets to
address this shortcoming. It should be noted that such options
potentially significantly increase the leaked information in the
event of a misconfiguration.
5.2. Data at rest on the server
5.2.1. Data handling
[RFC6973] Threats:
o Surveillance
o Stored data compromise
Dickinson, et al. Expires September 12, 2019 [Page 12]
Internet-Draft DNS Privacy Service Recommendations March 2019
o Correlation
o Identification
o Secondary use
o Disclosure
Other Threats
o Contravention of legal requirements not to process user data?
Mitigations:
The following are common activities for DNS service operators and in
all cases should be minimized or completely avoided if possible for
DNS privacy services. If data is retained it should be encrypted and
either aggregated, pseudonymized or anonymized whenever possible. In
general the principle of data minimization described in [RFC6973]
should be applied.
o Transient data (e.g. that is used for real time monitoring and
threat analysis which might be held only memory) should be
retained for the shortest possible period deemed operationally
feasible.
o The retention period of DNS traffic logs should be only those
required to sustain operation of the service and, to the extent
that such exists, meet regulatory requirements.
o DNS privacy services should not track users except for the
particular purpose of detecting and remedying technically
malicious (e.g. DoS) or anomalous use of the service.
o Data access should be minimized to only those personnel who
require access to perform operational duties.
Optimizations:
o Consider use of full disk encryption for logs and data capture
storage.
5.2.2. Data minimization of network traffic
Data minimization refers to collecting, using, disclosing, and
storing the minimal data necessary to perform a task, and this can be
achieved by removing or obfuscating privacy-sensitive information in
network traffic logs. This is typically personal data, or data that
Dickinson, et al. Expires September 12, 2019 [Page 13]
Internet-Draft DNS Privacy Service Recommendations March 2019
can be used to link a record to an individual, but may also include
revealing other confidential information, for example on the
structure of an internal corporate network.
The problem of effectively ensuring that DNS traffic logs contain no
or minimal privacy-sensitive information is not one that currently
has a generally agreed solution or any Standards to inform this
discussion. This section presents and overview of current techniques
to simply provide reference on the current status of this work.
Research into data minimization techniques (and particularly IP
address pseudonymization/anonymization) was sparked in the late
1990s/early 2000s, partly driven by the desire to share significant
corpuses of traffic captures for research purposes. Several
techniques reflecting different requirements in this area and
different performance/resource tradeoffs emerged over the course of
the decade. Developments over the last decade have been both a
blessing and a curse; the large increase in size between an IPv4 and
an IPv6 address, for example, renders some techniques impractical,
but also makes available a much larger amount of input entropy, the
better to resist brute force re-identification attacks that have
grown in practicality over the period.
Techniques employed may be broadly categorized as either
anonymization or pseudonymization. The following discussion uses the
definitions from [RFC6973] Section 3, with additional observations
from van Dijkhuizen et al. [9]
o Anonymization. To enable anonymity of an individual, there must
exist a set of individuals that appear to have the same
attribute(s) as the individual. To the attacker or the observer,
these individuals must appear indistinguishable from each other.
o Pseudonymization. The true identity is deterministically replaced
with an alternate identity (a pseudonym). When the
pseudonymization schema is known, the process can be reversed, so
the original identity becomes known again.
In practice there is a fine line between the two; for example, how to
categorize a deterministic algorithm for data minimization of IP
addresses that produces a group of pseudonyms for a single given
address.
5.2.3. IP address pseudonymization and anonymization methods
As [I-D.bortzmeyer-dprive-rfc7626-bis] makes clear, the big privacy
risk in DNS is connecting DNS queries to an individual and the major
vector for this in DNS traffic is the client IP address.
Dickinson, et al. Expires September 12, 2019 [Page 14]
Internet-Draft DNS Privacy Service Recommendations March 2019
There is active discussion in the space of effective pseudonymization
of IP addresses in DNS traffic logs, however there seems to be no
single solution that is widely recognized as suitable for all or most
use cases. There are also as yet no standards for this that are
unencumbered by patents. The following table presents a high level
comparison of various techniques employed or under development today
and classifies them according to categorization of technique and
other properties. The list of techniques includes the main
techniques in current use, but does not claim to be comprehensive.
Appendix C provides a more detailed survey of these techniques and
definitions for the categories and properties listed below.
Figure showing comparison of IP address techniques (SVG) [10]
The choice of which method to use for a particular application will
depend on the requirements of that application and consideration of
the threat analysis of the particular situation.
For example, a common goal is that distributed packet captures must
be in an existing data format such as PCAP [pcap] or C-DNS
[I-D.ietf-dnsop-dns-capture-format] that can be used as input to
existing analysis tools. In that case, use of a format-preserving
technique is essential. This, though, is not cost-free - several
authors (e.g. Brenker & Arnes [11]) have observed that, as the
entropy in an IPv4 address is limited, given a de-identified log from
a target, if an attacker is capable of ensuring packets are captured
by the target and the attacker can send forged traffic with arbitrary
source and destination addresses to that target, any format-
preserving pseudonymization is vulnerable to an attack along the
lines of a cryptographic chosen plaintext attack.
5.2.4. Pseudonymization, anonymization or discarding of other
correlation data
DNS Privacy Threats:
o IP TTL/Hoplimit can be used to fingerprint client OS
o Tracking of TCP sessions
o Tracking of TLS sessions and session resumption mechanisms
o Resolvers _might_ receive client identifiers e.g. MAC addresses
in EDNS(0) options - some CPE devices are known to add them.
o HTTP headers
Mitigations:
Dickinson, et al. Expires September 12, 2019 [Page 15]
Internet-Draft DNS Privacy Service Recommendations March 2019
o Data minimization or discarding of such correlation data
TODO: More analysis here.
5.2.5. Cache snooping
[RFC6973] Threats:
o Surveillance:
* Profiling of client queries by malicious third parties
Mitigations:
o See ISC Knowledge database on cache snooping [12] for an example
discussion on defending against cache snooping
TODO: Describe other techniques to defend against cache snooping
5.3. Data sent onwards from the server
In this section we consider both data sent on the wire in upstream
queries and data shared with third parties.
5.3.1. Protocol recommendations
[RFC6973] Threats:
o Surveillance:
* Transmission of identifying data upstream.
Mitigations:
As specified in [RFC8310] for DNS-over-TLS but applicable to any DNS
Privacy services the server should:
o Implement QNAME minimization [RFC7816]
o Honor a SOURCE PREFIX-LENGTH set to 0 in a query containing the
EDNS(0) Client Subnet (ECS) option and not send an ECS option in
upstream queries.
Optimizations:
o The server should either
* not use the ECS option in upstream queries at all, or
Dickinson, et al. Expires September 12, 2019 [Page 16]
Internet-Draft DNS Privacy Service Recommendations March 2019
* offer alternative services, one that sends ECS and one that
does not.
If operators do offer a service that sends the ECS options upstream
they should use the shortest prefix that is operationally feasible
(NOTE: the authors believe they will be able to add a reference for
advice here soon) and ideally use a policy of whitelisting upstream
servers to send ECS to in order to minimize data leakage. Operators
should make clear in any policy statement what prefix length they
actually send and the specific policy used.
Whitelisting has the benefit that not only does the operator know
which upstream servers can use ECS but also allows the operator to
decide which upstream servers apply privacy policies that the
operator is happy with. However some operators consider whitelisting
to incur significant operational overhead compared to dynamic
detection of ECS on authoritative servers.
Additional options:
o Aggressive Use of DNSSEC-Validated Cache [RFC8198] to reduce the
number of queries to authoritative servers to increase privacy.
o Run a copy of the root zone on loopback [RFC7706] to avoid making
queries to the root servers that might leak information.
5.3.2. Client query obfuscation
Additional options:
Since queries from recursive resolvers to authoritative servers are
performed using cleartext (at the time of writing), resolver services
need to consider the extent to which they may be directly leaking
information about their client community via these upstream queries
and what they can do to mitigate this further. Note, that even when
all the relevant techniques described above are employed there may
still be attacks possible, e.g. [Pitfalls-of-DNS-Encryption]. For
example, a resolver with a very small community of users risks
exposing data in this way and OUGHT obfuscate this traffic by mixing
it with 'generated' traffic to make client characterization harder.
The resolver could also employ aggressive pre-fetch techniques as a
further measure to counter traffic analysis.
At the time of writing there are no standardized or widely recognized
techniques to perform such obfuscation or bulk pre-fetches.
Another technique that particularly small operators may consider is
forwarding local traffic to a larger resolver (with a privacy policy
Dickinson, et al. Expires September 12, 2019 [Page 17]
Internet-Draft DNS Privacy Service Recommendations March 2019
that aligns with their own practices) over an encrypted protocol so
that the upstream queries are obfuscated among those of the large
resolver.
5.3.3. Data sharing
[RFC6973] Threats:
o Surveillance
o Stored data compromise
o Correlation
o Identification
o Secondary use
o Disclosure
DNS Privacy Threats:
o Contravention of legal requirements not to process user data?
Mitigations:
Operators should not provide identifiable data to third-parties
without explicit consent from clients (we take the stance here that
simply using the resolution service itself does not constitute
consent).
Even when consent is granted operators should employ data
minimization techniques such as those described in Section 5.2.1 if
data is shared with third-parties.
Operators should consider including specific guidelines for the
collection of aggregated and/or anonymized data for research
purposes, within or outside of their own organization. See SURFnet's
policy [13] on data sharing for research as an example.
TODO: More on data for research vs operations... how to still
motivate operators to share anonymized data?
TODO: Guidelines for when consent is granted?