© Internet Initiative Japan Inc.
Qunog12
DNS
812
0
2
3
KSK
KSK
KSK?2017
4
nlnetlabs RIPE Atlas
KSK2017
5
6
7
Manabu Sonoda
DNS
?
? ISP L1 L8
? IIJ
? IIJ
? IIJ DNS DNS
? D.DNS.JP
?
DNS
8
? DNS
? DNS
9
DNS
10
DNSSEC
11
DNSSEC
12
DNSSEC DNS
DNSSEC
?
?
?
DNS
?
?
?
13
MITM
DNS
14
DNS
DNS
qname minimisation QNAME
DNS
15
qname minimisation
Qname DNS
root
jp
example.jp
www.example.jp
jp
example.jp
www.example.jp
www.example.jp
www.example.jp
Qname minimisation
16
17
IETF 3
? DNS over TLS (DoT)
? DNS over DTLS (DoD)
? DNS over HTTPS (DoH)
18
RFC7858 Specification for DNS over Transport Layer Security (TLS)
DNS over TLS (DoT)
? TLS TCP DNS
? HTTP HTTPS
? 2018 10
IP
TCP
TLS
DNS
19
RFC8094 DNS over Datagram Transport Layer Security (DTLS)
DNS over DTLS (DoD)
? DTLS DNS
? DTLS
? Experimental RFC
IP
UDP
DTLS
DNS
20
ietf-doh-dns-over-https
DNS over HTTPS (DoH)
?
? HTTPS DNS
? GET POST
IP
TCP
TLS
HTTP/1 HTTP/2
UDP
QUIC
HTTP/2
DNS
21
ietf-doh-dns-over-https
GET
Request
:method = GET
:scheme = https
:authority = <DoH server>
:path = /dns-query?dns=<UDP DNS message, base64url>
Accept = application/dns-message
Response
Content-type = application/dns-message
Content-length = <DNS message length>
Cache-control = <DNS TTL>
DNS
22
ietf-doh-dns-over-https
POST
Request
:method = POST
:scheme = https
:authority = <DoH server>
:path = /dns-query
Accept = application/dns-message
Content-type = application/dns-message
Content-length = <DNS message length>
(body: the DNS message)
Response
same as GET
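The GET and POST forms above can be built by hand to see exactly what goes on the wire. The following is an added example (not code from the talk or from any DoH implementation); it assumes a placeholder server name doh.example.net and constructs the DNS query for www.example.jp itself, so it runs offline. It also shows the server-side inverse (decoding the dns= parameter) and the smallest-TTL rule behind the Cache-control line:

```python
import base64
import struct

# Constructed placeholder standing in for the <DoH server> of the slides; not a real service.
DOH_AUTHORITY = "doh.example.net"


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS wire-format query: 12-byte header plus one question.
    RD=1, QDCOUNT=1. A fixed ID of 0 keeps the GET URL identical for
    repeated queries, which is what lets HTTP caches reuse the response."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS = IN
    return header + question


def parse_question(msg: bytes):
    """Read the question name and type back out of a wire-format message.
    Only uncompressed names are handled, which is all a query contains."""
    pos = 12
    labels = []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels), qtype


def base64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, the encoding of the dns= query parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_dns_param(value: str) -> bytes:
    """Server side: restore the padding and decode the dns= parameter."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def doh_get_request(authority: str, qname: str) -> dict:
    """Pseudo-headers and headers of the GET form shown on the slide."""
    return {
        ":method": "GET",
        ":scheme": "https",
        ":authority": authority,
        ":path": "/dns-query?dns=" + base64url_nopad(build_dns_query(qname)),
        "accept": "application/dns-message",
    }


def doh_post_request(authority: str, qname: str):
    """POST form: headers plus the raw DNS message as the request body."""
    body = build_dns_query(qname)
    headers = {
        ":method": "POST",
        ":scheme": "https",
        ":authority": authority,
        ":path": "/dns-query",
        "accept": "application/dns-message",
        "content-type": "application/dns-message",
        "content-length": str(len(body)),
    }
    return headers, body


def cache_control_for(ttls) -> str:
    """The Cache-control value the slide describes: an HTTP freshness lifetime
    derived from the DNS answer, bounded by the smallest TTL in the response."""
    return "max-age=%d" % min(ttls)


if __name__ == "__main__":
    req = doh_get_request(DOH_AUTHORITY, "www.example.jp")
    for k, v in req.items():
        print(f"{k} = {v}")
    wire = decode_dns_param(req[":path"].split("dns=", 1)[1])
    print("server sees question:", parse_question(wire))
```

The fixed transaction ID and the padding-free base64url are what make the GET form cache-friendly: two clients asking for the same name produce byte-identical URLs, so an intermediate HTTP cache can serve the second one for as long as the max-age derived from the DNS TTL allows.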
23
DNS over TLS
24
DNS over TLS
? Unbound
? Knot-resolver
? Android 9
? systemd-resolved
25
DNS over TLS
26
- DoT - Unbound
Unbound must be built with --with-ssl to serve DoT.
1. Server certificate and key
unbound-1.8.1 $ ./configure --with-libevent --with-ssl
server:
tls-service-key: "tls.key" # private key
tls-service-pem: "tls.crt" # certificate
2. listen IP
interface: 127.0.0.1@853 # listen address@port
interface: 192.168.0.53@853 # listen address@port
interface-automatic with 0.0.0.0@853 and ::0@853 listens on all IP addresses
27
- DoT - knot-resolver
Knot-resolver supports DoT natively.
1. In kresd.conf, set the certificate and key:
net.tls("tls.cert","tls.key")
2. TLS listen IP:
net.listen({'0.0.0.0','::'},{tls=true})
3. TLS session ticket secret:
net.tls_sticket_secret('pre-shared secret')
28
- DoT with a TLS proxy
DoT is DNS over TCP carried inside TLS, so a TLS proxy can terminate the TLS session and hand plain DNS over TCP to a resolver that has no DoT support of its own.
nginx as a DNS over TLS proxy: https://dnsops.jp/bof/20151119/dnsovertls.pdf
BIND behind a TLS proxy as a DoT server:
client side: IP / TCP / TLS / DNS
TLS proxy terminates TLS
resolver side: IP / TCP / DNS
29
DNS over TLS
30
- DoT - Android9
Android 9 DNS
DoT
?
?
?
DHCP DNS
DoT DoT
31
- DoT - Android9
?
? Android
OK
? SAN
? MITM
? RFC RFC
32
DNS over HTTPS
33
- DoH
DNS over HTTPS
?
? cloudflare, knot-resolver
? systemd-resolved
? Firefox (Windows, Mac OS X, Linux)
? Intra (Android)
?
? curl (master branch)
? Chrome
34
DNS over HTTPS
35
- DoH -
Native DoH
DoT
DoT
1. HTTPS dns
2. UDP
3. TTL TTL
Cache-control body
BIND DoT
IP
TCP
TLS
HTTP
DoT
IP
TCP/UDP
DNS
36
DNS over HTTPS
37
- DoH - Firefox
Firefox DoH Trusted Recursive Resolver (TRR)
about:config
? network.trr.uri DoH
? network.trr.mode 1
about:networking#dns
TRR true DoH
38
- DoH - Intra
Intra Alphabet Jigsaw Android
? Android 4.0
? Google Public DNS JSON-API
Google
? Cloudflare DoH
IETF
? DoH
IETF
39
DNS
ISP
40
DNS
DNS
DNS
DNS
ISP DNS
Hyper Giants
41