-
Notifications
You must be signed in to change notification settings - Fork 224
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for EDNS(0) Padding Option #111
Comments
The question: Why 468 bytes? Any RFCs referring to this? For HTTP/2 over TLS with optional compression, it is very hard to precisely control how many bytes to pad. Therefore, there is no clear evidence whether padding can benefit, more RFCs or research results needed for a decision. |
As referenced above, RFC 8467 specifies Padding Policies for Extension Mechanisms for DNS (EDNS(0)).
|
Yeah, that is for DNS over UDP53, not DoH over HTTPS. I would hope there to be more research on this topic before we clearly know how many bytes is suitable for DoH. |
No, this is not the case. It does not make any sense to pad DNS responses that are transmitted in the clear. If you read the referenced RFC 8467, it clearly states directly after the excerpt:
There are also some best practices for resolver operators defined in RFC 8932. The excerpt here is directly for DoH:
Also, the DoH RFC 8484 directly states:
This is true. However, DoH responses from the same resolver will have the same length. As a result, it is more difficult for passive adversaries to detect websites or applications through message size patterns. And, there are studies, which have shown that traffic analysis is more difficult if DoT/DoH responses are padded. Actually, larger DoH resolvers such as Google and Cloudflare support padding already for more than one year. |
Thanks for the responses. Now I understand the points. By the way, I would be really happy if anyone have time to help me add this feature. |
I can give this a try; when we talk about "DNS responses", we refer to the HTTP response |
EDNS allows both the client and server to add random garbage to the request and response in the DNS packet. I guess it's basically |
I have 3 concerns:
Are there any discussion at IETF side regarding padding DoH? The DoH context is important because other deployment like DoT don't address my first and second concerns. |
Hi All, I want to add a sidenote to @m13253's point 3. Since the padding is only relevant if traffic is encrypted either using DoT/DoH. Both of them are on top of TCP, so the traditional amplified reflection attack cannot be achieved (as those are based on Do53/UDP packets). DoQ also requires a handshake before name resolution, so it's not applicable to DoQ either. If you send your query over Do53 with EDNS padding option set, the resolver should not pad the response. Hence, amplification should not be possible via EDNS padding. Another sidenote to point 1. This padding should be EDNS padding because then it is part of the DNS protocol. Hence, no matter what encrypted channels you will use, be it DoT/DoH/DoQ/DoX, all can obey. If you introduce padding as HTTP/2, then it will only work in DoH/DoH3. And EDNS is already supported and understood by resolvers too. Another interesting aspect of the padding is that while it helps against traffic analysis, in the case of DoH, the padding would also help to identify DoH itself. Note that DoH inherently blends into HTTPS (i.e., regular web traffic) thereby increasing the privacy of the users. However, by padding each DoH request/response, it is easier to detect DoH and differentiate it from Web traffic. Note that due to the Opportunistic profiles DNS stub resolvers adapt, once an encrypted DNS connection fails (because of being blocked), your stub resolver seamlessly fallback to plain-text DNS where you will expose your DNS queries. |
Duplicated from email thread.
The text was updated successfully, but these errors were encountered: