A review of DNS over port 80/443
draft-shane-review-dns-over-http-04

Document Type Active Internet-Draft (individual)
Last updated 2016-11-14
Internet Engineering Task Force                                  S. Kerr
Internet-Draft                                                   L. Song
Intended status: Informational                                    R. Wan
Expires: May 18, 2017                         Beijing Internet Institute
                                                       November 14, 2016

                    A review of DNS over port 80/443
                  draft-shane-review-dns-over-http-04

Abstract

   The default DNS transport uses UDP on port 53.  There are many
   motivations why users or operators may prefer to avoid sending DNS
   traffic in this way.  A common solution is to use port 80 or 443;
   with plain TCP, TLS-encrypted TCP, or full HTTP(S).  This memo
   reviews the possible approaches and delivers some useful information
   for developers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 18, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Kerr, et al.              Expires May 18, 2017                  [Page 1]
Internet-Draft      A review of DNS over port 80/443       November 2016

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Different Implementations Approaches  . . . . . . . . . . . .   3
     2.1.  DNS over TCP on port 80/443 . . . . . . . . . . . . . . .   3
     2.2.  DNS over TLS on port 443  . . . . . . . . . . . . . . . .   3
     2.3.  DNS Wire-format over HTTP(S)  . . . . . . . . . . . . . .   4
     2.4.  REST HTTP API . . . . . . . . . . . . . . . . . . . . . .   5
   3.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   6
   4.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   Name servers use port 53, on both UDP and TCP [RFC1035] [RFC5966].
   However, users or operators occasionally find it useful to use an
   alternative way to deliver DNS information, and often pick port 80
   (the default HTTP port) or 443 (the default HTTPS port) for this
   purpose.

   There are several use cases:

   o  Case 1: Firewalls or other middleboxes may interfere with normal
      DNS traffic [RFC3234] [RFC5625] [DOTSE] [SAC035].  In addition,
      some ISPs and hotels block external DNS and perform DNS rewriting
      to send users to advertising or other pages that they did not
      intend to visit, or networks may use IP addresses which cause a
      misleading geographic location for the user [RFC7871].  In such
      cases users may also want DNSSEC support that the local resolver
      does not provide, and so on.

   o  Case 2: Users may use DNS over TLS or HTTPS to protect privacy.
      This also allows the DNS client to authenticate the DNS server.

   o  Case 3: Developers may want a higher-level DNS API.  Web
      developers may prefer different abstractions or familiar tools
      like JSON or XML, transmitted using HTTP or HTTPS.

   This memo does not aim to develop standards or tools.  The purpose is
   to review various implementation options as a reference for
   developers.  However, it may be helpful for anyone hoping to develop
   specifications or implementations for DNS over port 80/443.
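   As an added example (not code from this draft or its authors), the
   following Python client illustrates the Case 2 transport that the
   abstract calls "TLS-encrypted TCP": it builds a wire-format query, adds
   the two-octet length prefix that DNS over TCP uses, and opens a TLS
   connection on port 443 with a default context that verifies the server
   certificate and hostname, which is what lets the client authenticate
   the resolver.  The server name dns.example, the port, and the response
   bytes are assumptions constructed for the example; the network
   function is not exercised offline, the constructed response is.

```python
"""Added example, not part of draft-shane-review-dns-over-http: a minimal
DNS-over-TLS client for port 443.  Query building and TCP framing follow
RFC 1035 section 4.1 and 4.2.2; the resolver name `dns.example` and the
port are assumptions."""
from __future__ import annotations
import socket
import ssl
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 labels, terminated by a zero length."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """12-octet header (flags 0x0100 = RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def frame_tcp(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-octet big-endian length."""
    return struct.pack("!H", len(message)) + message


def read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_a_records(message: bytes, expected_txid: int) -> list[str]:
    """Return IPv4 addresses from A records in the answer section.
    Rejects a mismatched transaction id, a non-response, or a non-zero RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    if flags & 0x000F != 0:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = read_name(message, offset)
        offset += 4
    addresses = []
    for _ in range(an):
        _, offset = read_name(message, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        rdata = message[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(name: str, server: str = "dns.example", port: int = 443,
                   timeout: float = 5.0) -> list[str]:
    """Send the query over TLS on port 443 (needs a live resolver; not run here).
    The default context requires a valid certificate chain and checks the
    hostname, so the client authenticates the resolver, not just encrypts."""
    txid = 0x1234
    ctx = ssl.create_default_context()       # CERT_REQUIRED, check_hostname=True
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_tcp(build_query(name, QTYPE_A, txid)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), txid)


# Constructed response for offline use: answers "www.example." with A 192.0.2.1,
# using a compression pointer (0xc00c) back to the question name at offset 12.
SAMPLE_QUERY = build_query("www.example")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(frame_tcp(SAMPLE_QUERY).hex())
    print(parse_a_records(SAMPLE_RESPONSE, 0x1234))
```

   The same framing and parsing serve the plain-TCP variant (Section 2.1
   of the review): only the socket wrapper changes.  Dropping the TLS
   layer, or replacing the default context with one that disables
   certificate checking, keeps the port-443 transport but loses the
   server authentication that distinguishes Case 2.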

   Note that most of the implementations described in this memo are on
   port 80/443 and combined with TCP/TLS/HTTP(S).  The main focus here
