[Search] [txt|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00                                                            
Network Working Group                                        K. Fujiwara
Internet-Draft                                                      JPRS
Intended status: Informational                              13 July 2021
Expires: 14 January 2022


                    DNS over HTTPS via HTTP proxies
               draft-fujiwara-dprive-doh-via-httpproxy-00

Abstract

   DNS queries over HTTPS (DoH) hides DNS query information by (HTTPS)
   encryption.  However, DoH providers know both query source IP
   addresses and DNS queries, and it is a privacy issue of DoH.  It is
   possible to hide query source IP addresses from DoH providers by
   existing protocol (HTTP) and implementations (HTTP proxy software).
   This document proposes the use of DoH via HTTP proxy services.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 14 January 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.



Fujiwara                 Expires 14 January 2022                [Page 1]


Internet-Draft               doh-over-proxy                    July 2021


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Idea to hide query source IP addresses  . . . . . . . . . . .   3
     3.1.  DoH over Carrier Grade NAT (CGN)  . . . . . . . . . . . .   3
     3.2.  DoH over public NAT64 services  . . . . . . . . . . . . .   3
     3.3.  DoH via HTTP proxies  . . . . . . . . . . . . . . . . . .   4
   4.  Proposal: Use of open HTTP proxy services for DoH . . . . . .   4
     4.1.  Details of DNS over HTTPS via HTTP proxy  . . . . . . . .   4
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   5
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Appendix A.  Example Squid configuration  . . . . . . . . . . . .   7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   DNS clients (stub resolvers) send end users' DNS queries to full-
   service resolvers.

   The queries between stub resolvers and full-service resolvers are not
   encrypted on traditional DNS [RFC1034,RFC1035].  DNS over TLS (DoT)
   [RFC7858] and DNS queries over HTTPS (DoH) [RFC8484] provide the
   encrypted transport (TLS or HTTPS) between stub resolvers and full-
   service resolvers.

   Sensitive data of personal privacy in DNS is a combination of the
   query time, the query source IP address, and the DNS query itself
   (query name, query type, query class).  The dataset indicates when
   (timestamp) and who (IP address) is trying to access the specified
   host (query name).

   DoH providers have the ability to collect the dataset.  Many DNS/DoH
   providers offer decent privacy policies and they usually don't
   actively use privacy information.  However, it is important to
   provide a way to protect personal privacy for self-defense.

   To meet the demand, several methods have been proposed to protect
   personal privacy by hiding query source IP addresses.  One is DNS
   over Tor and the other is Oblivious DNS / DoH
   [I-D.pauly-dprive-oblivious-doh].  However, it is possible to hide
   query source IP addresses from DoH providers by a more simple way
   existing protocols.




Fujiwara                 Expires 14 January 2022                [Page 2]


Internet-Draft               doh-over-proxy                    July 2021


   This document describes some idea to hide the query source IP
   addresses and proposes the use of DoH via HTTP [RFC7231] proxy
   services.

   If multiple providers offer specialized HTTP proxies that relays DoH
   queries to multiple DoH providers, users can hide their query source
   IP addresses from DoH providers.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   Many of the specialized terms used in this document are defined in
   DNS Terminology [RFC8499].

3.  Idea to hide query source IP addresses

   The IP Network Address Translation (NAT) [RFC3022] is a way to hide
   stub resolvers' IP addresses.  However, NAT public IP address may
   disclose some part of end users' information.  Therefore, additional
   element is required to hide the IP address.

3.1.  DoH over Carrier Grade NAT (CGN)

   There are many low-priced Mobile Virtual Network Operator (MVNO)
   services.  Many of them uses Carrier Grade NAT (CGN) [RFC6888], and
   multiple users share one IPv4 global address.

   If users buy the MVNO services and use them exclusively for name
   resolution, it provides to hide their original IP address from DoH
   providers.

   Pros: people can hide their IP addresses from DoH providers.

   Cons: This idea requires MVNO's costs.

3.2.  DoH over public NAT64 services

   [RFC6146] specified Stateful NAT64: Network Address and Protocol
   Translation from IPv6 Clients to IPv4 Servers.

   Some operators provide public NAT64 services.  NAT64 service rewrites
   query source IPv6 addresses to shared IPv4 addresses.




Fujiwara                 Expires 14 January 2022                [Page 3]


Internet-Draft               doh-over-proxy                    July 2021


   If DoH clients connect to DoH servers' IPv4 addresses via the NAT64
   services, The DoH providers can only know the NAT64 providers' public
   IPv4 addresses.

   Pros: DoH clients can hide their IPv6 addresses from DoH providers.
   Users can use multiple DoH providers and multiple NAT64 prefixes/
   services to increase personal privacy.

   Cons: Public NAT64 service providers are limited.

3.3.  DoH via HTTP proxies

   DNS over HTTPS (DoH) is a simple HTTP protocol.  Therefore, DoH via
   HTTP proxies is also possible.

   HTTP proxies cannot know the DoH queries because HTTP proxies act as
   TCP relay and DNS queries between DoH clients and DoH providers are
   encrypted by HTTPS.  And DoH providers cannot know the original query
   source IP addresses.

   Pros: No need to develop new protocols.

   Cons: Public HTTP proxies may be abused.

4.  Proposal: Use of open HTTP proxy services for DoH

   Prepare open HTTP proxies that relays DoH queries to well-known DoH
   providers only.

   DoH clients send DoH queries to DoH providers via the open HTTP
   proxies.

   User's privacy can be improved by using multiple DoH proxies and
   multiple DoH providers for each query.

   +----------+                    +-------+          +---------+
   |DoH client|                    | HTTP  |          | DoH     |
   |          +--(DoH via proxy)---+ proxy +--(DoH)---+ Provider|
   |          | 1: CONNECT DoH:443 |       |          |         |
   +----------+      HTTP/1.1      +-------+          +---------+
                2: (HTTPS setup)
                3: GET/PUT DoH protocol

4.1.  Details of DNS over HTTPS via HTTP proxy

   1.  A DoH client (that would like to use HTTP proxy) connects to a
       specified HTTP proxy.




Fujiwara                 Expires 14 January 2022                [Page 4]


Internet-Draft               doh-over-proxy                    July 2021


   2.  The DoH client sends "CONNECT doH-server-name:443 HTTP/1.1" to
       the HTTP proxy.

   3.  Then, the HTTP proxy relays TCP connection to the "doh-server-
       name" port 443.

   4.  The DoH client communicate queries by DNS over HTTPS with "doh-
       server-name" via the HTTP proxy.

5.  IANA Considerations

   This document has no IANA actions.

6.  Security Considerations

   HTTP proxies may be abused.

   To reduce abusive use of open HTTP proxies, limit destination port to
   443 and destination host names to popular DoH providers.

   The frequency of connections from each IP address should be limited.

   DoH providers can track end-users' privacy information by using TLS
   session information.  Privacy information may be leaked if
   optimizations such as TLS pinning is used.

   Disconnecting the TCP/TLS session every time may improve privacy,
   however it increases DoH query latency.

7.  Acknowledgments

   The author would like to specifically thank DNS over Tor and
   Oblivious DNS / DoH [I-D.pauly-dprive-oblivious-doh].

8.  References

8.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.






Fujiwara                 Expires 14 January 2022                [Page 5]


Internet-Draft               doh-over-proxy                    July 2021


   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001,
              <https://www.rfc-editor.org/info/rfc3022>.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011, <https://www.rfc-editor.org/info/rfc6146>.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              DOI 10.17487/RFC7231, June 2014,
              <https://www.rfc-editor.org/info/rfc7231>.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016, <https://www.rfc-editor.org/info/rfc7858>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
              <https://www.rfc-editor.org/info/rfc8484>.

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

8.2.  Informative References

   [I-D.pauly-dprive-oblivious-doh]
              Kinnear, E., McManus, P., Pauly, T., Verma, T., and C. A.
              Wood, "Oblivious DNS Over HTTPS", Work in Progress,
              Internet-Draft, draft-pauly-dprive-oblivious-doh-06, 8
              March 2021, <https://www.ietf.org/archive/id/draft-pauly-
              dprive-oblivious-doh-06.txt>.






Fujiwara                 Expires 14 January 2022                [Page 6]


Internet-Draft               doh-over-proxy                    July 2021


   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013, <https://www.rfc-editor.org/info/rfc6888>.

   [SQUID]    "Squid: Optimising Web Delivery", n.d.,
              <http://www.squid-cache.org/>.

Appendix A.  Example Squid configuration

   Squid: Optimising Web Delivery [SQUID] is a well-used open source
   caching proxy software for the Web.

   An example squid configuration example that can only connect to some
   DoH servers is here.

   acl SSL_ports port 443
   acl CONNECT method CONNECT
   acl doh dstdomain dns.google
   acl doh dstdomain cloudflare-dns.com
   acl doh dstdomain doh.opendns.com
   acl doh dstdomain dns.quad9.net
   acl doh dstdomain public.dns.iij.jp
   http_access allow doh CONNECT SSL_ports
   http_access deny all

Author's Address

   Kazunori Fujiwara
   Japan Registry Services Co., Ltd.
   Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda, Chiyoda-ku, Tokyo
   101-0065
   Japan

   Phone: +81 3 5215 8451
   Email: fujiwara@jprs.co.jp















Fujiwara                 Expires 14 January 2022                [Page 7]