Unilateral Opportunistic Deployment of Encrypted Recursive‑to‑Authoritative DNS American Civil Liberties Union
125 Broad St. New York NY 10004 United States of America dkg@fifthhorseman.net
Alajuela 20201 Costa Rica joeygsal@gmail.com
ICANN
United States of America paul.hoffman@icann.org
int dprive DNS over TLS DNS over QUIC DoT DoQ encryption unilateral recursive authoritative DNS This document sets out steps that DNS servers (recursive resolvers and authoritative servers) can take unilaterally (without any coordination with other peers) to defend DNS query privacy against a passive network monitor. The protections provided by the guidance in this document can be defeated by an active attacker, but they should be simpler and less risky to deploy than more powerful defenses. The goal of this document is to simplify and speed up deployment of opportunistic encrypted transport in the recursive-to-authoritative hop of the DNS ecosystem. Wider easy deployment of the underlying encrypted transport on an opportunistic basis may facilitate the future specification of stronger cryptographic protections against more-powerful attacks.
Status of This Memo This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation. This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .
Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Table of Contents
  • .  Introduction
    • .  Requirements Language
    • .  Terminology
  • .  Priorities
    • .  Minimizing Negative Impacts
    • .  Protocol Choices
  • .  Guidance for Authoritative Servers
    • .  Pooled Authoritative Servers behind a Load Balancer
    • .  Authentication
    • .  Server Name Indication
    • .  Resource Exhaustion
    • .  Pad Responses to Mitigate Traffic Analysis
  • .  Guidance for Recursive Resolvers
    • .  High-Level Overview
    • .  Maintaining Authoritative State by IP Address
    • .  Overall Recursive Resolver Settings
    • .  Recursive Resolver Requirements
    • .  Authoritative Server Encrypted Transport Connection State
    • .  Probing Policy
      • .  Sending a Query over Do53
      • .  Receiving a Response over Do53
      • .  Initiating a Connection over Encrypted Transport
      • .  Establishing an Encrypted Transport Connection
      • .  Failing to Establish an Encrypted Transport Connection
      • .  Encrypted Transport Failure
      • .  Handling Clean Shutdown of an Encrypted Transport Connection
      • .  Sending a Query over Encrypted Transport
      • .  Receiving a Response over Encrypted Transport
      • Resource Exhaustion
      • Maintaining Connections
      • Additional Tuning
  • .  IANA Considerations
  • .  Privacy Considerations
    • .  Server Name Indication
    • .  Modeling the Probability of Encryption
  • .  Security Considerations
  • .  Operational Considerations
  • .  References
    • .  Normative References
    • .  Informative References
  • .  Assessing the Experiment
  • .  Defense against Active Attackers
    • .  Signaling Mechanism Properties
    • .  Authentication of Authoritative Servers
    • .  Combining Protocols
  • Acknowledgements
  • Authors' Addresses
Introduction This document aims to provide guidance to DNS implementers and operators who want to simply enable protection against passive network observers. In particular, it focuses on mechanisms that can be adopted unilaterally by recursive resolvers and authoritative servers, without any explicit coordination with the other parties. This guidance provides opportunistic security (see ), that is, encrypting things that would otherwise be in the clear, without interfering with or weakening stronger forms of security. This document also briefly introduces (but does not try to specify) how a future protocol might permit defense against an active attacker in . The protocol described here offers three concrete advantages to the DNS ecosystem:
  • Protection from passive attackers of DNS queries in transit between recursive and authoritative servers.
  • A road map for gaining real-world experience at scale with encrypted protections of this traffic.
  • A bridge to some possible future protection against a more powerful attacker.
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Terminology
Unilateral:
Capable of opportunistic probing without external coordination with any of the other parties.
Do53:
DNS over port 53 () for traditional cleartext transport.
DoQ:
DNS over QUIC ().
DoT:
DNS over TLS ().
Encrypted transports:
DoQ and DoT, collectively.
Priorities The protocol described in this document was developed with two priorities: minimizing negative impacts and retaining flexibility in the underlying encrypted transport protocol.
Minimizing Negative Impacts The protocol described in this document aims to minimize potentially negative impacts caused by the probing of encrypted transports for the systems that adopt the protocol, for the parties that those systems communicate with, and for uninvolved third parties. The negative impacts that this protocol specifically tries to minimize are:
  • excessive bandwidth use,
  • excessive use of computational resources (CPU and memory in particular), and
  • the potential for amplification attacks (where DNS resolution infrastructure is wielded as part of a DoS attack).
Protocol Choices Although this document focuses specifically on strategies used by DNS servers, it does not go into detail on the specific protocols used because those protocols, in particular DoT and DoQ, are described in other documents. The DoT specification () says that it:
...focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.
It further says:
It might work equally between recursive clients and authoritative servers...
The DoQ specification () says:
For the recursive to authoritative scenario, authentication requirements are unspecified at the time of writing and are the subject of ongoing work in the DPRIVE WG.
The protocol described in this document specifies the use of DoT and DoQ without authentication of the server. This document does not pursue the use of DNS over HTTPS, commonly called "DoH" (), in this context because a DoH client needs to know the path part of a DoH endpoint URL. Currently, there are no mechanisms for a DNS recursive resolver to predict the path on its own, in an opportunistic or unilateral fashion, without incurring an excessive use of resources. If such mechanisms are later defined, the protocol in this document can be updated to accommodate them.
Guidance for Authoritative Servers The protocol described in this document is OPTIONAL for authoritative servers. An authoritative server choosing to implement the protocol described in this document MUST implement at least one of either DoT or DoQ on port 853. An authoritative server choosing to implement the protocol described in this document MAY require clients to use Application-Layer Protocol Negotiation (ALPN) (see ). The ALPN strings the client will use are given in . An authoritative server implementing DoT or DoQ MUST populate the response from the same authoritative zone data as the unencrypted DNS transports. Encrypted transports have their own characteristic response size that might be different from the unencrypted DNS transports, so response sizes and related options (e.g., Extension Mechanisms for DNS (EDNS0)) and flags (e.g., the TrunCation (TC) bit) might vary based on the transport. In other words, the content of the responses to a particular query MUST be the same regardless of the type of transport.
Pooled Authoritative Servers behind a Load Balancer Some authoritative DNS servers are structured as a pool of authoritatives standing behind a load balancer that runs on a single IP address, forwarding queries to members of the pool. In such a deployment, individual members of the pool typically get updated independently from each other. A recursive resolver following the guidance in and interacting with such a pool likely does not know that it is a pool. If some members of the pool follow the protocol specified in this document while others do not, the recursive client might see the pool as a single authoritative server that sometimes offers and sometimes refuses encrypted transport. To avoid incurring additional minor timeouts for such a recursive resolver, the pool operator SHOULD:
  • ensure that all members of the pool enable the same encrypted transport(s) within the span of a few seconds (such as within 30 seconds), or
  • ensure that the load balancer maps client requests to pool members based on client IP addresses, or
  • use a load balancer that forwards queries/connections on encrypted transports to only those members of the pool known (e.g., via monitoring) to support the given encrypted transport.
Similar concerns apply to authoritative servers responding from an anycast IP address. As long as the pool of servers is in a heterogeneous state, any flapping route that switches a given client IP address to a different responder risks incurring an additional timeout. Frequent changes of routing for anycast listening IP addresses are also likely to cause problems for TLS, TCP, or QUIC connection state as well, so stable routes are important to ensure that the service remains available and responsive. The servers in a pool can share session information to increase the likelihood of successful resumptions.
Authentication For unilateral deployment, an authoritative server does not need to offer any particular form of authentication. One simple deployment approach would just be to provide a self-issued, regularly updated X.509 certificate. Whether the certificates used are short-lived or long-lived is up to the deployment. This mechanism is supported by many TLS and QUIC clients and will be acceptable for any opportunistic connection. The server could provide a normal PKI-based certificate, but there is no advantage to doing so at this time.
Server Name Indication An authoritative DNS server that wants to handle unilateral queries MAY rely on Server Name Indication (SNI) to select alternate server credentials. However, such a server MUST NOT serve resource records that differ based on SNI (or on the lack of an SNI) provided by the client because a probing recursive resolver that offers SNI might or might not have used the right server name to get the records it is looking for.
Resource Exhaustion A well-behaved recursive resolver may keep an encrypted connection open to an authoritative server to amortize the costs of connection setup for both parties. However, some authoritative servers may have insufficient resources available to keep many connections open concurrently. To keep resources under control, authoritative servers should proactively manage their encrypted connections. offers useful guidance for servers managing DoQ connections. offers useful guidance for servers managing DoT connections. An authoritative server facing unforeseen resource exhaustion SHOULD cleanly close open connections from recursive resolvers based on the authoritative server's preferred prioritization. In the case of unanticipated resource exhaustion, close connections until resources are back in control. A reasonable prioritization scheme would be to close connections with no outstanding queries, ordered by idle time (longest idle time gets closed first), then close connections with outstanding queries, ordered by age of outstanding query (oldest outstanding query gets closed first). When resources are especially tight, the authoritative server may also decline to accept new connections over encrypted transport.
Pad Responses to Mitigate Traffic Analysis To increase the anonymity set for each response, the authoritative server SHOULD use a sensible padding mechanism for all responses it sends when possible. The ability for the authoritative server to add padding might be limited, such as by not receiving an EDNS0 option in the query. Specifically, a DoT server SHOULD use EDNS0 padding if possible, and a DoQ server SHOULD follow the guidance in . How much to pad is out of scope of this document, but a reasonable suggestion can be found in .
Guidance for Recursive Resolvers The protocol described in this document is OPTIONAL for recursive resolvers. This section outlines a probing policy suitable for unilateral adoption by any recursive resolver. Following this policy should not result in failed resolutions or significant delays.
High-Level Overview In addition to querying on Do53, the recursive resolver will try DoT, DoQ, or both concurrently. The recursive resolver remembers what opportunistic encrypted transport protocols have worked recently based on a (clientIP, serverIP, protocol) tuple. If a query needs to go to a given authoritative server, and the recursive resolver remembers a recent successful encrypted transport to that server, then it doesn't send the query over Do53 at all. Rather, it only sends the query using the encrypted transport protocol that was recently shown to be good. If the encrypted transport protocol fails, the recursive resolver falls back to Do53 for that serverIP. When any encrypted transport fails, the recursive resolver remembers that failure for a reasonable amount of time to avoid flooding an incompatible server with requests that it cannot accept. The description of how an encrypted transport protocol fails is in and the sections following that. See the subsections below for a more detailed description of this protocol.
Maintaining Authoritative State by IP Address In designing a probing strategy, the recursive resolver could record its knowledge about any given authoritative server with different strategies, including at least:
  • the authoritative server's IP address,
  • the authoritative server's name (the NS record used), or
  • the zone that contains the record being looked up.
This document encourages the first strategy, to minimize timeouts or accidental delays, and does not describe the other two strategies. A timeout (accidental delay) is most likely to happen when the recursive client believes that the authoritative server offers encrypted transport, but the actual server reached declines encrypted transport (or worse, filters the incoming traffic and does not even respond with an ICMP destination port unreachable message, such as during rate limiting). By associating the state with the authoritative IP address, the client can minimize the number of accidental delays introduced (see also Sections and ). For example, consider an authoritative server named ns0.example.com that is served by two installations: one at 2001:db8::7 that follows this guidance and one at 2001:db8::8 that is a legacy (cleartext port 53-only) deployment. A recursive client who associates state with the NS name and reaches 2001:db8::7 first will "learn" that ns0.example.com supports encrypted transport. A subsequent query over encrypted transport dispatched to 2001:db8::8 would fail, potentially delaying the response.
Overall Recursive Resolver Settings A recursive resolver implementing the protocol in this document needs to set system-wide values for some default parameters. These parameters may be set independently for each supported encrypted transport, though a simple implementation may keep the parameters constant across encrypted transports. Recursive Resolver System Parameters per Encrypted Transport
Name Description Suggested Default
persistence How long the recursive resolver remembers a successful encrypted transport connection 3 days (259200 seconds)
damping How long the recursive resolver remembers an unsuccessful encrypted transport connection 1 day (86400 seconds)
timeout How long the recursive resolver waits for an initiated encrypted connection to complete 4 seconds
This document uses the notation <transport>-foo to refer to the foo parameter for the encrypted transport <transport>. For example, DoT-persistence would indicate the length of time that the recursive resolver will remember that an authoritative server had a successful connection over DoT. Additionally, when describing an arbitrary encrypted transport, we use E in place of <transport> to generically mean whatever encrypted transport is in use. For example, when handling a query sent over encrypted transport E, a reference to E-timeout should be understood to mean DoT-timeout if the query is sent over DoT, and to mean DoQ-timeout if the query is sent over DoQ. This document also assumes that the recursive resolver maintains a list of outstanding cleartext queries destined for the authoritative server's IP address X. This list is referred to as "Do53-queries[X]" This document does not attempt to describe the specific operation of sending and receiving cleartext DNS queries (Do53) for a recursive resolver. Instead it describes a "bolt-on" mechanism that extends the recursive resolver's operation on a few simple hooks into the recursive resolver's existing handling of Do53. Implementers or deployers of DNS recursive resolvers that follow the strategies in this document are encouraged to publish their preferred values of these parameters.
Recursive Resolver Requirements To follow the strategies in this document, a recursive resolver MUST implement at least one of either DoT or DoQ in its capacity as a client of authoritative nameservers. A recursive resolver SHOULD implement the client side of DoT. A recursive resolver SHOULD implement the client side of DoQ. DoT queries from the recursive resolver MUST target TCP port 853 using an ALPN of "dot". DoQ queries from the recursive resolver MUST target UDP port 853 using an ALPN of "doq". While this document focuses on the recursive-to-authoritative hop, a recursive resolver implementing the strategies in this document SHOULD also accept queries from its clients over some encrypted transport unless it only accepts queries from the localhost.
Authoritative Server Encrypted Transport Connection State The recursive resolver SHOULD keep a record of the state for each authoritative server it contacts, indexed by the IP address of the authoritative server and the encrypted transports supported by the recursive resolver. Note that the recursive resolver might record this per-authoritative-IP state for each source IP address it uses as it sends its queries. For example, if a recursive resolver can send a packet to authoritative servers from IP addresses 2001:db8::100 and 2001:db8::200, it could keep two distinct sets of per-authoritative-IP state: one for each source address it uses, if the recursive resolver knows the addresses in use. Keeping these state tables distinct for each source address makes it possible for a pooled authoritative server behind a load balancer to do a partial rollout while minimizing accidental timeouts (see ). In addition to tracking the state of connection attempts and outcomes, a recursive resolver SHOULD record the state of established sessions for encrypted protocols. The details of how sessions are identified are dependent on the transport protocol implementation (such as a TLS session ticket or TLS session ID, a QUIC connection ID, and so on). The use of session resumption as recommended here is limited somewhat because the tickets are only stored within the context defined by the (clientIP, serverIP, protocols) tuples used to track client-server interaction by the recursive resolver in a table like the one below. However, session resumption still offers the ability to optimize the handshake in some circumstances. Each record should contain the following fields for each supported encrypted transport, each of which would initially be null: Recursive Resolver State per-Authoritative-IP and per-Encrypted Transport
Name Description Retain Across Restart
session The associated state of any existing established session (the structure of this value is dependent on the encrypted transport implementation). If session is not null, it may be in one of two states: pending or established. no
initiated Timestamp of the most recent connection attempt yes
completed Timestamp of the most recent completed handshake (which can include one where an existing session is resumed) yes
status Enumerated value of success, fail, or timeout associated with the completed handshake yes
last-response A timestamp of the most recent response received on the connection yes
resumptions A stack of resumption tickets (and associated parameters) that could be used to resume a prior successful session yes
queries A queue of queries intended for this authoritative server, each of which has additional status of early, unsent, or sent no
last-activity A timestamp of the most recent activity on the connection no
Note that the session fields in aggregate constitute a pool of open connections to different servers. With the exception of the session, queries, and last-activity fields, this cache information should be kept across restart of the server unless explicitly cleared by administrative action. This document uses the notation E-foo[X] to indicate the value of field foo for encrypted transport E to IP address X. For example, DoT-initiated[192.0.2.4] represents the timestamp when the most recent DoT connection packet was sent to IP address 192.0.2.4. This document uses the notation any-E-queries to indicate any query on an encrypted transport.
Probing Policy When a recursive resolver discovers the need for an authoritative lookup to an authoritative DNS server using that server's IP address X, it retrieves the connection state records described in associated with X from its cache. Some of the subsections that follow offer pseudocode that corresponds roughly to an asynchronous programming model for a recursive resolver's interactions with authoritative servers. All subsections also presume that the time of the discovery of the need for lookup is time T0. If any of the records discussed here are absent, they are treated as null. The recursive resolver must decide whether to initially send a query over Do53, or over either of the supported encrypted transports (DoT or DoQ). Note that a recursive resolver might initiate this query via any or all of the known transports. When multiple queries are sent, the initial packets for each connection can be sent concurrently, similar to the method used in the document known as "Happy Eyeballs" (). However, unlike Happy Eyeballs, when one transport succeeds, the other connections do not need to be terminated; instead they can be continued to establish whether the IP address X is capable of communicating on the relevant transport.
Sending a Query over Do53 For any of the supported encrypted transports E, the recursive resolver SHOULD NOT send a query to X over Do53 if either of the following holds true:
  • E-session[X] is in the established state, or
  • E-status[X] is success and (T0 - E-last-response[X]) < persistence.
This indicates that one successful connection to a server that the client then closed cleanly would result in the client not sending the next query over Do53. Otherwise, if there is no outstanding session for any encrypted transport, and the last successful encrypted transport connection was long ago, the recursive resolver sends a query to X over Do53. When it does so, it inserts a handle for the query in Do53-queries[X].
Receiving a Response over Do53 When any response R (a well-formed DNS response, asynchronous timeout, asynchronous destination port unreachable, etc.) for query Q arrives at the recursive resolver in cleartext sent over Do53 from an authoritative server with IP address X, the recursive resolver should perform the following. If Q is not in Do53-queries[X]:
  • process R no further (do not respond to a cleartext response to a query that is not outstanding).
Otherwise, if Q was marked as already processed:
  • remove Q from Do53-queries[X],
  • discard any content from the response, and process R no further.
If R is a well-formed DNS response:
  • remove Q from Do53-queries[X],
  • process R further, and
  • for each supported encrypted transport E:
    • if Q is in E-queries[X], then
      • mark Q as already processed.
However, if R is malformed or a failure (e.g., a timeout or destination port unreachable), and
  • if Q is not in any of any-E-queries[X], then
    • treat this as a failed query (i.e., follow the resolver's policy for unresponsive or non-compliant authoritatives, such as falling back to another authoritative server, returning SERVFAIL to the requesting client, and so on).
Initiating a Connection over Encrypted Transport If any E-session[X] is in the established state, the recursive resolver SHOULD NOT initiate a new connection or resume a previous connection to X over Do53 or E, but should instead send queries to X through the existing session (see ). If the recursive resolver prefers one encrypted transport over another, but only the unpreferred encrypted transport is in the established state, it MAY also initiate a new connection to X over its preferred encrypted transport while concurrently sending the query over the established encrypted transport E. Before considering whether to initiate a new connection over an encrypted transport, the timer should be examined, and its state possibly refreshed, for encrypted transport E to authoritative IP address X.
  • If E-session[X] is in state pending, and
  • T0 - E-initiated[X] > E-timeout, then
    • set E-session[X] to null, and
    • set E-status[X] to timeout.
When resources are available to attempt a new encrypted transport, the recursive resolver should only initiate a new connection to X over E as long as one of the following holds true:
  • E-status[X] is success, or
  • E-status[X] is either fail or timeout and (T0 - E-completed[X]) > damping, or
  • E-status[X] is null and E-initiated[X] is null.
When initiating a session to X over encrypted transport E, if E-resumptions[X] is not empty, one ticket should be popped off the stack and used to try to resume a previous session. Otherwise, the initial ClientHello handshake should not try to resume any session. When initiating a connection, the recursive resolver should take the following steps:
  • set E-initiated[X] to T0,
  • store a handle for the new session (which should have pending state) in E-session[X], and
  • insert a handle for the query that prompted this connection in E-queries[X], with status unsent or early, as appropriate (see below).
Early Data Modern encrypted transports like TLS 1.3 offer the chance to send "early data" from the client in the initial ClientHello in some contexts. A recursive resolver that initiates a connection over an encrypted transport according to this guidance in a context where early data is possible SHOULD send the DNS query that prompted the connection in the early data, according to the sending guidance in . If it does so, the status of Q in E-queries[X] should be set to early instead of unsent.
Resumption Tickets When initiating a new connection (whether by resuming an old session or not), the recursive resolver SHOULD request a session resumption ticket from the authoritative server. If the authoritative server supplies a resumption ticket, the recursive resolver pushes it into the stack at E-resumptions[X].
Server Name Indication For modern encrypted transports like TLS 1.3, most client implementations expect to send a Server Name Indication (SNI) in the ClientHello. There are two complications with selecting or sending an SNI in this unilateral probing.
  • Some authoritative servers are known by more than one name; selecting a single name to use for a given connection may be difficult or impossible.
  • In most configurations, the contents of the SNI field are exposed on the wire to a passive adversary. This potentially reveals additional information about which query is being made based on the NS of the query itself.
To avoid additional leakage and complexity, a recursive resolver following this guidance SHOULD NOT send an SNI to the authoritative server when attempting encrypted transport. If the recursive resolver needs to send an SNI to the authoritative server for some reason not found in this document, using Encrypted ClientHello () would reduce leakage.
Authoritative Server Authentication Because this probing policy is unilateral and opportunistic, the client connecting under this policy MUST accept any certificate presented by the server. If the client cannot verify the server's identity, it MAY use that information for reporting, logging, or other analysis purposes; however, it MUST NOT reject the connection due to the authentication failure, as the result would be falling back to cleartext, which would leak the content of the session to a passive network monitor.
Establishing an Encrypted Transport Connection When an encrypted transport connection actually completes (e.g., the TLS handshake completes) at time T1, the recursive resolver sets E-completed[X] to T1 and does the following. If the handshake completed successfully, the recursive resolver:
  • updates E-session[X] so that it is in state established,
  • sets E-status[X] to success,
  • sets E-last-response[X] to T1,
  • sets E-completed[X] to T1, and
  • for each query Q in E-queries[X]:
    • if early data was accepted and Q is early, then
      • sets the status of Q to sent.
    • Otherwise:
      • sends Q through the session (see ) and sets the status of Q to sent.
Failing to Establish an Encrypted Transport Connection If, at time T2, an encrypted transport handshake completes with a failure (e.g., a TLS alert):
  • set E-session[X] to null,
  • set E-status[X] to fail,
  • set E-completed[X] to T2, and
  • for each query Q in E-queries[X]:
    • if Q is not present in any other any-E-queries[X] or in Do53-queries[X], add Q to Do53-queries[X] and send query Q to X over Do53.
Note that this failure will trigger the recursive resolver to fall back to cleartext queries to the authoritative server at IP address X. It will retry encrypted transport to X once the damping timer has elapsed.
Encrypted Transport Failure Once established, an encrypted transport might fail for a number of reasons (e.g., decryption failure or improper protocol sequence). If this happens:
  • set E-session[X] to null,
  • set E-status[X] to fail, and
  • for each query Q in E-queries[X]:
    • if Q is not present in any other any-E-queries[X] or in Do53-queries[X], add Q to Do53-queries[X] and send query Q to X over Do53.
Note that this failure will trigger the recursive resolver to fall back to cleartext queries to the authoritative server at IP address X. It will retry encrypted transport to X once the damping timer has elapsed.
Handling Clean Shutdown of an Encrypted Transport Connection At time T3, the recursive resolver may find that authoritative server X cleanly closes an existing outstanding connection (most likely due to resource exhaustion, see ). When this happens:
  • set E-session[X] to null, and
  • for each query Q in E-queries[X]:
    • if Q is not present in any other any-E-queries[X] or in Do53-queries[X], add Q to Do53-queries[X] and send query Q to X over Do53.
Note that this premature shutdown will trigger the recursive resolver to fall back to cleartext queries to the authoritative server at IP address X. Any subsequent query to X will retry the encrypted connection promptly.
Sending a Query over Encrypted Transport When sending a query to an authoritative server over encrypted transport at time T4, the recursive resolver should take a few reasonable steps to ensure privacy and efficiency. After sending query Q, the recursive resolver should:
  • Ensure that Q's state in E-queries[X] is set to sent.
  • Set E-last-activity[X] to T4.
The recursive resolver should also consider the guidance in the following subsections.
Pad Queries to Mitigate Traffic Analysis To increase the anonymity set for each query, the recursive resolver SHOULD use a sensible padding mechanism for all queries it sends. Specifically, a DoT client SHOULD use EDNS0 padding , and a DoQ client SHOULD follow the guidance in . How much to pad is out of scope of this document, but a reasonable suggestion can be found in .
Send Queries in Separate Channels When multiple queries are multiplexed on a single encrypted transport to a single authoritative server, the recursive resolver SHOULD pipeline queries and MUST be capable of receiving responses out of order. For guidance on how to best achieve this on a given encrypted transport, see (for DoT) and (for DoQ).
Receiving a Response over Encrypted Transport Even though session-level events on encrypted transports like clean shutdown (see ) or encrypted transport failure (see ) can happen, some events happen on encrypted transports that are specific to a query and are not session-wide. This subsection describes how the recursive resolver deals with events related to a specific query. When a query-specific response R (a well-formed DNS response or an asynchronous timeout) associated with query Q arrives at the recursive resolver over encrypted transport E from an authoritative server with IP address X at time T5, the recursive resolver should perform the following. If Q is not in E-queries[X]:
  • discard the response and process R no further (do not respond to an encrypted response to a query that is not outstanding).
Otherwise:
  • remove Q from E-queries[X],
  • set E-last-activity[X] to T5, and
  • set E-last-response[X] to T5.
If Q was marked as already processed:
  • discard the response and process the response no further.
If R is a well-formed DNS response:
  • process R further, and
  • for each supported encrypted transport N other than E:
    • if Q is in N-queries[X], then
      • mark Q as already processed.
  • If Q is in Do53-queries[X]:
    • mark Q as already processed.
However, if R is malformed or a failure (e.g., timeout), and
  • if Q is not in Do53-queries[X] or in any of any-E-queries[X], then
    • treat this as a failed query (i.e., follow the resolver's policy for unresponsive or non-compliant authoritative servers, such as falling back to another authoritative server, returning SERVFAIL to the requesting client, and so on).
Resource Exhaustion To keep resources under control, a recursive resolver should proactively manage outstanding encrypted connections. offers useful guidance for clients managing DoQ connections. offers useful guidance for clients managing DoT connections. Even with sensible connection management, a recursive resolver doing unilateral probing may find resources unexpectedly scarce and may need to close some outstanding connections. In such a situation, the recursive resolver SHOULD use a reasonable prioritization scheme to close outstanding connections. One reasonable prioritization scheme would be to close outstanding established sessions based on E-last-activity[X] (i.e, the oldest timestamp gets closed first). Note that when resources are limited, a recursive resolver following this guidance may also choose not to initiate new connections for encrypted transport.
Maintaining Connections Some recursive resolvers looking to amortize connection costs and minimize latency MAY choose to synthesize queries to a particular authoritative server to keep an encrypted transport session active. A recursive resolver that adopts this approach should try to align the synthesized queries with other optimizations. For example, a recursive resolver that "pre-fetches" a particular resource record to keep its cache "hot" can send that query over an established encrypted transport session.
Additional Tuning A recursive resolver's state table for an authoritative server can contain additional information beyond what is described above. The recursive resolver might use that additional state to change the way it interacts with the authoritative server in the future. Some examples of additional states include the following.
  • Whether the server accepts "early data" over a transport such as DoQ.
  • Whether the server fails to respond to queries after the handshake succeeds.
  • Tracking the round-trip time of queries to the server.
  • Tracking the number of timeouts (compared to the number of successful queries).
IANA Considerations This document has no IANA actions.
Privacy Considerations
Server Name Indication A recursive resolver querying an authoritative server over DoT or DoQ that sends a Server Name Indication (SNI) in the clear in the cryptographic handshake leaks information about the intended query to a passive network observer. In particular, if two different zones refer to the same nameserver IP addresses via differently named NS records, a passive network observer can distinguish the queries to one zone from the queries to the other. Omitting SNI entirely, or using Encrypted ClientHello to hide the intended SNI, avoids this additional leakage. However, a series of queries that leak this information is still an improvement over cleartext.
Modeling the Probability of Encryption Given that there are many parameter choices that can be made by recursive resolvers and authoritative servers, it is reasonable to consider the probability that queries would be encrypted. Such a measurement would also certainly be affected by the types of queries being sent by the recursive resolver, which, in turn, is also related to the types of queries that are sent to the recursive resolver by the stub resolvers and forwarders downstream. Doing this type of research would be valuable to the DNS community after initial implementation by a variety of recursive resolvers and authoritative servers because it would help assess the overall DNS privacy value of implementing the protocol. Thus, it would be useful if recursive resolvers and authoritative servers reported percentages of queries sent and received over the different transports.
Security Considerations The guidance in this document provides defense against passive network monitors for most queries. It does not defend against active attackers. It can also leak some queries and their responses due to Happy Eyeballs optimizations () when the recursive resolver's cache is cold. Implementation of the guidance in this document should increase deployment of opportunistic encrypted DNS transport between recursive resolvers and authoritative servers at little operational risk. However, implementers cannot rely on the guidance in this document for robust defense against active attackers: they should treat it as a stepping stone en route to stronger defense. In particular, a recursive resolver following the guidance in this document can easily be forced by an active attacker to fall back to cleartext DNS queries. Or, an active attacker could position itself as a machine-in-the-middle, which the recursive resolver would not defend against or detect due to lack of server authentication. Defending against these attacks without risking additional unexpected protocol failures would require signaling and coordination that are out of scope for this document. This guidance is only one part of operating a privacy-preserving DNS ecosystem. A privacy-preserving recursive resolver should adopt other practices as well, such as QNAME minimization (), local root zone (), etc., to reduce the overall leakage of query information that could infringe on the client's privacy.
Operational Considerations As recursive resolvers implement this protocol, authoritative servers will see more probing on port 853 of IP addresses that are associated with NS records. Such probing of an authoritative server should generally not cause any significant problems. If the authoritative server is not supporting this protocol, it will not respond on port 853; if it is supporting this protocol, it will act accordingly. However, a system that is a public recursive resolver that supports DoT and/or DoQ may also have an IP address that is associated with NS records. This could be accidental (such as a glue record with the wrong target address) or intentional. In such a case, a recursive resolver following this protocol will look for authoritative answers to ports 53 and 853 on that IP address. Additionally, the DNS server answering on port 853 would need to be able to differentiate queries for recursive answers from queries for authoritative answers (e.g., by having the authoritative server handle all queries that have the Recursion Desired (RD) flag unset). As discussed in , the protocol described in this document provides no defense against active attackers. On a network where a captive portal is operating, some communications may be actively intercepted (e.g., when the network tries to redirect a user to complete an interaction with a captive portal server). A recursive resolver operating on a node that performs captive portal detection and Internet connectivity checks SHOULD delay encrypted transport probes to authoritative servers until after the node's Internet connectivity check policy has been satisfied.
References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection. Specification for DNS over Transport Layer Security (TLS) This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS. This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. DNS over Dedicated QUIC Connections This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios. Informative References Domain names - implementation and specification This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication. Opportunistic Security: Some Protection Most of the Time This document defines the concept "Opportunistic Security" in the context of communications protocols. Protocol designs based on Opportunistic Security use encryption even when authentication is not available, and use authentication when possible, thereby removing barriers to the widespread use of encryption on the Internet. SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) This memo describes a downgrade-resistant protocol for SMTP transport security between Message Transfer Agents (MTAs), based on the DNS-Based Authentication of Named Entities (DANE) TLSA DNS record. Adoption of this protocol enables an incremental transition of the Internet email backbone to one using encrypted and authenticated Transport Layer Security (TLS). DNS Transport over TCP - Implementation Requirements This document specifies the requirement for support of TCP as a transport protocol for DNS implementations and provides guidelines towards DNS-over-TCP performance on par with that of DNS-over-UDP. This document obsoletes RFC 5966 and therefore updates RFC 1035 and RFC 1123. The EDNS(0) Padding Option This document specifies the EDNS(0) "Padding" option, which allows DNS clients and servers to pad request and response messages by a variable number of octets. Happy Eyeballs Version 2: Better Connectivity Using Concurrency Many communication protocols operating over the modern Internet use hostnames. These often resolve to multiple IP addresses, each of which may have different performance and connectivity characteristics. Since specific addresses or address families (IPv4 or IPv6) may be blocked, broken, or sub-optimal on a network, clients that attempt multiple connections in parallel have a chance of establishing a connection more quickly. This document specifies requirements for algorithms that reduce this user-visible delay and provides an example algorithm, referred to as "Happy Eyeballs". This document obsoletes the original algorithm description in RFC 6555. SMTP TLS Reporting A number of protocols exist for establishing encrypted channels between SMTP Mail Transfer Agents (MTAs), including STARTTLS, DNS- Based Authentication of Named Entities (DANE) TLSA, and MTA Strict Transport Security (MTA-STS). These protocols can fail due to misconfiguration or active attack, leading to undelivered messages or delivery over unencrypted or unauthenticated channels. This document describes a reporting mechanism and format by which sending systems can share statistics and specific information about potential failures with recipient domains. Recipient domains can then use this information to both detect potential attacks and diagnose unintentional misconfigurations. SMTP MTA Strict Transport Security (MTA-STS) SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate. Padding Policies for Extension Mechanisms for DNS (EDNS(0)) RFC 7830 specifies the "Padding" option for Extension Mechanisms for DNS (EDNS(0)) but does not specify the actual padding length for specific applications. This memo lists the possible options ("padding policies"), discusses the implications of each option, and provides a recommended (experimental) option. DNS Queries over HTTPS (DoH) This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange. Running a Root Server Local to a Resolver Some DNS recursive resolvers have longer-than-desired round-trip times to the closest DNS root server; those resolvers may have difficulty getting responses from the root servers, such as during a network attack. Some DNS recursive resolver operators want to prevent snooping by third parties of requests sent to DNS root servers. In both cases, resolvers can greatly decrease the round-trip time and prevent observation of requests by serving a copy of the full root zone on the same server, such as on a loopback address or in the resolver software. This document shows how to start and maintain such a copy of the root zone that does not cause problems for other users of the DNS, at the cost of adding some operational fragility for the operator. This document obsoletes RFC 7706. TLS DNSSEC Chain Extension This document describes an experimental TLS extension for the in-band transport of the complete set of records that can be validated by DNSSEC and that are needed to perform DNS-Based Authentication of Named Entities (DANE) of a TLS server. This extension obviates the need to perform separate, out-of-band DNS lookups. When the requisite DNS records do not exist, the extension conveys a denial-of-existence proof that can be validated. This experimental extension is developed outside the IETF and is published here to guide implementation of the extension and to ensure interoperability among implementations. DNS Query Name Minimisation to Improve Privacy This document describes a technique called "QNAME minimisation" to improve DNS privacy, where the DNS resolver no longer always sends the full original QNAME and original QTYPE to the upstream name server. This document obsoletes RFC 7816. TLS Encrypted Client Hello RTFM, Inc. Fastly Cloudflare Cloudflare This document describes a mechanism in Transport Layer Security (TLS) for encrypting a ClientHello message under a server public key. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/tlswg/draft-ietf-tls-esni (https://github.com/tlswg/draft-ietf-tls-esni). Work in Progress DNS Error Reporting ICANN ICANN DNS error reporting is a lightweight reporting mechanism that provides the operator of an authoritative server with reports on DNS resource records that fail to resolve or validate. A domain owner or DNS hosting organization can use these reports to improve domain hosting. The reports are based on extended DNS errors as described in RFC 8914. When a domain name fails to resolve or validate due to a misconfiguration or an attack, the operator of the authoritative server may be unaware of this. To mitigate this lack of feedback, this document describes a method for a validating resolver to automatically signal an error to a monitoring agent specified by the authoritative server. The error is encoded in the QNAME, thus the very act of sending the query is to report the error. Work in Progress
Assessing the Experiment This document is an Experimental RFC. In order to assess the success of the experiment, some key metrics could be collected by the technical community about the deployment of the protocol in this document. These metrics will be collected in recursive resolvers, authoritative servers, and the networks containing them. Some key metrics include the following.
  • Comparison of the CPU and memory use between Do53 and encrypted transports.
  • Comparison of the query response rates between Do53 and encrypted transports.
  • Measurement of server authentication successes and failures.
  • Measurement and descriptions of observed attack traffic, if any.
  • Comparison of transactional bandwidth (ingress/egress, packets per second, bytes per second) between Do53 and encrypted transports.
Defense against Active Attackers The protocol described in this document provides no defense against active attackers. A future protocol for recursive-to-authoritative DNS might want to provide such protection. This appendix assumes that the use case for that future protocol is a recursive resolver that wants to prevent an active attack on communication between it and an authoritative server that has committed to offering encrypted DNS transport. An inherent part of this use case is that the recursive resolver would want to respond with a SERVFAIL response to its client if it cannot make an authenticated encrypted connection to any of the authoritative nameservers for a name. However, an authoritative server that merely offers encrypted transport (for example, by following the guidance in ) has made no such commitment, and no recursive resolver that prioritizes delivery of DNS records to its clients would want to "fail closed" unilaterally. Therefore, such a future protocol would need at least three major distinctions from the protocol described in this document:
  • A signaling mechanism that tells the recursive resolver that the authoritative server intends to offer authenticated encryption.
  • Authentication of the authoritative server.
  • A way to combine defense against an active attacker with the defenses described in this document.
This can be thought of as a DNS analog to or .
Signaling Mechanism Properties To defend against an active attacker, the signaling mechanism needs to be able to indicate that the recursive resolver should fail closed if it cannot authenticate the server for a particular query. The signaling mechanism itself would have to be resistant to downgrade attacks from active attackers. One open question is how such a signal should be scoped. While this document scopes opportunistic state about encrypted transport based on the IP addresses of the client and server, signaled intent to offer encrypted transport is more likely to be scoped by the queried zone in the DNS or by the nameserver name than by the IP address. A reasonable authoritative server operator or zone administrator probably doesn't want to risk breaking anything when they first enable the signal. Therefore, a signaling mechanism should probably also offer a means to report problems to the authoritative server operator without the client failing closed. Such a mechanism is likely to be similar to those described in or .
Authentication of Authoritative Servers Forms of server authentication might include:
  • An X.509 certificate issued by a widely known certification authority associated with the common NS names used for this authoritative server.
  • DNS-Based Authentication of Named Entities (DANE) (to avoid infinite recursion, the DNS records necessary to authenticate could be transmitted in the TLS handshake using the DNSSEC chain extension (see )).
A recursive resolver would have to verify the server's identity. When doing so, the identity would presumably be based on the NS name used for a given query or the IP address of the server.
Combining Protocols If this protocol gains reasonable adoption, and a newer protocol that can offer defense against an active attacker were available, deployment is likely to be staggered and incomplete. This means that an operator that wants to maximize confidentiality for their users will want to use both protocols together. Any new stronger protocol should consider how it interacts with the opportunistic protocol defined here, so that operators are not faced with the choice between widespread opportunistic protection against passive attackers (this document) and more narrowly targeted protection against active attackers.
Acknowledgements Many people contributed to the development of this document beyond the authors, including , , , , , , , , , , , , , , , , , , , and the DPRIVE Working Group.
Authors' Addresses American Civil Liberties Union
125 Broad St. New York NY 10004 United States of America dkg@fifthhorseman.net
Alajuela 20201 Costa Rica joeygsal@gmail.com
ICANN
United States of America paul.hoffman@icann.org