Photo – G. T. Wang – CC BY / Photo modified
Fears Around EDNS
Standardized in 1987 (RFC 1035), DNS was not designed for many of the changes and security requirements that came with the growth of the Internet. Even the author of the domain name system, Paul Mockapetris, said in an interview that he did not expect his creation to spread so widely. By his estimate, DNS was meant to handle tens of millions of IP addresses, but their total number has exceeded 300 million.
Initially, there was little room for extending DNS functionality. The situation changed in 1999, when the EDNS0 specification (RFC 2671) was published. It added a new pseudo-record type, OPT, which carries 16 flags describing the properties of the DNS query.
Note that EDNS0 was meant to be a temporary solution, to be replaced later by an updated EDNS1. But instead of turning into EDNS1 (for which a draft exists), the specification kept accumulating options and integrations and is still in use.
EDNS0 also made it possible to attach client subnet information to DNS queries (the EDNS Client Subnet option). The Akamai content delivery network uses this to pick the server closest to the user. However, Geoff Huston, a leading researcher at the APNIC regional Internet registry, notes that this lowers the overall level of information security: the servers that manage DNS zones can identify the user who sent a request to download a particular file. It also increases the load on local resolvers, which are forced to key cached entries by subnet, reducing the cache's effectiveness.
Despite these concerns, the new functionality was implemented by Google Public DNS and OpenDNS. Perhaps the EDNS0 specification will be amended in the future to improve the security situation; similar changes could be made in EDNS1 if it ever leaves draft status.
DoH / DoT Disputes
DNS does not encrypt messages exchanged between client and server, so anyone who intercepts the queries can find out which resources the user is visiting. To address this, last October engineers from the IETF and ICANN published the DNS over HTTPS (DoH) standard.
The new approach sends DNS queries not directly but encapsulated in HTTPS traffic. Data is exchanged over the standard port 443, and anyone listening to the traffic will find it quite difficult to extract the DNS information. Google and Mozilla came out in support of the new protocol and integrated DNS over HTTPS into their browsers.
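The Client Subnet exposure discussed under "Fears Around EDNS" and the DoH wrapping described here, shown together in an added Python example (not code from the article or from any product it mentions): it builds a DNS query whose OPT pseudo-record carries a Client Subnet option truncated to a chosen prefix, encodes it as an RFC 8484 GET path for port 443, and parses back what a zone server would learn from it. The domain name, client address and prefix lengths are constructed values.

```python
import base64
import ipaddress
import struct
from typing import Optional

# Added illustration (not code from the article); all values are constructed.
ECS_OPTION_CODE = 8  # EDNS Client Subnet, RFC 7871

def encode_name(name: str) -> bytes:
    """Domain name in DNS wire format: length-prefixed labels plus root terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def ecs_option(client_ip: str, source_prefix_len: int) -> bytes:
    """Client Subnet option. The address is truncated to the prefix, so a shorter
    prefix (/24, /20) is the knob limiting how precisely zone servers can place the user."""
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix_len}", strict=False)
    addr = net.network_address.packed[:(source_prefix_len + 7) // 8]
    data = struct.pack("!HBB", 1 if net.version == 4 else 2, source_prefix_len, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def build_query(qname: str, client_ip: Optional[str] = None, prefix_len: int = 24) -> bytes:
    """A-record query with an OPT RR (ID 0, as RFC 8484 suggests for cacheable GETs)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = ecs_option(client_ip, prefix_len) if client_ip else b""
    # OPT: root name, TYPE=41, UDP payload size 4096, ext-RCODE/version/flags all 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata

def doh_get_path(wire: bytes, template: str = "/dns-query") -> str:
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter (over port 443)."""
    return template + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def doh_decode_path(path: str) -> bytes:
    """Server side: restore padding and recover the wire-format query."""
    b64 = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

def advertised_prefix(wire: bytes) -> Optional[int]:
    """What an authoritative server learns: the ECS source prefix length, or None."""
    pos = 12
    while wire[pos]:                      # skip QNAME labels
        pos += wire[pos] + 1
    pos += 1 + 4 + 1 + 2 + 2 + 4          # terminator, QTYPE/QCLASS, OPT name/type/size/TTL
    rdlen = struct.unpack_from("!H", wire, pos)[0]
    pos, end = pos + 2, pos + 2 + rdlen
    while pos < end:
        code, olen = struct.unpack_from("!HH", wire, pos)
        if code == ECS_OPTION_CODE:
            return struct.unpack_from("!HBB", wire, pos + 4)[1]
        pos += 4 + olen
    return None
```

A resolver that wants to limit what Huston describes would call `ecs_option` with a shorter prefix (or omit it), and `advertised_prefix` shows exactly how much the zone server still receives.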
APNIC's Geoff Huston also noted that DoH will simplify network structure by reducing the number of ports used and will speed up address resolution.
Photo – Andrew Hart – CC BY-SA
But not everyone shares this opinion. According to Paul Vixie, the developer of the BIND DNS server, the new standard on the contrary complicates network administration. At the same time, DoH does not guarantee anonymity of requests: which hosts a user is contacting can still be determined from the TLS SNI field and from OCSP responses. According to an APNIC study, a third party does not even need DNS records to determine which resources a user visits; they can be identified with 95% accuracy from IP addresses alone.
For this reason, some experts suggest an alternative approach, DNS over TLS (DoT). Here DNS queries are carried on a dedicated port, 853, so the data is still encrypted but network operation is simpler.
It is hard to say which standard will win. Many cloud providers and browser developers already support both protocols. Only time will tell which one becomes more widespread, and in any case that may take more than a decade.
At 1cloud.ru we offer the Cloud Storage service. It can be used to store backups, archive data and exchange corporate documents.
The storage system is built on three types of disks: HDD SATA, HDD SAS and SSD SAS, with a total capacity of several thousand terabytes.