Internet-Draft | QNAME Minimisation | September 2021 |
Bortzmeyer, et al. | Expires 5 March 2022 | [Page] |
This document describes a technique called "QNAME minimisation" to improve DNS privacy, where the DNS resolver no longer always sends the full original QNAME and original QTYPE to the upstream name server. This document obsoletes RFC 7816.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 5 March 2022.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
The problem statement for this document is described in [RFC9076]. This specific solution is not intended to fully solve the DNS privacy problem; instead, it should be viewed as one tool amongst many.¶
QNAME minimisation follows the principle explained in Section 6.1 of [RFC6973]: the less data you send out, the fewer privacy problems you have.¶
Before QNAME minimisation, when a resolver received the query "What is the AAAA record for www.example.com?", it sent to the root (assuming a resolver whose cache is empty) the very same question. Sending the full QNAME to the authoritative name server was a tradition, not a protocol requirement. In a conversation with one of the authors in January 2015, Paul Mockapetris explained that this tradition comes from a desire to optimise the number of requests, when the same name server is authoritative for many zones in a given name (something that was more common in the old days, where the same name servers served .com and the root) or when the same name server is both recursive and authoritative (something that is strongly discouraged now). Whatever the merits of this choice at this time, the DNS is quite different now.¶
QNAME minimisation is compatible with the current DNS system and therefore can easily be deployed. Because it is only a change to the way that the resolver operates, it does not change the DNS protocol itself. The behaviour suggested here (minimising the amount of data sent in QNAMEs from the resolver) is allowed by Section 5.3.3 of [RFC1034] and Section 7.2 of [RFC1035].¶
This document obsoletes [RFC7816]. RFC 7816 was labelled "experimental", but ideas from it were widely deployed since its publication. Many resolver implementations now support QNAME minimisation. The lessons learned from implementing QNAME minimisation were used to create this new revision.¶
Data from DNSThought [dnsthought-qnamemin], Verisign [verisign-qnamemin] and APNIC [apnic-qnamemin] shows that a large percentage of the resolvers deployed on the Internet already support QNAME minimisation in some way.¶
Academic research has been performed on QNAME minimisation [devries-qnamemin]. This work shows that QNAME minimisation in relaxed mode causes almost no problems. The paper recommends using the A QTYPE, and limiting the number of queries in some way. Some of the issues that the paper found are covered in Section 5.¶
The terminology used in this document is defined in [RFC8499].¶
In this document, a "cold" cache is one that is empty, having literally no entries in it. A "warm" cache is one that has some entries in it.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The idea behind QNAME minimisation is to minimise the amount of privacy-sensitive data sent from the DNS resolver to the authoritative name server. This section describes how to do QNAME minimisation. The algorithm is summarised in Section 3.¶
When a resolver is not able to answer a query from cache it has to send a query to an authoritative nameserver. Traditionally these queries would contain the full QNAME and the original QTYPE as received in the client query.¶
The full QNAME and original QTYPE are only needed at the nameserver that is authoritative for the record requested by the client. All other nameservers queried while resolving the query only need to receive enough of the QNAME to be able to answer with a delegation. The QTYPE in these queries is not relevant, as the nameserver is not able to authoritatively answer the records the client is looking for. Sending the full QNAME and original QTYPE to these nameservers therefore exposes more privacy-sensitive data than necessary to resolve the client's request.¶
A resolver that implements QNAME minimisation obscures the QNAME and QTYPE in queries directed to an authoritative nameserver that is not known to be responsible for the original QNAME. These queries contain:¶
Note that this document relaxes the recommendation in RFC 7816 to use the NS QTYPE to hide the original QTYPE. Using the NS QTYPE is still allowed. The authority of NS records lies at the child side. The parent side of the delegation will answer using a referral, like it will do for queries with other QTYPEs. Using the NS QTYPE therefore has no added value over other QTYPEs.¶
The QTYPE to use while minimising queries can be any possible data type (as defined in [RFC6895] Section 3.1) for which the authority always lies below the zone cut (i.e. not DS, NSEC, NSEC3, OPT, TSIG, TKEY, ANY, MAILA, MAILB, AXFR, and IXFR), as long as there is no relation between the incoming QTYPE and the selection of the QTYPE to use while minimising. Good candidates are to always use the "A" or "AAAA" QTYPE because these are the least likely to raise issues in DNS software and middleboxes that do not properly support all QTYPEs. QTYPE=A or QTYPE=AAAA queries will also blend into traffic from non-minimising resolvers, making it in some cases harder to observe that the resolver is using QNAME minimisation. Using a QTYPE that occurs most in incoming queries will slightly reduce the number of queries, as there is no extra check needed for delegations on non-apex records.¶
The minimising resolver works perfectly when it knows the zone cut (zone cuts are described in Section 6 of [RFC2181]). But zone cuts do not necessarily exist at every label boundary. In the name www.foo.bar.example, it is possible that there is a zone cut between "foo" and "bar" but not between "bar" and "example". So, assuming that the resolver already knows the name servers of example, when it receives the query "What is the AAAA record of www.foo.bar.example?", it does not always know where the zone cut will be. To find the zone cut, it will query the example name servers for a record for bar.example. It will get a non-referral answer, it has to query the example name servers again with one more label, and so on. (Section 3 describes this algorithm in deeper detail.)¶
When using QNAME minimisation, the number of labels in the received QNAME can influence the number of queries sent from the resolver. This opens an attack vector and can decrease performance. Resolvers supporting QNAME minimisation MUST implement a mechanism to limit the number of outgoing queries per user request.¶
Take for example an incoming QNAME with many labels, like www.host.group.department.example.com, where host.group.department.example.com is hosted on example.com's name servers. (Such deep domains are especially common under ip6.arpa.) Assume a resolver that knows only the name servers of example.com. Without QNAME minimisation, it would send these example.com name servers a query for www.host.group.department.example.com and immediately get a specific referral or an answer, without the need for more queries to probe for the zone cut. For such a name, a cold resolver with QNAME minimisation will send more queries, one per label. Once the cache is warm, there will be less difference with a traditional resolver. Testing of this is described in [Huque-QNAME-Min].¶
The behaviour of sending multiple queries can be exploited by sending queries with a large number of labels in the QNAME that will be answered using a wildcard record. Take for example a record for *.example.com, hosted on example.com's name servers. An incoming query containing a QNAME with more than 100 labels, ending in example.com, will result in a query per label. By using random labels, the attacker can bypass the cache and always require the resolver to send many queries upstream. Note that [RFC8198] can limit this attack in some cases.¶
One mechanism that MAY be used to reduce this attack vector is by appending more than one label per iteration for QNAMEs with a large number of labels. To do this, a maximum number of QNAME minimisation iterations MUST be selected (MAX_MINIMISE_COUNT); a RECOMMENDED value is 10. Optionally, a value for the number of queries that should only have one label appended MAY be selected (MINIMISE_ONE_LAB), a good value is 4. The assumption here is that the number of labels on delegations higher in the hierarchy are rather small, therefore not exposing too many labels early on has the most privacy benefit.¶
Another potential, optional mechanism for limiting the number of queries is to assume that labels that begin with an underscore (_) character do not represent privacy-relevant administrative boundaries. For example, if the QNAME is "_25._tcp.mail.example.org" and the algorithm has already searched for "mail.example.org", the next query can be for all the underscore-prefixed names together, namely "_25._tcp.mail.example.org".¶
When a resolver needs to send out a query, it will look for the closest known delegation point in its cache. The number of not yet exposed labels is the difference between this closest nameserver and the incoming QNAME. The first MINIMISE_ONE_LAB labels will be handled as described in Section 2. The number of labels that are still not exposed now need to be divided proportionally over the remaining iterations (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB). If the not yet exposed labels can not be equally divided over the remaining iterations, the remainder of the division should be added to the last iterations. For example, when resolving a QNAME with 18 labels with MAX_MINIMISE_COUNT set to 10 and MINIMISE_ONE_LAB set to 4, the number of labels added per iteration are: 1,1,1,1,2,2,2,2,3,3.¶
Stub and forwarding resolvers MAY implement QNAME minimisation. Minimising queries that will be sent to an upstream resolver does not help in hiding data from the upstream resolver because all information will end up there anyway. It might, however, limit the data exposure between the upstream resolver and the authoritative nameserver in the situation where the upstream resolver does not support QNAME minimisation. Using QNAME minimisation in a stub or forwarding resolvers that does not have a mechanism to find and cache zone cuts will drastically increase the number of outgoing queries.¶
This algorithm performs name resolution with QNAME minimisation in the presence of zone cuts that are not yet known.¶
Although a validating resolver already has the logic to find the zone cuts, implementers of resolvers may want to use this algorithm to locate the zone cuts.¶
Get the closest delegation point that can be used for the original QNAME from the cache.¶
Query for CHILD with the selected QTYPE using one of ANCESTOR's name servers. The response can be:¶
As a first example, assume that a resolver receives a request to resolve foo.bar.baz.example. Assume that the resolver already knows that ns1.nic.example is authoritative for .example, and that the resolver does not know a more specific authoritative name server. It will send the query with QNAME=baz.example and the QTYPE selected to hide the original QTYPE to ns1.nic.example.¶
The following are more detailed examples of other queries with QNAME minimisation, using other names and authoritative servers:¶
Cold cache, traditional resolution algorithm without QNAME minimisation, request for MX record of a.b.example.org:¶
QTYPE QNAME TARGET NOTE MX a.b.example.org root nameserver MX a.b.example.org org nameserver MX a.b.example.org example.org nameserver¶
Cold cache, with QNAME minimisation, request for MX record of a.b.example.org, using the A QTYPE to hide the original QTYPE:¶
QTYPE QNAME TARGET NOTE A org root nameserver A example.org org nameserver A b.example.org example.org nameserver A a.b.example.org example.org nameserver "a" may be delegated MX a.b.example.org example.org nameserver¶
Note that in above example one query would have been saved if the incoming QTYPE was the same as the QTYPE selected by the resolver to hide the original QTYPE. Only one query for a.b.example.org would have been needed if the original QTYPE would have been A. Using the most used QTYPE to hide the original QTYPE therefore slightly reduces the number of outgoing queries compared to using any other QTYPE to hide the original QTYPE.¶
Warm cache with only org delegation known, (example.org's NS RRset is not known), request for MX record of a.b.example.org, using A QTYPE to hide the original QTYPE:¶
QTYPE QNAME TARGET NOTE A example.org org nameserver A b.example.org example.org nameserver A a.b.example.org example.org nameserver "a" may be delegated MX a.b.example.org example.org nameserver¶
The main goal of QNAME minimisation is to improve privacy by sending less data. However, it may have other advantages. For instance, if a resolver sends a root name server queries for A.example followed by B.example followed by C.example, the result will be three NXDOMAINs, since .example does not exist in the root zone. When using QNAME minimisation, the resolver would send only one question (for .example itself) to which they could answer NXDOMAIN. The resolver can cache this answer and use it as to prove that nothing below .example exists ([RFC8020]). A resolver now knows a priori that neither B.example nor C.example exist. Thus, in this common case, the total number of upstream queries under QNAME minimisation could counterintuitively be less than the number of queries under the traditional iteration (as described in the DNS standard).¶
QNAME minimisation can increase the number of queries based on the incoming QNAME. This is described in Section 2.3. As described in [devries-qnamemin], QNAME minimisation both increases the number of DNS lookups by up to 26% and leads to up to 5% more failed lookups. Filling the cache in a production resolver will soften that overhead.¶
QNAME minimisation's benefits are clear in the case where you want to decrease exposure of the queried name to the authoritative name server. But minimising the amount of data sent also, in part, addresses the case of a wire sniffer as well as the case of privacy invasion by the authoritative name servers. (Encryption is of course a better defense against wire sniffers, but, unlike QNAME minimisation, it changes the protocol and cannot be deployed unilaterally. Also, the effect of QNAME minimisation on wire sniffers depends on whether the sniffer is on the DNS path.)¶
QNAME minimisation offers no protection against the recursive resolver, which still sees the full request coming from the stub resolver.¶
A resolver using QNAME minimisation can possibly be used to cause a query storm to be sent to servers when resolving queries containing a QNAME with a large number of labels, as described in Section 2.3. That section proposes methods to significantly dampen the effects of such attacks.¶
The acknowledgements from RFC 7816 apply here. In addition, many participants from the DNSOP Working Group helped with proposals for simplification, clarification, and general editorial help.¶
Changed in -07¶
Changed in -06¶
Changed in -04¶
Changed in -03¶
Changed in -00, -01, and -02¶