Internet-Draft EDSR November 2022
Todd & Jensen Expires 12 May 2023 [Page]
Workgroup:
ADD
Internet-Draft:
draft-jt-add-dns-server-redirection-00
Published:
Intended Status:
Standards Track
Expires:
Authors:
J. Todd
Quad9
T. Jensen
Microsoft

Handling Encrypted DNS Server Redirection

Abstract

This document defines Encrypted DNS Server Redirection (EDSR), a mechanism for encrypted DNS servers to redirect clients to other encrypted DNS servers. This enables dynamic routing to geo-located or otherwise more desirable encrypted DNS servers without modifying DNS client endpoint configurations or the use of anycast by the DNS server.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://example.com/LATEST. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-jt-add-dns-server-redirection/.

Discussion of this document takes place on the WG Working Group mailing list (mailto:add@ietf.org), which is archived at https://example.com/WG. Subscribe at https://www.ietf.org/mailman/listinfo/add/.

Source for this draft and an issue tracker can be found at https://github.com/johnhtodd/draft-DOH-redirect.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 12 May 2023.

Table of Contents

1. Introduction

Encrypted DNS Server Redirection (EDSR) is a protocol that allows an encrypted DNS resolver whose configuration is well known to clients to redirect them to other, more desirable resolvers without having to support anycast and without having to configure clients with these other resolvers ahead of time. It uses the mechanism defined by DDR [I-D.ietf-add-ddr] to redirect an encrypted DNS client from one encrypted DNS resolver to another encrypted DNS resolver. Where DDR uses a threat model that presumes the initial DNS traffic is unencrypted, EDSR applies when the initial DNS traffic is already encrypted.

One example of what makes redirection to another resolver desirable is geolocation. A DNS service may document one or a few well known resolver configurations even though it routes traffic to hundreds or thousands of resolvers that are closer to the client, reducing latency and making DNS resolutions more applicable to the client.

2. DNS client behavior

2.1. Discovering redirections

When a DNS client first opens a connection to an encrypted DNS server, it MUST send a SVCB query for _dns.resolver.arpa to discover its encrypted DNS configuration. If the configuration returned differs from the current connection, the DNS client SHOULD close the connection in favor of a connection to the one returned in the SVCB query.

The client does not need to wait for the results of the redirection discovery query before sending other DNS queries on the connection, though they SHOULD gracefully close the connection as soon as it has successfully established a connection to the server it was redirected to and received or timed out the outstanding queries on the original connection.

See the considerations section for reasons a client MAY choose to decline a redirection.

2.2. Prioritizing redirections

When clients receive more than one valid SVCB response, they SHOULD prefer using the redirections in ascending order of the SVCB priority.

2.3. Network changes

When a client device changes what network it is connected to, it SHOULD forget pre-existing redirections and start EDSR over with the originally configured resolvers. This ensures that a resolver which redirects clients based on their source network can behave accordingly.

Note that this is unrelated to what resolvers a client is originally configured with. For example, a client which is configured to always used the resolvers advertised by DHCP will likely start with different original resolvers when changing networks. How a client is configured with DNS resolvers is out of scope for this document. EDSR only provides a mechanism for clients to discover redirections from resolvers they were previously configured to use.

3. DNS server behavior

DNS resolvers who want to redirect clients to other resolvers MUST respond to SVCB [I-D.ietf-add-svcb-dns] queries for _dns.resolver.arpa. with records that describe the configuration of the destination server. Servers SHOULD be prepared for clients to not follow the redirection immediately as connection failures or other issues may lead to clients being unable to follow the redirection. Servers who are redirecting due to being overloaded MAY respond as they normally would to overwhelming traffic.

Guidance in Section 3 of [I-D.ietf-add-ddr] SHOULD be followed by resolvers when responding to these special queries for "resolver.arpa" to prevent unnecessary additional requests by the client. See Section 5 of [I-D.ietf-dnsop-svcb-https] for more info.

DNS resolvers who want to redirect clients to other resolvers MUST treat resolver.arpa as a locally served zone per [RFC6303]. In practice, this means that resolvers SHOULD respond to queries of any type other than SVCB for _dns.resolver.arpa with NODATA and queries of any type for any domain name under resolver.arpa with NODATA.

Redirections MUST only redirect to resolvers which support at least the same protocol, address family, and port as the referring resolver. This ensures that redirections do not lead clients to resolvers that are not compatible with the client.

4. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

5. Deployment Considerations

5.1. Chained redirections

It is possible for DNS servers to redirect clients to DNS servers which also redirect clients. Clients which are presented with long chains of redirections MAY choose to stop following redirections to reduce connection thrashing. DNS server operators SHOULD deploy redirection behavior mindfully to avoid long chains of redirection.

6. Security Considerations

6.1. Trusting the redirected connection

EDSR does not provide novel authentication or security mechanisms. Redirection is trusted by virtue of the server authentication via PKI through TLS [RFC5280]. EDSR MUST NOT be used with encrypted DNS protocols that are not based on TLS. This scenario will require future standards work.

EDSR should not introduce any additional security considerations beyond use of the original encrypted resolver prior to redirection. Because the original connection was trusted, information sent over it about a new connection to use should be as trusted. This is analogous to the use of 3xx codes in HTTP to redirect HTTP clients to other servers. However, clients that wish to time bound vulnerabilities to attackers who compromise the original resolver MAY choose to implement a maximum TTL to honor on SVCB records that redirect to other servers.

6.2. Use with unencrypted DNS

EDSR MUST NOT be used to redirect unencrypted DNS traffic to any other resolver. This use case is called designation and is covered by Discovery of Designated Resolvers (DDR) as defined in [I-D.ietf-add-ddr]. Not following DDR opens up a DNS client to malicious redirection to an attacker-controlled DNS server. For more information, see Section 7 of [I-D.ietf-add-ddr].

EDSR also MUST NOT be used to redirect encrypted DNS traffic to a resolver that advertises support for unencrypted DNS. This would reduce the security posture of the client. Clients MUST NOT follow an encrypted DNS redirection and then send unencrypted DNS traffic to the new resolver.

7. Privacy Considerations

A client MAY choose to not send other name queries until redirection is complete, but there should be no issue with sending queries to intermediate resolvers before redirection takes place. This is because the intermediate resolvers are considered to be appropriate destinations by the client even if the resolver wants to substitute another resolver for reasons other than name resolution results such as latency optimization or load balancing.

8. Data Flow Considerations

8.1. Data Scope

EDSR does not result in any additional data being shared by the end user, as the DNS queries going to the new resolver were already going to go to the original resolver.

8.2. Data Visibility

EDSR results in a 1:1 replacement of DNS resolvers used (future queries sent to the new resolver will not be sent to the original resolver anymore). This means the number of servers which see any given query remain the same.

This is only true if clients only use one redirected DNS server per original DNS server. If the DNS server offers more than one redirection, and the client validates and uses two or more of those redirections, then there will be greater data visibility (more destinations). This is however entirely within the client's choice following their own policy as a redundancy versus volume of exhausted data trade-off.

EDSR requires the redirection to another server to also use encrypted DNS, so no third-party will be introduced to the data flow unless the encryption is broken.

8.3. Data centralization

EDSR can only increase data centralization if multiple resolver operators choose to redirect DNS clients to the same, other DNS resolver. To prevent the reduction of their resolution redundancy, DNS clients MAY choose to ignore redirections if they find that they point to resolvers they are already configured to use, by a previous redirection or some other configuration.

9. IANA Considerations

This document has no IANA actions.

10. References

10.1. Normative References

[I-D.ietf-add-ddr]
Pauly, T., Kinnear, E., Wood, C. A., McManus, P., and T. Jensen, "Discovery of Designated Resolvers", Work in Progress, Internet-Draft, draft-ietf-add-ddr-10, , <https://www.ietf.org/archive/id/draft-ietf-add-ddr-10.txt>.
[I-D.ietf-add-svcb-dns]
Schwartz, B. M., "Service Binding Mapping for DNS Servers", Work in Progress, Internet-Draft, draft-ietf-add-svcb-dns-07, , <https://www.ietf.org/archive/id/draft-ietf-add-svcb-dns-07.txt>.
[I-D.ietf-dnsop-svcb-https]
Schwartz, B. M., Bishop, M., and E. Nygren, "Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf-dnsop-svcb-https-11, , <https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-11.txt>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC6303]
Andrews, M., "Locally Served DNS Zones", BCP 163, RFC 6303, DOI 10.17487/RFC6303, , <https://www.rfc-editor.org/info/rfc6303>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.

10.2. Informative References

[RFC5280]
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, , <https://www.rfc-editor.org/info/rfc5280>.

Acknowledgments

TODO acknowledge.

Authors' Addresses

J. Todd
Quad9
T. Jensen
Microsoft