Internet-Draft | Oblivious DoH | February 2021 |
Kinnear, et al. | Expires 25 August 2021 | [Page] |
This document describes an extension to DNS Over HTTPS (DoH) that allows hiding client IP addresses via proxying encrypted DNS transactions. This improves privacy of DNS operations by not allowing any one server entity to be aware of both the client IP address and the content of DNS queries and answers.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 25 August 2021.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
DNS Over HTTPS (DoH) [RFC8484] defines a mechanism to allow DNS messages to be transmitted in encrypted HTTP messages. This provides improved confidentiality and authentication for DNS interactions in various circumstances.¶
While DoH can prevent eavesdroppers from directly reading the contents of DNS exchanges, clients cannot send DNS queries and receive answers from servers without revealing their local IP address, and thus information about the identity or location of the client.¶
Proposals such as Oblivious DNS ([I-D.annee-dprive-oblivious-dns]) increase privacy by ensuring no single DNS server is aware of both the client IP address and the message contents.¶
This document defines Oblivious DoH, an extension to DoH that permits proxied resolution, in which DNS messages are encrypted so that no DoH server can independently read both the client IP address and the DNS message contents.¶
This mechanism is intended to be used as one option for resolving privacy-sensitive content in the broader context of Adaptive DNS [I-D.pauly-dprive-adaptive-dns-privacy].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document defines the following terms:¶
Throughout the rest of this document, we use the terms Proxy and Target to refer to an Oblivious Proxy and Oblivious Target, respectively.¶
Oblivious DoH requires, at a minimum:¶
The mechanism for discovering and provisioning the DoH URI Templates and public keys is via parameters added to DNS resource records. The mechanism for discovering the public key is described in Section 5. The mechanism for discovering a DoH URI Template is described in [I-D.pauly-add-resolver-discovery].¶
Unlike direct resolution, oblivious hostname resolution over DoH involves three parties:¶
Oblivious DoH queries are created by the Client, and sent to the Proxy. Requests to the Proxy indicate which DoH server to use as a Target by specifying two variables: "targethost", which indicates the host name of the Target server, and "targetpath", which indicates the path on which the Target's DoH server is running. See Section 4.2 for an example request.¶
Oblivious DoH messages have no cache value since both requests and responses are encrypted using ephemeral key material. Clients SHOULD prefer using HTTP methods and headers that will prevent unhelpful cache storage of these exchanges (i.e., preferring POST instead of GET).¶
Clients MUST set the HTTP Content-Type header to "application/oblivious-dns-message" to indicate that this request is an Oblivious DoH query intended for proxying. Clients also SHOULD set this same value for the HTTP Accept header.¶
Proxies must check that client requests are correctly encoded, and MUST return a 4xx (Client Error) if the check fails, along with the Proxy-Status response header with an "error" parameter of type "http_request_error" [I-D.ietf-httpbis-proxy-status]. A correctly encoded request has the HTTP Content-Type header "application/oblivious-dns-message", and HTTP method POST. If the proxy does not operate as a target, then the request must additionally contain "targethost" and "targetpath" variables.¶
Upon receiving a request that contains a "application/oblivious-dns-message" Content-Type, the DoH server looks for the "targethost" and "targetpath" variables. If the variables are not present, then it is the target of the query, and it can decrypt the query (Section 7). If the variables are present, then the DoH server is acting as a Proxy. If it is a proxy, it is expected to send the request on to the Target using the URI template constructed as "https://targethost/targetpath".¶
Note that "targethost" may contain a port. Proxies MAY choose to not forward connections to non-standard ports. In such cases, proxies MUST return a 4xx (Client Error) response to the client request, along with Proxy-Status response header with an "error" parameter of type "http_request_error".¶
If the proxy cannot establish a connection to "targethost", it MUST return a 502 (Bad Gateway) response to the client request, along with Proxy-Status response header with an "error" parameter whose type indicates the reason. For example, if DNS resolution fails, the error type might be "dns_timeout", whereas if the TLS connection failed the error type might be "tls_protocol_error". Proxies SHOULD choose an error type that best captures the connection failure.¶
The following example shows how a client requests that a Proxy, "dnsproxy.example.net", forwards an encrypted message to "dnstarget.example.net". The URI template for the Proxy is "https://dnsproxy.example.net/dns-query{?targethost,targetpath}". The URI template for the Target is "https://dnstarget.example.net/dns-query".¶
:method = POST :scheme = https :authority = dnsproxy.example.net :path = /dns-query?targethost=dnstarget.example.net&targetpath=/dns-query accept = application/oblivious-dns-message cache-control = no-cache, no-store content-type = application/oblivious-dns-message content-length = 106 <Bytes containing the encrypted payload for an Oblivious DNS query>¶
The Proxy then sends the following request on to the Target:¶
:method = POST :scheme = https :authority = dnstarget.example.net :path = /dns-query accept = application/oblivious-dns-message cache-control = no-cache, no-store content-type = application/oblivious-dns-message content-length = 106 <Bytes containing the encrypted payload for an Oblivious DNS query>¶
The response to an Oblivious DoH query is generated by the Target. It MUST set the Content-Type HTTP header to "application/oblivious-dns-message" for all successful responses. The body of the response contains an encrypted DNS message; see Section 7.¶
The response from a Target MUST set the Content-Type HTTP header to "application/oblivious-dns-message" which MUST be forwarded by the Proxy to the Client. A Client MUST only consider a response which contains the Content-Type header in the response before processing the payload. A response without the appropriate header MUST be treated as an error and be handled appropriately. All other aspects of the HTTP response and error handling are inherited from standard DoH.¶
Proxies MUST forward responses unmodified to clients. Specifically, the HTTP status code generated by Targets must be forwarded to clients unmodified. If a proxy receives a successful response from a target without the "application/oblivious-dns-message" HTTP Content-Type header, it MUST return a 502 (Bad Gateway) response to the client request, along with Proxy-Status response header with an "error" parameter of type "http_protocol_error".¶
The following example shows a 2xx (Successful) response that can be sent from a Target to a client via a Proxy.¶
:status = 200 content-type = application/oblivious-dns-message content-length = 154 <Bytes containing the encrypted payload for an Oblivious DNS response>¶
Requests that cannot be processed by the target result in 4xx (Client Error) responses. If the target and client keys do not match, it is an authorization failure (HTTP status code 401; see Section 3.1 of [RFC7235]). Otherwise, if the client's request is invalid, such as in the case of decryption failure, wrong message type, or deserialization failure, this is a bad request (HTTP status code 400; see Section 6.5.1 of [RFC7231]).¶
Even in case of DNS responses indicating failure, such as SERVFAIL or NXDOMAIN, a successful HTTP response with a 2xx status code is used as long as the DNS response is valid. This is similar to how DoH [RFC8484] handles HTTP response codes.¶
In case of server error, the usual HTTP status code 500 (see Section 6.6.1 of [RFC7231]) applies.¶
Proxies forward requests and responses between clients and targets as specified in Section 4.1. Metadata sent with these messages may inadvertently weaken or remove Oblivious DoH privacy properties. Proxies MUST NOT send any client-identifying information about clients to targets, such as "Forwarded" HTTP headers [RFC7239]. Additionally, clients MUST NOT include any private state in requests to proxies, such as HTTP cookies.¶
In order to use a DoH server as a Target, the client must know a public key to use for encrypting its queries. This document specifies one discovery mechanism for public keys using the SVCB or HTTPSSVC record type ([I-D.ietf-dnsop-svcb-https]) for a name owned by the server.¶
The Service Binding key name is "odohconfig" (Section 12). If present, this key/value pair contains the public key to use when encrypting Oblivious DoH messages that will be targeted at a DoH server. The format of the key is defined in (Section 6).¶
Clients that use this discovery mechansim MUST only use keys that were retrieved from records protected by DNSSEC [RFC4033] to encrypt messages to a Target.¶
Servers SHOULD rotate public keys regularly. It is RECOMMENDED that servers rotate keys every day. Shorter rotation windows reduce the anonymity set of clients that might use the public key, whereas longer rotation windows widen the timeframe of possible compromise.¶
An Oblivious DNS public key configuration is a structure encoded, using TLS-style encoding [RFC8446], as follows:¶
struct { uint16 kem_id; uint16 kdf_id; uint16 aead_id; opaque public_key<1..2^16-1>; } ObliviousDoHConfigContents; struct { uint16 version; uint16 length; select (ObliviousDoHConfig.version) { case 0xff05: ObliviousDoHConfigContents contents; } } ObliviousDoHConfig; ObliviousDoHConfig ObliviousDoHConfigs<1..2^16-1>;¶
The ObliviousDoHConfigs
structure contains one or more ObliviousDoHConfig
structures in decreasing order of
preference. This allows a server to support multiple versions of Oblivious DoH and multiple sets of Oblivious DoH
parameters.¶
An ObliviousDoHConfig
contains a versioned representation of an Oblivious DoH configuration,
with the following fields.¶
ObliviousDoHConfig
structure with a version they do not support. The version of Oblivious DoH
specified in this document is 0xff05
.¶
ObliviousDoHConfigContents
structure.¶
An ObliviousDoHConfigContents
contains the information needed to encrypt a message under
ObliviousDoHConfigContents.public_key
such that only the owner of the corresponding private
key can decrypt the message. The values for ObliviousDoHConfigContents.kem_id
,
ObliviousDoHConfigContents.kdf_id
, and ObliviousDoHConfigContents.aead_id
are described in [I-D.irtf-cfrg-hpke] Section 7. The fields in this structure
are as follows:¶
public_key
. Clients MUST ignore any
ObliviousDoHConfig
structure with a key using a KEM they do not support.¶
public_key
. Clients MUST ignore any
ObliviousDoHConfig
structure with a key using a KDF they do not support.¶
public_key
. Clients MUST ignore any
ObliviousDoHConfig
structure with a key using an AEAD they do not support.¶
There are two types of Oblivious DoH messages: Queries (0x01) and Responses (0x02). Both messages carry the following information:¶
They are encoded using the following structure:¶
struct { opaque dns_message<1..2^16-1>; opaque padding<0..2^16-1>; } ObliviousDoHMessagePlaintext;¶
Both Query and Response messages use the ObliviousDoHMessagePlaintext
format.¶
ObliviousDoHMessagePlaintext ObliviousDoHQuery; ObliviousDoHMessagePlaintext ObliviousDoHResponse;¶
An encrypted ObliviousDoHMessagePlaintext
is carried in a ObliviousDoHMessage
message, encoded as follows:¶
struct { uint8 message_type; opaque key_id<0..2^16-1>; opaque encrypted_message<1..2^16-1>; } ObliviousDoHMessage;¶
The ObliviousDoHMessage
structure contains the following fields:¶
message_type
0x01, and Response
messages use message_type
0x02.¶
ObliviousDoHConfigContents
key. This is computed as
Expand(Extract("", config), "odoh key id", Nh)
, where config
is the ObliviousDoHConfigContents
structure and Extract
, Expand
, and Nh
are as specified by the HPKE cipher suite KDF corresponding
to config.kdf_id
.¶
The contents of ObliviousDoHMessage.encrypted_message
depend on ObliviousDoHMessage.message_type
.
In particular, ObliviousDoHMessage.encrypted_message
is an encryption of a ObliviousDoHQuery
if the message is a Query, and ObliviousDoHResponse
if the message is a Response.¶
Clients use the following utility functions for encrypting a Query and decrypting a Response as described in Section 8.¶
encrypt_query_body: Encrypt an Oblivious DoH query.¶
def encrypt_query_body(pkR, key_id, Q_plain): enc, context = SetupBaseS(pkR, "odoh query") aad = 0x01 || len(key_id) || key_id ct = context.Seal(aad, Q_plain) Q_encrypted = enc || ct return Q_encrypted¶
decrypt_response_body: Decrypt an Oblivious DoH response.¶
def decrypt_response_body(context, Q_plain, R_encrypted): key, nonce = derive_secrets(context, Q_plain) aad = 0x02 || 0x0000 // 0x0000 represents a 0-length KeyId R_plain, error = Open(key, nonce, aad, R_encrypted) return R_plain, error¶
The derive_secrets
function is described below.¶
Targets use the following utility functions in processing queries and producing responses as described in Section 9.¶
setup_query_context: Set up an HPKE context used for decrypting an Oblivious DoH query.¶
def setup_query_context(skR, key_id, Q_encrypted): enc || ct = Q_encrypted context = SetupBaseR(enc, skR, "odoh query") return context¶
decrypt_query_body: Decrypt an Oblivious DoH query.¶
def decrypt_query_body(context, key_id, Q_encrypted): aad = 0x01 || len(key_id) || key_id enc || ct = Q_encrypted Q_plain, error = context.Open(aad, ct) return Q_plain, error¶
derive_secrets: Derive keying material used for encrypting an Oblivious DoH response.¶
def derive_secrets(context, Q_plain): odoh_secret = context.Export("odoh secret", 32) odoh_prk = Extract(Q_plain, odoh_secret) key = Expand(odoh_prk, "odoh key", Nk) nonce = Expand(odoh_prk, "odoh nonce", Nn) return key, nonce¶
encrypt_response_body: Encrypt an Oblivious DoH response.¶
def encrypt_response_body(R_plain, answer_key, answer_nonce): aad = 0x02 || 0x0000 // 0x0000 represents a 0-length KeyId R_encrypted = Seal(answer_key, answer_nonce, aad, R_plain) return R_encrypted¶
Let M
be a DNS message (query) a client wishes to protect with Oblivious DoH.
When sending an Oblivious DoH Query for resolving M
to an Oblivious Target with
ObliviousDoHConfigContents
config
, a client does the following:¶
ObliviousDoHQuery
structure, carrying the message M and padding, to produce Q_plain.¶
config.public_key
to produce a public key pkR of type config.kem_id
.¶
Q_encrypted = encrypt_query_body(pkR, key_id, Q_plain)
,
where key_id
is as computed in Section 7. Note also that len(key_id)
outputs the length of key_id
as a two-byte unsigned integer.¶
Q
where Q.message_type = 0x01
, Q.key_id
carries key_id
,
and Q.encrypted_message = Q_encrypted
.¶
The client then sends Q
to the Proxy according to Section 4.1.
Once the client receives a response R
, encrypted as specified in Section 9,
it uses decrypt_response_body
to decrypt R.encrypted_message
and produce R_plain.
Clients MUST validate R_plain.padding
(as all zeros) before using R_plain.dns_message.¶
Targets that receive a Query message Q decrypt and process it as follows:¶
ObliviousDoHConfigContents
according to Q.key_id
. If no such key exists,
the Target MAY discard the query, and if so, it MUST return a 400 (Client Error) response
to the Proxy. Otherwise, let skR
be the private key corresponding to this public key,
or one chosen for trial decryption.¶
context = setup_query_context(skR, Q.key_id, Q.encrypted_message)
.¶
Q_plain, error = decrypt_query_body(context, Q.key_id, Q.encrypted_message)
.¶
Q_plain.padding
is valid (all zeros), resolve
Q_plain.dns_message
as needed, yielding a DNS message M. Otherwise, if an error
was returned or the padding was invalid, return a 400 (Client Error) response to the Proxy.¶
ObliviousDoHResponseBody
structure, carrying the message M
and padding,
to produce R_plain
.¶
answer_key, answer_nonce = derive_secrets(context, Q_plain)
.¶
R_encrypted = encrypt_response_body(R_plain, answer_key, answer_nonce)
.
The key_id
field used for encryption is empty, yielding 0x0000
as part of the AAD.
Also, the Seal
function is that which is associated with the HPKE AEAD.¶
ObliviousDoHMessage
message R
where R.message_type = 0x02
,
R.key_id = nil
, and R.encrypted_message = R_encrypted
.¶
The Target then sends R
in a 2xx (Successful) response to the Proxy; see Section 4.3.
The Proxy forwards the message R
without modification back to the client as the HTTP response
to the client's original HTTP request. In the event of an error (non 2xx status code), the
Proxy forwards the Target error to the client; see Section 4.3.¶
Oblivious DoH uses draft-08 of HPKE for public key encryption [I-D.irtf-cfrg-hpke]. In the absence of an application profile standard specifying otherwise, a compliant Oblivious DoH implementation MUST support the following HPKE cipher suite:¶
DISCLAIMER: this is a work in progress draft and has not yet seen significant security analysis.¶
Oblivious DoH aims to keep knowledge of the true query origin and its contents known to only clients. As a simplified model, consider a case where there exists two clients C1 and C2, one proxy P, and one target T. Oblivious DoH assumes an extended Dolev-Yao style attacker which can observe all network activity and can adaptively compromise either P or T, but not C1 or C2. Once compromised, the attacker has access to all session information and private key material. (This generalizes to arbitrarily many clients, proxies, and targets, with the constraints that not all targets and proxies are simultaneously compromised, and at least two clients are left uncompromised.) The attacker is prohibited from sending client identifying information, such as IP addresses, to targets. (This would allow the attacker to trivially link a query to the corresponding client.)¶
In this model, both C1 and C2 send an Oblivious DoH queries Q1 and Q2, respectively, through P to T, and T provides answers A1 and A2. The attacker aims to link C1 to (Q1, A1) and C2 to (Q2, A2), respectively. The attacker succeeds if this linkability is possible without any additional interaction. (For example, if T is compromised, it may return a DNS answer corresponding to an entity it controls, and then observe the subsequent connection from a client, learning its identity in the process. Such attacks are out of scope for this model.)¶
Oblivious DoH security prevents such linkability. Informally, this means:¶
Traffic analysis mitigations are outside the scope of this document. In particular, this document does not recommend padding lengths for ObliviousDoHQuery and ObliviousDoHResponse messages. Implementations SHOULD follow the guidance for choosing padding length in [RFC8467].¶
Oblivious DoH security does not depend on proxy and target indistinguishability. Specifically, an on-path attacker could determine whether a connection a specific endpoint is used for oblivious or direct DoH queries. However, this has no effect on confidentiality goals listed above.¶
Malicious clients (or proxies) may send bogus Oblivious DoH queries to targets as a Denial-of-Service (DoS) attack. Target servers may throttle processing requests if such an event occurs. Additionally, since Targets provide explicit errors upon decryption failure, i.e., if ciphertext decryption fails or if the plaintext DNS message is malformed, Proxies may throttle specific clients in response to these errors.¶
Malicious Targets or Proxies may send bogus answers in response to Oblivious DoH queries. Response decryption failure is a signal that either the proxy or target is misbehaving. Clients can choose to stop using one or both of these servers in the event of such failure. However, as above, malicious Targets and Proxies are out of scope for the threat model.¶
Proxies are free to enforce any forwarding policy they desire for clients. For example, they may only forward requests to known or otherwise trusted targets. Proxies that do not have an allow list of targets can attempt to determine if the specified target is a valid Oblivious DoH target by querying for the target configuration as specified in Section 5.¶
Using DoH over anonymizing proxy services such as Tor would also achieve the desired goal of separating query origins from their contents. However, there are several reasons why such systems are undesirable in comparison Oblivious DoH:¶
This document registers a new media type, "application/oblivious-dns-message".¶
Type name: application¶
Subtype name: oblivious-dns-message¶
Required parameters: N/A¶
Optional parameters: N/A¶
Encoding considerations: This is a binary format, containing encrypted DNS requests and responses, as defined in this document.¶
Security considerations: See this document. The content is an encrypted DNS message, and not executable code.¶
Interoperability considerations: This document specifies format of conforming messages and the interpretation thereof.¶
Published specification: This document.¶
Applications that use this media type: This media type is intended to be used by clients wishing to hide their DNS queries when using DNS over HTTPS.¶
Additional information: None¶
Person and email address to contact for further information: See Authors' Addresses section¶
Intended usage: COMMON¶
Restrictions on usage: None¶
Author: IETF¶
Change controller: IETF¶
This document adds a parameter ("odohconfig") to the "Service Binding (SVCB) Parameter" registry [I-D.ietf-dnsop-svcb-https]. The allocation request is 32769, taken from the to the First Come First Served range.¶
If present, the "odohconfig" parameter contains a ObliviousDoHConfigs structure. In wire format, the value of the parameter is an ObliviousDoHConfigs vector, including the redundant length prefix. In presentation format, the value is encoded in [base64].¶
This work is inspired by Oblivious DNS [I-D.annee-dprive-oblivious-dns]. Thanks to all of the authors of that document. Thanks to Nafeez Ahamed, Elliot Briggs, Marwan Fayed, Frederic Jacobs, Tommy Jensen Paul Schmitt, Brian Swander, Tanya Verma, and Peter Wu for the feedback and input.¶