Internet-Draft | CNAME DoH Discovery | June 2020 |
Rescorla & Livingood | Expires 27 December 2020 | [Page] |
This note describes a simple mechanism for determining whether an Internet Service Provider (ISP) network is operating a DNS over HTTPS [RFC8484] server on it for users connected to that network.¶
This note is to be removed before publishing as an RFC.¶
Source for this draft and an issue tracker can be found at https://github.com/ekr/draft-rescorla-doh-cdisco.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 27 December 2020.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Some applications perform their own name resolution rather than using the system resolver, typically using an encrypted protocol such as DoH [RFC8484]. These applications have the choice of using either the same recursive resolver configured into the system or of using a resolver chosen out of a preconfigured list of trusted resolvers in an application, such as in [DOHTRR].¶
If all of the trusted resolvers are publicly available, then there are a number of mechanisms for choosing between them, for instance randomly or based on performance. [I-D.arkko-abcd-distributed-resolver-selection] describes a number of potential mechanisms. However, if the list of trusted resolvers includes Internet Service Providers (ISPs) and the client is on a network associated with such a provider, then it may be desirable to preferentially select the resolver associated with that provider. This provides the benefits both of using a DNS resolver with a known policy and using a resolver that has high quality local information about the local network topology.¶
This document describes a mechanism to address this situation. This mechanism is being tested in the Firefox browser with Comcast's resolvers.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The basic mechanism described in this document is straightforward and has been chosen for ease of implementation rather than architectural correctness.¶
+--------------+ Provision CNAME | | doh.test -> resolver.example -> | ISP Resolver | | | +--------------+ ^ | | | doh.test? | | resolver.example | | | v +--------------+ | | | Client | | | +--------------+¶
A network provider can publish the fact that it has an associated DoH resolver on its network by configuring its own resolvers to serve a CNAME record at a well known domain name which cannot be otherwise registered. The current test deployment uses "doh.test" (see [RFC2606] for the definition of .test). This CNAME points to the domain name of the associated DoH resolver ("resolver.example" in the diagram above).¶
[[OPEN ISSUE: doh.test is probably the wrong domain. We may pick something else later.]]¶
A client which wishes to test for the presence of a DoH resolver on the network takes the following steps:¶
As noted above, this mechanism was designed for ease of implementation.¶
Comcast's resolvers and authoritative servers have been configured with some additional records to support the Firefox applications and potential future applications. The DNS behavior is as follows, where example.com is the domain used for naming provider services:¶
The next few sections describe the reasoning for some of the design choices.¶
Considering that many applications do not act as a DNS client and instead use platform functions such as getaddrinfo, the domain of the associated resolver SHOULD also have an A record, so the call to getaddrinfo does not fail.¶
There have been a number of discussions of using non-DNS mechanisms resolver information, for instance as in Section 4 of [I-D.pauly-add-resolver-discovery]. While arguably more architecturally correct in terms of layering, they have a number of deployment drawbacks:¶
For these reasons, DNS seems to be the easiest solution to deploy quickly.¶
Most other proposed designs (e.g., [I-D.pp-add-resinfo] and [I-D.pp-add-stub-upgrade], and [I-D.pauly-add-resolver-discovery]) use new RRtypes. While this may be the right answer eventually, it is less convenient for immediate deployment, for several reasons:¶
The choice to use a CNAME does have one major drawback: it does not let us provide the URL template but only the name of the resolver. This is not a problem for our system in practice because Firefox will only connect to resolvers on a preconfigured list and thus will use the CNAME as a lookup key for that list. The Mozilla team is working to measure the rate of new RRType interference and may revise this approach depending on the results of that.¶
[[OPEN ISSUE: We are working to measure the rate of new RRType interference and may revise this approach depending on the results of that.]]¶
Because the initial request for discovery is done over insecure DNS (Do53), a local attacker or malicious local resolver can substitute their own response. However, because this mechanism only selects from a list of preconfigured trusted resolvers, an attacker can only redirect you to a different resolver out of that list, which by definition is also trusted. Note: the URI field potentially has different security properties depending on how it is used. As noted above; Firefox does not use it.¶
If the server which is redirected to is not publicly available, this mechanism can be used as a DoS attack. Application clients should test the selected server before committing to it and otherwise fall back to their ordinary DoH selection logic.¶
Any local discovery mechanism has potential privacy impacts: suppose that a user uses their mobile device on ISP A, which redirects it to their own resolver, and ISP B which does not. In that case, the user's DNS queries will be spread over both ISP A's resolver and one of the public trusted resolvers, which could have an impact on the user's privacy. This has to be balanced against the improvement obtained by using a local resolver and the level of metadata leakage that currently occurs to the ISP, but can be mitigated through trusted recursive resolver policies.¶
This document has no IANA actions.¶
TODO acknowledge.¶