Authoritative Servers – Cisco Names and Time

Authoritative DNS servers are maintained by any organization that assigns and manages domain names, including

• Large organizations like colleges and companies that have a domain name.

• Domain name resellers

• Hosting companies


Hosting companies, for instance, sell website hosting to individuals and organizations. Many bundle a domain name with the site and run an authoritative server that answers queries for the IP address of each site they host.

DNS Security and Privacy

Using DNS exposes a lot of user information. Consider the situation shown in Figure 16-7.

Figure 16-7 Typical DNS Query Path

Host A’s DNS queries to the recursive server travel in cleartext on UDP or TCP port 53, with no encryption and no integrity protection. The access provider, or an attacker positioned in the access provider’s network, can capture every DNS query sent by every host attached to (or behind) that network. An observer who can capture and analyze the queries of a user, or even a group of users, learns a great deal about their browsing habits, interests, and concerns, without ever seeing the web traffic itself.

Imagine the following situation, for instance:

• A person checks out of their doctor’s office, generating DNS queries to a payment service.

• A person meets with a friend at a local restaurant, generating DNS queries to social media and payment processing sites.

• The friend searches for a particular disease while at the restaurant, generating DNS queries for a website specializing in this medical condition.

Anyone observing these DNS queries can infer the person has just been informed they have the medical condition—a significant breach of their privacy.

Encrypted DNS Queries

Encrypting the DNS queries between host A and the recursive server prevents the access provider, and any attacker inside the access provider’s network, from reading them. The observer still sees that host A is talking to a resolver, but not which names it asks for.

DNS over HTTPS (DoH) and DNS over TLS (DoT) both encrypt the traffic between the host and the recursive DNS server; the message inside is the same RFC 1035 DNS message in either case. The two differ in where they are implemented and how they look on the wire:

• DoH carries the DNS message inside an HTTPS request on TCP port 443, so it is indistinguishable from ordinary web traffic. It is most commonly implemented in the application, above all the web browser; when a browser uses DoH, that browser’s lookups bypass the host operating system’s stub resolver entirely. Browsers and the major public recursive resolvers all support DoH, and newer operating systems (Windows 11, iOS, and macOS) can also be configured to use it system-wide.

• DoT carries the DNS message over a TLS session on its own port, TCP 853, so it can be recognized, and blocked, by port number alone. It is implemented in the operating system’s network stack rather than in individual applications, so every application benefits and the system DNS cache keeps working. Android has offered DoT (the Private DNS setting) since Android 9 and the major public resolvers support it, but client-side adoption of DoT remains narrower than that of DoH.

Moving DNS into the application, as DoH does, has downsides:

• The operating system’s DNS cache is no longer used. Each browser or other application keeps its own cache, so a name already resolved by one program is queried again by the next, and tools that inspect or control the system resolver (for troubleshooting or for host-based security controls) see nothing.

• Local network operators lose visibility into, and control over, DNS. An organization that filters access to specific sites by inspecting or blocking DNS queries at a firewall or its own recursive resolver is bypassed as soon as the browser resolves names through an outside DoH server. Blocking DoT is easy, because it lives on TCP 853; blocking DoH generally means blocking the addresses or hostnames of known DoH resolvers, since the traffic itself is ordinary HTTPS on port 443. Some browsers also honor a network signal: Firefox, for example, disables its default DoH when the local resolver returns NXDOMAIN for the canary domain use-application-dns.net.


Oblivious Encrypted DNS Queries

Encrypting DNS queries prevents the access provider, and attackers inside its network, from observing a user’s queries, but the recursive server itself still sees every query together with the client’s IP address. Oblivious DNS over HTTPS (oDoH) aims to solve this problem. Figure 16-8 illustrates the operation of oDoH.

Figure 16-8 oDoH Operation

In oDoH, an oblivious proxy is placed between the client and the recursive server, which oDoH calls the target. From the perspective of the host or web browser, the proxy is where DoH requests are sent, but the proxy does not resolve anything.

The client encrypts each query to the target’s public key and sends the ciphertext to the proxy over HTTPS. The proxy cannot decrypt it; it forwards the opaque blob to the target and later relays the target’s reply. The target decrypts the query, resolves it, and encrypts the response so that only the client can read it. The separation is the point: the proxy knows which client is asking but not what it asks, and the target knows what is asked but sees only the proxy’s address, never the client’s. Neither party alone can link a user to their queries.

Users still need to trust that the proxy and the target do not collude (or are not operated by the same party); if the two share logs, the separation collapses.

Because there are open-source implementations of oDoH, however, organizations and individuals can run their own proxy (or target), pointing their web browsers at it rather than directly at a public recursive server. Some companies, like Apple, run private, non-recording oDoH infrastructure as part of their customer privacy protection systems.
