rfc9156v1.txt | rfc9156.txt | |||
---|---|---|---|---|
Internet Engineering Task Force (IETF) S. Bortzmeyer | Internet Engineering Task Force (IETF) S. Bortzmeyer | |||
Request for Comments: 9156 AFNIC | Request for Comments: 9156 AFNIC | |||
Obsoletes: 7816 R. Dolmans | Obsoletes: 7816 R. Dolmans | |||
Category: Standards Track NLnet Labs | Category: Standards Track NLnet Labs | |||
ISSN: 2070-1721 P. Hoffman | ISSN: 2070-1721 P. Hoffman | |||
ICANN | ICANN | |||
October 2021 | November 2021 | |||
DNS Query Name Minimisation to Improve Privacy | DNS Query Name Minimisation to Improve Privacy | |||
Abstract | Abstract | |||
This document describes a technique called "QNAME minimisation" to | This document describes a technique called "QNAME minimisation" to | |||
improve DNS privacy, where the DNS resolver no longer always sends | improve DNS privacy, where the DNS resolver no longer always sends | |||
the full original QNAME and original QTYPE to the upstream name | the full original QNAME and original QTYPE to the upstream name | |||
server. This document obsoletes RFC 7816. | server. This document obsoletes RFC 7816. | |||
skipping to change at line 44 ¶ | skipping to change at line 44 ¶ | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Revised BSD License text as described in Section 4.e of the | |||
the Trust Legal Provisions and are provided without warranty as | Trust Legal Provisions and are provided without warranty as described | |||
described in the Simplified BSD License. | in the Revised BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction and Background | 1. Introduction and Background | |||
1.1. Experience from RFC 7816 | 1.1. Experience from RFC 7816 | |||
1.2. Terminology | 1.2. Terminology | |||
2. Description of QNAME Minimisation | 2. Description of QNAME Minimisation | |||
2.1. QTYPE Selection | 2.1. QTYPE Selection | |||
2.2. QNAME Selection | 2.2. QNAME Selection | |||
2.3. Limit Number of Queries | 2.3. Limitation of the Number of Queries | |||
2.4. Stub and Forwarding Resolvers | 2.4. Implementation by Stub and Forwarding Resolvers | |||
3. Algorithm to Perform QNAME Minimisation | 3. Algorithm to Perform QNAME Minimisation | |||
4. QNAME Minimisation Examples | 4. QNAME Minimisation Examples | |||
5. Performance Considerations | 5. Performance Considerations | |||
6. Security Considerations | 6. Security Considerations | |||
7. References | 7. References | |||
7.1. Normative References | 7.1. Normative References | |||
7.2. Informative References | 7.2. Informative References | |||
Acknowledgments | Acknowledgments | |||
Authors' Addresses | Authors' Addresses | |||
skipping to change at line 180 ¶ | skipping to change at line 180 ¶ | |||
still allowed. The authority of NS records lies at the child side. | still allowed. The authority of NS records lies at the child side. | |||
The parent side of the delegation will answer using a referral, like | The parent side of the delegation will answer using a referral, like | |||
it will do for queries with other QTYPEs. Using the NS QTYPE | it will do for queries with other QTYPEs. Using the NS QTYPE | |||
therefore has no added value over other QTYPEs. | therefore has no added value over other QTYPEs. | |||
The QTYPE to use while minimising queries can be any possible data | The QTYPE to use while minimising queries can be any possible data | |||
type (as defined in Section 3.1 of [RFC6895]) for which the authority | type (as defined in Section 3.1 of [RFC6895]) for which the authority | |||
always lies below the zone cut (i.e., not DS, NSEC, NSEC3, OPT, TSIG, | always lies below the zone cut (i.e., not DS, NSEC, NSEC3, OPT, TSIG, | |||
TKEY, ANY, MAILA, MAILB, AXFR, and IXFR), as long as there is no | TKEY, ANY, MAILA, MAILB, AXFR, and IXFR), as long as there is no | |||
relation between the incoming QTYPE and the selection of the QTYPE to | relation between the incoming QTYPE and the selection of the QTYPE to | |||
use while minimising. Good candidates are to always use the A or | use while minimising. The A or AAAA QTYPEs are always good | |||
AAAA QTYPEs because these are the least likely to raise issues in DNS | candidates to use because these are the least likely to raise issues | |||
software and middleboxes that do not properly support all QTYPEs. | in DNS software and middleboxes that do not properly support all | |||
QTYPE=A or QTYPE=AAAA queries will also blend into traffic from | QTYPEs. QTYPE=A or QTYPE=AAAA queries will also blend into traffic | |||
nonminimising resolvers, making it in some cases harder to observe | from nonminimising resolvers, making it in some cases harder to | |||
that the resolver is using QNAME minimisation. Using a QTYPE that | observe that the resolver is using QNAME minimisation. Using a QTYPE | |||
occurs most in incoming queries will slightly reduce the number of | that occurs most in incoming queries will slightly reduce the number | |||
queries, as there is no extra check needed for delegations on non- | of queries, as there is no extra check needed for delegations on non- | |||
apex records. | apex records. | |||
2.2. QNAME Selection | 2.2. QNAME Selection | |||
The minimising resolver works perfectly when it knows the zone cut | The minimising resolver works perfectly when it knows the zone cut | |||
(zone cuts are described in Section 6 of [RFC2181]). But zone cuts | (zone cuts are described in Section 6 of [RFC2181]). But zone cuts | |||
do not necessarily exist at every label boundary. In the name | do not necessarily exist at every label boundary. In the name | |||
www.foo.bar.example, it is possible that there is a zone cut between | www.foo.bar.example, it is possible that there is a zone cut between | |||
"foo" and "bar" but not between "bar" and "example". So, assuming | "foo" and "bar" but not between "bar" and "example". So, assuming | |||
that the resolver already knows the name servers of example, when it | that the resolver already knows the name servers of example, when it | |||
receives the query "What is the AAAA record of www.foo.bar.example?", | receives the query "What is the AAAA record of www.foo.bar.example?", | |||
it does not always know where the zone cut will be. To find the zone | it does not always know where the zone cut will be. To find the zone | |||
cut, it will query the example name servers for a record for | cut, it will query the example name servers for a record for | |||
bar.example. It will get a non-referral answer, so it has to query | bar.example. It will get a non-referral answer, so it has to query | |||
the example name servers again with one more label, and so on. | the example name servers again with one more label, and so on. | |||
(Section 3 describes this algorithm in deeper detail.) | (Section 3 describes this algorithm in deeper detail.) | |||
2.3. Limit Number of Queries | 2.3. Limitation of the Number of Queries | |||
When using QNAME minimisation, the number of labels in the received | When using QNAME minimisation, the number of labels in the received | |||
QNAME can influence the number of queries sent from the resolver. | QNAME can influence the number of queries sent from the resolver. | |||
This opens an attack vector and can decrease performance. Resolvers | This opens an attack vector and can decrease performance. Resolvers | |||
supporting QNAME minimisation MUST implement a mechanism to limit the | supporting QNAME minimisation MUST implement a mechanism to limit the | |||
number of outgoing queries per user request. | number of outgoing queries per user request. | |||
Take for example an incoming QNAME with many labels, like | Take for example an incoming QNAME with many labels, like | |||
www.host.group.department.example.com, where | www.host.group.department.example.com, where | |||
host.group.department.example.com is hosted on example.com's name | host.group.department.example.com is hosted on example.com's name | |||
skipping to change at line 268 ¶ | skipping to change at line 268 ¶ | |||
the incoming QNAME. The first MINIMISE_ONE_LAB labels will be | the incoming QNAME. The first MINIMISE_ONE_LAB labels will be | |||
handled as described in Section 2. The number of labels that are | handled as described in Section 2. The number of labels that are | |||
still not exposed now need to be divided proportionally over the | still not exposed now need to be divided proportionally over the | |||
remaining iterations (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB). If the | remaining iterations (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB). If the | |||
not-yet-exposed labels cannot be equally divided over the remaining | not-yet-exposed labels cannot be equally divided over the remaining | |||
iterations, the remainder of the division should be added to the last | iterations, the remainder of the division should be added to the last | |||
iterations. For example, when resolving a QNAME with 18 labels with | iterations. For example, when resolving a QNAME with 18 labels with | |||
MAX_MINIMISE_COUNT set to 10 and MINIMISE_ONE_LAB set to 4, the | MAX_MINIMISE_COUNT set to 10 and MINIMISE_ONE_LAB set to 4, the | |||
number of labels added per iteration are: 1,1,1,1,2,2,2,2,3,3. | number of labels added per iteration are: 1,1,1,1,2,2,2,2,3,3. | |||
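The label schedule described in the paragraph above, as an added worked example (this is illustration code, not code from RFC 9156 or from any resolver implementation). It computes how many labels each outgoing query adds once the not-yet-exposed part of the QNAME exceeds MAX_MINIMISE_COUNT, and turns that schedule into the sequence of minimised QNAMEs. The function names, the input convention (a count of labels still to expose, and a count of trailing labels already known as a zone cut) and the handling of the corner case where MINIMISE_ONE_LAB equals MAX_MINIMISE_COUNT are this example's own assumptions; the text shown here does not spell them out.

```python
"""Per-query label schedule that bounds the number of QNAME minimisation
queries (RFC 9156, section 2.3).  Added illustration, not code from the RFC;
the function names, the input convention (a count of not-yet-exposed labels)
and the MINIMISE_ONE_LAB == MAX_MINIMISE_COUNT corner case are assumptions."""


def label_schedule(labels_to_expose, max_minimise_count, minimise_one_lab):
    """How many new labels each outgoing query adds.

    labels_to_expose: labels of the QNAME below the closest zone cut the
    resolver already knows (these still have to be sent upstream).
    max_minimise_count: upper bound on minimising queries per user request.
    minimise_one_lab: how many of those queries add exactly one label.
    """
    if not 0 <= minimise_one_lab <= max_minimise_count or max_minimise_count < 1:
        raise ValueError("need 0 <= MINIMISE_ONE_LAB <= MAX_MINIMISE_COUNT, MAX >= 1")
    # Names short enough to fit the budget are handled as in section 2:
    # one label per query, nothing to compress.
    if labels_to_expose <= max_minimise_count:
        return [1] * labels_to_expose
    schedule = [1] * minimise_one_lab
    remaining_labels = labels_to_expose - minimise_one_lab
    remaining_queries = max_minimise_count - minimise_one_lab
    if remaining_queries == 0:
        # Assumption for the corner case the text does not cover: no budget
        # is left, so the last query carries all remaining labels.
        schedule[-1] += remaining_labels
        return schedule
    # Divide proportionally; the remainder goes to the last queries.
    base, extra = divmod(remaining_labels, remaining_queries)
    return schedule + [base] * (remaining_queries - extra) + [base + 1] * extra


def minimised_qnames(qname, known_labels, max_minimise_count, minimise_one_lab):
    """The QNAMEs a minimising resolver sends, when the trailing `known_labels`
    labels form a zone whose name servers are already cached."""
    labels = qname.split(".")
    exposed, names = known_labels, []
    for step in label_schedule(len(labels) - known_labels, max_minimise_count, minimise_one_lab):
        exposed += step
        names.append(".".join(labels[-exposed:]))
    return names
```

With the RFC's own parameters (MAX_MINIMISE_COUNT 10, MINIMISE_ONE_LAB 4) an 18-label name gives the schedule 1,1,1,1,2,2,2,2,3,3 from the text, while a short name such as www.host.group.department.example.com with the com servers already known is sent one label at a time; the budget only kicks in when an attacker-controlled name is long enough to exceed it.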
2.4. Stub and Forwarding Resolvers | 2.4. Implementation by Stub and Forwarding Resolvers | |||
Stub and forwarding resolvers MAY implement QNAME minimisation. | Stub and forwarding resolvers MAY implement QNAME minimisation. | |||
Minimising queries that will be sent to an upstream resolver do not | Minimising queries that will be sent to an upstream resolver does not | |||
help in hiding data from the upstream resolver because all | help in hiding data from the upstream resolver because all | |||
information will end up there anyway. It might however limit the | information will end up there anyway. It might however limit the | |||
data exposure between the upstream resolver and the authoritative | data exposure between the upstream resolver and the authoritative | |||
name server in the situation where the upstream resolver does not | name server in the situation where the upstream resolver does not | |||
support QNAME minimisation. Using QNAME minimisation in a stub or | support QNAME minimisation. Using QNAME minimisation in a stub or | |||
forwarding resolver that does not have a mechanism to find and cache | forwarding resolver that does not have a mechanism to find and cache | |||
zone cuts will drastically increase the number of outgoing queries. | zone cuts will drastically increase the number of outgoing queries. | |||
3. Algorithm to Perform QNAME Minimisation | 3. Algorithm to Perform QNAME Minimisation | |||
skipping to change at line 361 ¶ | skipping to change at line 361 ¶ | |||
4. QNAME Minimisation Examples | 4. QNAME Minimisation Examples | |||
As a first example, assume that a resolver receives a request to | As a first example, assume that a resolver receives a request to | |||
resolve foo.bar.baz.example. Assume that the resolver already knows | resolve foo.bar.baz.example. Assume that the resolver already knows | |||
that ns1.nic.example is authoritative for .example and that the | that ns1.nic.example is authoritative for .example and that the | |||
resolver does not know a more specific authoritative name server. It | resolver does not know a more specific authoritative name server. It | |||
will send the query with QNAME=baz.example and the QTYPE selected to | will send the query with QNAME=baz.example and the QTYPE selected to | |||
hide the original QTYPE to ns1.nic.example. | hide the original QTYPE to ns1.nic.example. | |||
The following are more detailed examples of other queries with QNAME | ||||
minimisation, using other names and authoritative servers: | ||||
Cold cache, traditional resolution algorithm without QNAME | ||||
minimisation, request for MX record of a.b.example.org: | ||||
+=======+=================+=========================+======+ | +=======+=================+=========================+======+ | |||
| QTYPE | QNAME | TARGET | NOTE | | | QTYPE | QNAME | TARGET | NOTE | | |||
+=======+=================+=========================+======+ | +=======+=================+=========================+======+ | |||
| MX | a.b.example.org | root name server | | | | MX | a.b.example.org | root name server | | | |||
+-------+-----------------+-------------------------+------+ | +-------+-----------------+-------------------------+------+ | |||
| MX | a.b.example.org | org name server | | | | MX | a.b.example.org | org name server | | | |||
+-------+-----------------+-------------------------+------+ | +-------+-----------------+-------------------------+------+ | |||
| MX | a.b.example.org | example.org name server | | | | MX | a.b.example.org | example.org name server | | | |||
+-------+-----------------+-------------------------+------+ | +-------+-----------------+-------------------------+------+ | |||
Table 1 | Table 1: Cold Cache, Traditional Resolution Algorithm | |||
without QNAME Minimisation, Request for MX Record of | ||||
a.b.example.org | ||||
Cold cache, with QNAME minimisation, request for MX record of | The following are more detailed examples of requests for an MX record | |||
a.b.example.org, using the A QTYPE to hide the original QTYPE: | of a.b.example.org with QNAME minimisation, using A QTYPE to hide the | |||
original QTYPE and using other names and authoritative servers: | ||||
+=======+=================+=========================+============+ | +=======+=================+=========================+============+ | |||
| QTYPE | QNAME | TARGET | NOTE | | | QTYPE | QNAME | TARGET | NOTE | | |||
+=======+=================+=========================+============+ | +=======+=================+=========================+============+ | |||
| A | org | root name server | | | | A | org | root name server | | | |||
+-------+-----------------+-------------------------+------------+ | +-------+-----------------+-------------------------+------------+ | |||
| A | example.org | org name server | | | | A | example.org | org name server | | | |||
+-------+-----------------+-------------------------+------------+ | +-------+-----------------+-------------------------+------------+ | |||
| A | b.example.org | example.org name server | | | | A | b.example.org | example.org name server | | | |||
+-------+-----------------+-------------------------+------------+ | +-------+-----------------+-------------------------+------------+ | |||
| A | a.b.example.org | example.org name server | "a" may be | | | A | a.b.example.org | example.org name server | "a" may be | | |||
| | | | delegated | | | | | | delegated | | |||
+-------+-----------------+-------------------------+------------+ | +-------+-----------------+-------------------------+------------+ | |||
| MX | a.b.example.org | example.org name server | | | | MX | a.b.example.org | example.org name server | | | |||
+-------+-----------------+-------------------------+------------+ | +-------+-----------------+-------------------------+------------+ | |||
Table 2 | Table 2: Cold Cache with QNAME Minimisation | |||
Note that, in the above example, one query would have been saved if | Note that, in the above example, one query would have been saved if | |||
the incoming QTYPE was the same as the QTYPE selected by the resolver | the incoming QTYPE was the same as the QTYPE selected by the resolver | |||
to hide the original QTYPE. Only one query for a.b.example.org would | to hide the original QTYPE. Only one query for a.b.example.org would | |||
have been needed if the original QTYPE would have been A. Using the | have been needed if the original QTYPE would have been A. Using the | |||
most-used QTYPE to hide the original QTYPE therefore slightly reduces | most-used QTYPE to hide the original QTYPE therefore slightly reduces | |||
the number of outgoing queries compared to using any other QTYPE to | the number of outgoing queries compared to using any other QTYPE to | |||
hide the original QTYPE. | hide the original QTYPE. | |||
Warm cache with only org delegation known (example.org's NS RRset is | : | |||
not known), request for MX record of a.b.example.org, using A QTYPE | ||||
to hide the original QTYPE: | ||||
+=======+=================+=========================+============+ | +=======+=================+=========================+============+ | |||
| QTYPE | QNAME | TARGET | NOTE | | | QTYPE | QNAME | TARGET | NOTE | | |||
+=======+=================+=========================+============+ | +=======+=================+=========================+============+ | |||
| A | example.org | org name server | | | | A | example.org | org name server | | | |||
+-------+-----------------+-------------------------+------------+ | +-------+-----------------+-------------------------+------------+ | |||
| A | b.example.org | example.org name server | | | | A | b.example.org | example.org name server | | | |||
+-------+-----------------+-------------------------+------------+ | +-------+-----------------+-------------------------+------------+ | |||
| A | a.b.example.org | example.org name server | "a" may be | | | A | a.b.example.org | example.org name server | "a" may be | | |||
| | | | delegated | | | | | | delegated | | |||
+-------+-----------------+-------------------------+------------+ | +-------+-----------------+-------------------------+------------+ | |||
| MX | a.b.example.org | example.org name server | | | | MX | a.b.example.org | example.org name server | | | |||
+-------+-----------------+-------------------------+------------+ | +-------+-----------------+-------------------------+------------+ | |||
Table 3 | Table 3: Warm Cache with QNAME Minimisation | |||
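Review bot: the right-hand text drops the preamble that introduced Table 3, "Warm cache with only org delegation known (example.org's NS RRset is not known), request for MX record of a.b.example.org, using A QTYPE to hide the original QTYPE:", and leaves a lone ":" in its place; the new caption "Table 3: Warm Cache with QNAME Minimisation" no longer states the cache precondition, which is the only thing explaining why this sequence starts at the org name server and is one query shorter than Table 2. Suggest either moving that precondition into the caption, as was done for Table 1, or keeping the sentence and removing the stray ":".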
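The three query sequences in Tables 1 to 3, the zone-cut probing from Section 2.2, the QTYPE restriction from Section 2.1 and the NXDOMAIN case from Section 5, as one added worked example: a small in-memory resolver model that is not code from the RFC or from any production resolver. The zone data is constructed for the example (a root server delegating org, an org server delegating example.org, and an example.org server holding an MX record at a.b.example.org, with b.example.org existing only as an empty non-terminal so that the probe for it gets the non-referral NODATA answer the tables rely on). The server names are the tables' TARGET strings; the cache layout, the Resolver class and the RFC 8020-style rule that a cached NXDOMAIN covers every name below it are assumptions of this example.

```python
"""In-memory model of a recursive resolver with and without QNAME minimisation.
Added illustration for RFC 9156, not code from the RFC or any real resolver;
zone data, server names and cache layout are constructed for the example."""

# Section 2.1: QTYPEs whose authority is not always below the zone cut;
# never use one of these to hide the original QTYPE.
UNSAFE_HIDING_QTYPES = {"DS", "NSEC", "NSEC3", "OPT", "TSIG", "TKEY", "ANY",
                        "MAILA", "MAILB", "AXFR", "IXFR"}

# Constructed authoritative data: each server serves one zone, refers
# queries below its delegations, and holds records for the names listed.
AUTH = {
    "root name server": {"zone": "", "names": {},
                         "delegations": {"org": "org name server"}},
    "org name server": {"zone": "org", "names": {},
                        "delegations": {"example.org": "example.org name server"}},
    "example.org name server": {"zone": "example.org", "delegations": {},
                                "names": {"a.b.example.org": {"MX": "10 mail.example.org."}}},
}

def authoritative_answer(server, qname, qtype):
    """REFERRAL below a zone cut, NXDOMAIN for a missing name, NODATA for a name
    that exists without the type (empty non-terminals included), else ANSWER."""
    zone = AUTH[server]
    for child, child_ns in zone["delegations"].items():
        if qname == child or qname.endswith("." + child):
            return "REFERRAL", child_ns
    records = zone["names"].get(qname)
    if records is None:
        exists = qname == zone["zone"] or any(n.endswith("." + qname) for n in zone["names"])
        return ("NODATA", None) if exists else ("NXDOMAIN", None)
    return ("ANSWER", records[qtype]) if qtype in records else ("NODATA", None)

class Resolver:
    def __init__(self, known_zones=None):
        self.ns_cache = {"": "root name server", **(known_zones or {})}  # apex -> server
        self.negative_cache = set()  # names answered NXDOMAIN
        self.log = []                # (QTYPE, QNAME, TARGET) per outgoing query

    def _closest_known_zone(self, labels):
        return next((".".join(labels[i:]) for i in range(len(labels))
                     if ".".join(labels[i:]) in self.ns_cache), "")

    def _send(self, server, qname, qtype):
        self.log.append((qtype, qname, server))
        kind, data = authoritative_answer(server, qname, qtype)
        if kind == "REFERRAL":
            self.ns_cache[AUTH[data]["zone"]] = data  # remember the zone cut
        elif kind == "NXDOMAIN":
            self.negative_cache.add(qname)
        return kind, data

    def resolve(self, qname, qtype, minimise=True, hiding_qtype="A"):
        assert hiding_qtype not in UNSAFE_HIDING_QTYPES
        self.log, labels = [], qname.split(".")
        n = len(labels)
        # Assumption (RFC 8020 semantics): a cached NXDOMAIN for "example"
        # answers "b.example" without any outgoing query.
        if any(".".join(labels[i:]) in self.negative_cache for i in range(n)):
            return "NXDOMAIN"
        zone = self._closest_known_zone(labels)
        server = self.ns_cache[zone]
        if not minimise:  # traditional: full QNAME and QTYPE to every server
            kind, data = self._send(server, qname, qtype)
            while kind == "REFERRAL":
                kind, data = self._send(data, qname, qtype)
            return kind
        # Minimising: one more label per query below the closest known zone
        # cut, with the hiding QTYPE until the full name is reached.
        known = len(zone.split(".")) if zone else 0
        use = kind = None
        for exposed in range(known + 1, n + 1):
            sub = ".".join(labels[n - exposed:])
            use = qtype if exposed == n and qtype == hiding_qtype else hiding_qtype
            kind, data = self._send(server, sub, use)
            if kind == "NXDOMAIN":
                return "NXDOMAIN"
            if kind == "REFERRAL":
                server = data  # zone cut found; the next label goes to the child
        # Send the original question unless the last probe already was it and
        # was answered rather than referred onward.
        if use != qtype or kind == "REFERRAL":
            kind, _ = self._send(server, qname, qtype)
        return kind

def query_sequence(qname, qtype, minimise, known_zones=None):
    """One resolution on a fresh cache; returns the outgoing (QTYPE, QNAME, TARGET) list."""
    r = Resolver(known_zones)
    r.resolve(qname, qtype, minimise=minimise)
    return r.log

def root_queries_for_missing_tld(names, minimise):
    """Section 5: queries reaching the root for names under a TLD that does not
    exist, with one cache shared across the lookups."""
    r, total = Resolver(), 0
    for name in names:
        r.resolve(name, "A", minimise=minimise)
        total += sum(1 for _, _, target in r.log if target == "root name server")
    return total
```

query_sequence("a.b.example.org", "MX", minimise=False) yields the three rows of Table 1, the same call with minimise=True yields the five rows of Table 2, and passing known_zones={"org": "org name server"} yields the four rows of Table 3. Asking for QTYPE A instead of MX on the cold cache needs one query fewer, which is the saving the text attributes to choosing the most-used QTYPE as the hiding QTYPE, and root_queries_for_missing_tld over a.example, b.example and c.example sends three NXDOMAIN-producing queries to the root without minimisation but only one with it.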
5. Performance Considerations | 5. Performance Considerations | |||
The main goal of QNAME minimisation is to improve privacy by sending | The main goal of QNAME minimisation is to improve privacy by sending | |||
less data. However, it may have other advantages. For instance, if | less data. However, it may have other advantages. For instance, if | |||
a resolver sends a root name server queries for A.example followed by | a resolver sends a root name server queries for A.example followed by | |||
B.example followed by C.example, the result will be three NXDOMAINs, | B.example followed by C.example, the result will be three NXDOMAINs, | |||
since .example does not exist in the root zone. When using QNAME | since .example does not exist in the root zone. When using QNAME | |||
minimisation, the resolver would send only one question (for .example | minimisation, the resolver would send only one question (for .example | |||
itself) to which they could answer NXDOMAIN. The resolver can cache | itself) to which they could answer NXDOMAIN. The resolver can cache | |||
skipping to change at line 454 ¶ | skipping to change at line 449 ¶ | |||
[devries-qnamemin], QNAME minimisation both increases the number of | [devries-qnamemin], QNAME minimisation both increases the number of | |||
DNS lookups by up to 26% and leads to up to 5% more failed lookups. | DNS lookups by up to 26% and leads to up to 5% more failed lookups. | |||
Filling the cache in a production resolver will soften that overhead. | Filling the cache in a production resolver will soften that overhead. | |||
6. Security Considerations | 6. Security Considerations | |||
QNAME minimisation's benefits are clear in the case where you want to | QNAME minimisation's benefits are clear in the case where you want to | |||
decrease exposure of the queried name to the authoritative name | decrease exposure of the queried name to the authoritative name | |||
server. But minimising the amount of data sent also, in part, | server. But minimising the amount of data sent also, in part, | |||
addresses the case of a wire sniffer as well as the case of privacy | addresses the case of a wire sniffer as well as the case of privacy | |||
invasion by the authoritative name servers. (Encryption is of course | invasion by the authoritative name servers. Encryption is of course | |||
a better defense against wire sniffers, but, unlike QNAME | a better defense against wire sniffers, but, unlike QNAME | |||
minimisation, it changes the protocol and cannot be deployed | minimisation, it changes the protocol and cannot be deployed | |||
unilaterally. Also, the effect of QNAME minimisation on wire | unilaterally. Also, the effect of QNAME minimisation on wire | |||
sniffers depends on whether the sniffer is on the DNS path.) | sniffers depends on whether the sniffer is on the DNS path. | |||
QNAME minimisation offers no protection against the recursive | QNAME minimisation offers no protection against the recursive | |||
resolver, which still sees the full request coming from the stub | resolver, which still sees the full request coming from the stub | |||
resolver. | resolver. | |||
A resolver using QNAME minimisation can possibly be used to cause a | A resolver using QNAME minimisation can possibly be used to cause a | |||
query storm to be sent to servers when resolving queries containing a | query storm to be sent to servers when resolving queries containing a | |||
QNAME with a large number of labels, as described in Section 2.3. | QNAME with a large number of labels, as described in Section 2.3. | |||
That section proposes methods to significantly dampen the effects of | That section proposes methods to significantly dampen the effects of | |||
such attacks. | such attacks. | |||
End of changes. 15 change blocks. | ||||
33 lines changed or deleted | 28 lines changed or added | |||