DNS over HTTPS

Captions
Hi, welcome to this latest episode of Lightboard Lessons. Today we're gonna talk about DNS over TLS and DNS over HTTP. Really, we're gonna talk mostly about DNS over HTTP. They're roughly the same: one rides over TLS alone, one rides over HTTPS, which has TLS underlying, so it's just an additional layer of transport there with DNS over HTTP. But that's what I want to focus on today, because there are some more interesting developments in industry specifically over DNS over HTTP and how browsers are not only implementing that but starting to make a play to enforce that. So we're going to talk about the technical side, and then we're going to talk about some of the ramifications for the industry from a user perspective, provider perspective, security perspective, all of the above. So let's get started.

All right, let's take a brief detour to kind of look at how DNS works in the first place. You have a client out in the internet somewhere, and they want to go to devcentral.f5.com because they love it and it's exciting and they'll get to learn new things. And so they will ask, through their infrastructure, an LDNS service that they are configured for, because the router that you have established in your infrastructure, whether it's just your home or an enterprise, will come out and request that service. So the LDNS could be within your organization or coming out to some kind of attached resolver. But anyway, for a client this is typically unencrypted over UDP, and that's on port 53. Now, you can also make TCP requests on port 53, but primarily requests are UDP port 53. And so they'll get a response, and that response will come back to the client, and then they can make their HTTP request to go out to the address that they were given for DevCentral. And that's the way DNS has worked for 30 plus years, 40 plus years, I don't know, it's been a long time.

And so there's a disruptive force now with new standards for DNS over TLS and DNS over HTTP. What happens there is you have your client, and instead of making a request for DevCentral over UDP 53, you come out to the world and you make an encrypted request straight to that DNS service over HTTPS, and that's on port 443. And so then you make a request out to DevCentral, and you don't have to worry about an attacker getting in the middle. So, like, if you're sitting at a coffee shop and you're making this request to UDP 53, maybe there's a service sitting in that coffee shop that has been compromised and it's gonna give you a bad answer for that query that you made. Well, if your queries are going over to this LDNS, like Cloudflare has one, or even Google offers DoH, when you're coming over here then that coffee shop's infected resolver is not going to see that request, so it cannot inject the problem there. So we'll get to some of the security concerns about that shift here in a little bit.

But I wanted to talk briefly about the different ways on F5 technology that you can inject your configuration in your environment, either on the client side or the server side, and the way that works. If you go out to DevCentral you can look up an article called "Unbreaking the Internet", and Eric Chen details kind of a client side for, say, the clients don't support DoH, what do you do about that, or DoT, and how do you support that. And so what you can do on a BIG-IP is send your normal UDP 53 request to the BIG-IP, and then the BIG-IP can apply a server SSL profile to that, and then change that UDP 53: take the payload of that request, convert that from a normal DNS request and bundle it into an HTTP request. And so you can apply a server SSL profile to come out to, say, this server that's Cloudflare, and it will make that request on behalf of the client. And then you get your encrypted response back, and then you can repackage that into a UDP response to the client, and then the client can make its normal HTTP request out to DevCentral. And so you can do this over DoT or DoH; this one is specific to DoH. But then you can also do the flip side: you can take clients who are making encrypted requests, so we have an encrypted request coming in to a BIG-IP, this request here is a DoH request or DoT, and then you could have the BIG-IP unpackage that, send that payload back to your local DNS servers, and that doesn't necessarily need to be encrypted in your controlled infrastructure, and then you can turn around and send that encrypted response back. So you definitely have options on BIG-IP to handle the protocols themselves, either from a client side or a server side.

And so what I wanted to talk about now is, what are the implications of all this? From a client perspective you do get some additional security, especially hanging out in coffee shops, if you're concerned about your internet service providers and what they may be doing with your resolution data. So if you are hitting all these different sites and you don't want your ISPs peeking into your queries, then you can encrypt those and then your ISPs don't have that data. But some of the security concerns are: it's not really changing the threat of your data being exposed, it's just shifting it, right? So in here, let me do a different color here, typically in this scenario your ISP has that data, and in this scenario down here it's just whoever the DNS providers are, they have that data. And so whether it's Cloudflare or Google or any of the other ones that the browsers are going to support now, they're controlling your resolution data. And an argument that Forrester's David Holmes makes is that, in Google's case with Chrome, they already have that data in your browser, and so providing that service to bypass the ISP looking at that data doesn't really benefit Google at all, and so likely this is just a play for them to provide more security for users. And there are arguments on the other side where maybe that's not the case. But it's an interesting conversation in the industry on who controls your data, who can control your data, where are we gonna shift that bar.

But there are also a lot of security people who are concerned about encrypting DNS, which is odd, because security has been screaming for years, "encrypt everything," but now that DNS is getting encrypted, let's back the truck up a little bit. And some of the concerns are just the tooling that exists today and what do you do about visibility into where these queries are going. And again, in an enterprise situation that's not really a problem, because you can inspect: if you force your clients internally to still request UDP 53, then you can inspect internally before that request goes out from your infrastructure. And even the ISPs themselves, they have a play here, right? Because the initial request here is not to your website, it's to look up these, right? And so if you have the addresses for that and as an ISP you don't want to play nice, you could just respond to the requests to look up Cloudflare and Google with an NXDOMAIN and then say, hey, we don't know, that domain doesn't exist for that particular query. And so then the browser's like, well, what do I do now? Well, they're defaulted at this point to go back to regular DNS, and so they can bypass that altogether. So there's going to be this cat-and-mouse game for a while of, okay, well, they're doing that now, how can I better protect that scenario? So it's an interesting situation with the way that DNS is evolving, but it's neat to see DNS actually evolving. It's really been a feature here and there along the way, but it's pretty much been the same for a long, long time.

So in a nutshell, that's DNS over HTTP. If you have any questions, drop them in the comments. If you like this video, please click Subscribe, and we'll see you out there in the community.
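As an added illustration of the gateway conversion the video describes (example code, not F5's or BIG-IP's own; the resolver URL, transaction ids and the sample answer are constructed), this Python does the UDP/53-to-DoH framing per RFC 8484 and restores the client's transaction id when the DoH body is repackaged as the UDP reply:

```python
import base64
import struct

# Constructed sample data only; "dns.example" is a placeholder resolver, not a real endpoint.
def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Build a DNS wire-format query (RFC 1035): 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def udp_to_doh_get(resolver_url: str, udp_query: bytes):
    """Client-to-resolver side of the gateway: wrap a UDP/53 query as an RFC 8484 GET URL.
    The DNS id is zeroed in the DoH message (RFC 8484 section 4.1) so identical queries
    can share an HTTP cache entry; the client's id is returned so it can be restored later."""
    client_txid = struct.unpack("!H", udp_query[:2])[0]
    doh_msg = b"\x00\x00" + udp_query[2:]
    b64 = base64.urlsafe_b64encode(doh_msg).rstrip(b"=").decode()  # base64url, no padding
    return f"{resolver_url}?dns={b64}", client_txid

def doh_to_udp(doh_body: bytes, client_txid: int) -> bytes:
    """Resolver-to-client side: put the client's id back so its stub resolver accepts the reply."""
    return struct.pack("!H", client_txid) + doh_body[2:]

def first_a_record(msg: bytes) -> str:
    """Read the first A answer from a response whose answer name is a compression pointer."""
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    assert flags & 0x8000 and an >= 1, "not a response with answers"
    pos = 12
    for _ in range(qd):                       # skip the question section
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 5                               # root label + QTYPE + QCLASS
    # answer RR: 2-byte name pointer, then TYPE, CLASS, TTL, RDLENGTH, RDATA
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos + 2:pos + 12])
    assert rtype == 1 and rdlen == 4, "first answer is not an A record"
    return ".".join(str(b) for b in msg[pos + 12:pos + 16])

# Constructed DoH response body: id 0, QR=1 RD=1 RA=1, same question, one A answer (192.0.2.10)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("devcentral.f5.com", 0)[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    url, txid = udp_to_doh_get("https://dns.example/dns-query", build_query("devcentral.f5.com", 0x1234))
    print(url)
    reply = doh_to_udp(SAMPLE_RESPONSE, txid)
    print(first_a_record(reply), hex(struct.unpack("!H", reply[:2])[0]))
```

The POST form of RFC 8484 carries the same wire-format message as the request body with content type application/dns-message, which is what a proxy would use when it does not want the query in a URL.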
Info
Channel: F5 DevCentral
Views: 14,477
Keywords: f5, devcentral, DoH, DNS over HTTPS, f5 big-ip, big-ip
Id: G6rMxxIZMsE
Length: 11min 53sec (713 seconds)
Published: Mon Oct 21 2019