Internet DRAFT - draft-shane-review-dns-over-http

draft-shane-review-dns-over-http







Internet Engineering Task Force                                  S. Kerr
Internet-Draft                                                   L. Song
Intended status: Informational                                    R. Wan
Expires: May 18, 2017                         Beijing Internet Institute
                                                       November 14, 2016


                    A review of DNS over port 80/443
                  draft-shane-review-dns-over-http-04

Abstract

   The default DNS transport uses UDP on port 53.  There are many
   motivations why users or operators may prefer to avoid sending DNS
   traffic in this way.  A common solution is to use port 80 or 443;
   with plain TCP, TLS-encrypted TCP, or full HTTP(S).  This memo
   reviews the possible approaches and delivers some useful information
   for developers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 18, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of



Kerr, et al.              Expires May 18, 2017                  [Page 1]

Internet-Draft      A review of DNS over port 80/443       November 2016


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Different Implementations Approaches  . . . . . . . . . . . .   3
     2.1.  DNS over TCP on port 80/443 . . . . . . . . . . . . . . .   3
     2.2.  DNS over TLS on port 443  . . . . . . . . . . . . . . . .   3
     2.3.  DNS Wire-format over HTTP(S)  . . . . . . . . . . . . . .   4
     2.4.  REST HTTP API . . . . . . . . . . . . . . . . . . . . . .   5
   3.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   6
   4.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   Name servers use port 53, on both UDP and TCP [RFC1035] [RFC5966].
   However, users or operators occasionally find it useful to use an
   alternative way to deliver DNS information, and often pick port 80
   (the default HTTP port) or 443 (the default HTTPS port) for this
   purpose.

   There are several use cases:

   o  Case 1: Firewalls or other middleboxes may interfere with normal
      DNS traffic [RFC3234] [RFC5625] [DOTSE] [SAC035].  In addition,
      some ISPs and hotels block external DNS and perform DNS rewriting
      to send users to advertising or other pages that they did intend,
      or networks may use IP addresses which cause misleading geographic
      location for the user [RFC7871].  Users may want DNSSEC support
      which is not deployed locally in such a case, and so on.

   o  Case 2: Users may use DNS over TLS or HTTPS to protect privacy.
      This also allows the DNS client to authenticate the DNS server.

   o  Case 3: Developers may want a higher level DNS API.  Web
      developers may prefer different abstractions or familiar tools
      like JSON or XML, transmitted using HTTP or HTTPS.

   This memo does not aim to develop standards or tools.  The purpose is
   to review various implementation options as a reference for
   developers.  However, it may be helpful for anyone hoping to develop
   specifications or implementations for DNS over 80/443.

   Note that most of the implementations described in this memo are on
   port 80/443 and combined with TCP/TLS/HTTP(S).  The main focus here




Kerr, et al.              Expires May 18, 2017                  [Page 2]

Internet-Draft      A review of DNS over port 80/443       November 2016


   is between stub resolvers and recursive servers, and the discussion
   is about the stub resolver to recursive server communication.

2.  Different Implementations Approaches

2.1.  DNS over TCP on port 80/443

   The simplest approach is just moving the DNS traffic to port 80 or
   443 from 53.  This approach serves the requirement use case 1.

   In this way, the whole protocol is the same as current DNS transport
   in TCP, except the transport port is moved to port 80 or 443.  The
   difference between port 80 and 443 is that the traffic of port 80 is
   often intercepted as HTTP traffic for purposes of deeper inspection,
   while the traffic of port 443 is usually considered to be encrypted,
   and typically ignored by middle-boxes.  One example where DNS is
   transported through port 80/443 is one of the fallback cases of
   NLnetLabs' DNSSEC trigger [dnssec-trigger].

   Transporting DNS through port 80/443 is easy to implement.
   Developers can simply run an existing DNS server and configure the
   DNS software to listen on ports 80/443.  The client can also apply
   this change without any significant changes.

   One drawback of this approach is that it might mislead the client
   because of the port used.  For example, clients might think DNS over
   443 as a secure protocol because normally the session would be
   encrypted.  In this case, however, it is not.

2.2.  DNS over TLS on port 443

   Another approach is DNS over TLS on port 443, which is also
   implemented in DNSSEC trigger [dnssec-trigger].  DNS over TLS is
   documented in [RFC7858], which uses the well-known port 853.  Using
   port 443 to carry the traffic instead still serves the purpose in use
   case 1, as some middle boxes may block traffic on the port 853.
   [I-D.ietf-dprive-dns-over-tls] also discusses authentication and
   privacy profiles.

   TLS provide many benefits for DNS.  First, it significantly reduces
   the DNS conversation's vulnerability to being hijacked.  Second, like
   plain TCP or DNS Cookies, it prevents resolvers from being used in
   amplification or reflection attacks.  Additionally, it provides
   privacy by encrypting the conversation between client and server.

   One concern of DNS over TLS is its cost.  Compared to UDP, DNS-over-
   TCP requires an additional round-trip-time (RTT) of latency to
   establish a TCP connection (although TCP fast open [RFC7413] may



Kerr, et al.              Expires May 18, 2017                  [Page 3]

Internet-Draft      A review of DNS over port 80/443       November 2016


   eliminate that in some cases).  Use of TLS encryption algorithms adds
   an additional RTT, and results in slightly higher CPU usage.  Keeping
   a session open may amortize the latency of extra RTT, but at the cost
   of state on both client and resolver side.  Another concern is that
   the DNS packet over TLS on a new port might be dropped by some middle
   boxes.  Another concern of TLS is the deployment difficulty when
   authenticating the server.  If servers are authenticated, certificate
   management is required.

2.3.  DNS Wire-format over HTTP(S)

   Different from raw DNS over TCP using port 80/443, another option is
   encapsulating DNS wire-format data into an HTTP body and sending it
   as HTTP(S) traffic.  It is quiet useful in use cases 1 & 2 described
   in the introduction.  This approach has the benefit that HTTP usually
   makes it through even the worst coffee shop or hotel room firewalls,
   as working web browsing is expected by Internet users.

   Using HTTP also benefits from HTTP's persistent TCP connection pool
   concept (see section 6.3 in [RFC7230]), which DNS on TCP port 53 does
   not have.  Note that if HTTP/2 (see [RFC7540]) is used then there may
   be concurrent streams, and answers on different streams may arrive
   out-of-order.

   Finally, as with DNS over TLS, HTTPS provides data integrity and
   privacy.  Use of such encryption is recommended.

   The basic methodology works as follows:

   1.  The client creates a DNS query message.

   2.  The client encapsulates the DNS message in a HTTP(S) message body
       and assigns parameters with the HTTP header.

   3.  The client connects to the server and issues an HTTP(S) POST
       request method.

   4.  The server decapsulates the HTTP package to DNS query, and
       resolves the DNS query.

   5.  The server encapsulates the DNS response in HTTP(S) and sends it
       back via the HTTP(S) session.

   Note that if the original DNS query is sent by TCP, first two bits of
   the package is the message length and should be removed.  (This is
   only true if some software is translating from the DNS protocol to
   DNS over HTTP, for example via a proxy.  Native implementations will
   of course not need this.)  There is an implementation of this



Kerr, et al.              Expires May 18, 2017                  [Page 4]

Internet-Draft      A review of DNS over port 80/443       November 2016


   methodology in the Go Programming Language (https://github.com/BII-
   Lab/DNSoverHTTPinGO) as well as C (https://github.com/BII-Lab/
   DNSoverHTTP), maintained by BII lab.

   In addition to the benefits mentioned before, the HTTP header makes
   DNS wire-format over HTTP(S) easy to extend.  Compared to creating a
   new option in EDNS0, using new parameters in HTTP header is far
   easier to deploy, since DNS messages with EDNS0 may not pass some
   middle boxes.

   The DNS wire-format approach has the advantage that any future
   changes to the DNS protocol will be transparently supported by both
   client and server, even while continuing to use HTTP.

   One disadvantage of packaging DNS into HTTP is its cost.  Packing and
   unpacking uses CPU and may result in higher response time.  The DNS
   over HTTP messages also have a risk of being dropped by firewalls
   which intercepts HTTP packets.  And it should be noted that if HTTPS
   is used, then all the discussion of the costs, benefits, and security
   recommendations about TLS in previous section is also applicable
   here.

2.4.  REST HTTP API

   As mentioned in use case 3, one motivation of a REST HTTP API is for
   web developers who need to get DNS information but prefer not to
   create raw requests.  They can work by creating HTTP requests other
   than real DNS queries.

   In this style of implementation DNS data is exchanged in other
   formats than wire format, like JSON [I-D.hoffman-dns-in-json], or XML
   [I-D.mohan-dns-query-xml].  There are also lots of REST DNS API
   developed by DNS or cloud service providers.

   Most of these APIs are developed in the scope of their own system
   with different specification.  But a typical query is a client will
   requesting a special formatted URI.  This may be via an HTTP POST
   command, or it may encode the contents of the DNS query in the URI
   directly.  Usually there is a HTTP(S) server listening to port
   80/443, which will parse the request and create a DNS query or DNS
   operation command towards the real DNS.  Unlike wire-format DNS over
   HTTP(S), once the HTTP(S) server receives the response, it create the
   response by putting DNS data into various structured formats like
   JSON, XML, YAML, or even plain text.

   However, such an approach may have issues, because it is not based on
   traditional DNS protocol.  So there is no guarantee of the protocol's
   completeness and correctness.  Support for DNSSEC might also be a



Kerr, et al.              Expires May 18, 2017                  [Page 5]

Internet-Draft      A review of DNS over port 80/443       November 2016


   problem because the response usually do not contain RR records with
   the answer, making it impossible for a client to validate the reply.

   As with DNS using DNS wire-format over HTTP, use of encryption is
   encouraged.

3.  Acknowledgments

   Thanks to Jinmei Tatuya for review.  Thanks to Robert Edmonds for
   pushing for encryption.  Thanks to Mark Delany for raising the issue
   of out-of-order responses.  Thanks to Ted Hardie for mentioning the
   idea of encoding the DNS query directly in the URI.

4.  References

   [dnssec-trigger]
              "Dnssec-Trigger", <https://www.nlnetlabs.nl/projects/
              dnssec-trigger/>.

   [DOTSE]    Aehlund, J. and P. Wallstroem, "DNSSEC Tests of Consumer
              Broadband Routers", February 2008,
              <http://www.iis.se/docs/Routertester_en.pdf>.

   [I-D.hoffman-dns-in-json]
              Hoffman, P., "Representing DNS Messages in JSON", draft-
              hoffman-dns-in-json-10 (work in progress), October 2016.

   [I-D.ietf-dprive-dns-over-tls]
              Zi, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over TLS", draft-
              ietf-dprive-dns-over-tls-07 (work in progress), March
              2016.

   [I-D.mohan-dns-query-xml]
              Parthasarathy, M. and P. Vixie, "Representing DNS messages
              using XML", draft-mohan-dns-query-xml-00 (work in
              progress), September 2011.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <http://www.rfc-editor.org/info/rfc1035>.

   [RFC3234]  Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and
              Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002,
              <http://www.rfc-editor.org/info/rfc3234>.






Kerr, et al.              Expires May 18, 2017                  [Page 6]

Internet-Draft      A review of DNS over port 80/443       November 2016


   [RFC5625]  Bellis, R., "DNS Proxy Implementation Guidelines",
              BCP 152, RFC 5625, DOI 10.17487/RFC5625, August 2009,
              <http://www.rfc-editor.org/info/rfc5625>.

   [RFC5966]  Bellis, R., "DNS Transport over TCP - Implementation
              Requirements", RFC 5966, DOI 10.17487/RFC5966, August
              2010, <http://www.rfc-editor.org/info/rfc5966>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <http://www.rfc-editor.org/info/rfc7230>.

   [RFC7413]  Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
              Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014,
              <http://www.rfc-editor.org/info/rfc7413>.

   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
              DOI 10.17487/RFC7540, May 2015,
              <http://www.rfc-editor.org/info/rfc7540>.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016, <http://www.rfc-editor.org/info/rfc7858>.

   [RFC7871]  Contavalli, C., van der Gaast, W., Lawrence, D., and W.
              Kumari, "Client Subnet in DNS Queries", RFC 7871,
              DOI 10.17487/RFC7871, May 2016,
              <http://www.rfc-editor.org/info/rfc7871>.

   [SAC035]   ICANN Security and Stability Advisory Committee, "DNSSEC
              Impact on Broadband Routers and Firewalls", 2008.

Authors' Addresses

   Shane Kerr
   Beijing Internet Institute
   2/F, Building 5, No.58 Jinghai Road, BDA
   Beijing  100176
   CN

   Email: shane@biigroup.cn
   URI:   http://www.biigroup.com/






Kerr, et al.              Expires May 18, 2017                  [Page 7]

Internet-Draft      A review of DNS over port 80/443       November 2016


   Linjian Song
   Beijing Internet Institute
   2508 Room, 25th Floor, Tower A, Time Fortune
   Beijing  100028
   P. R. China

   Email: songlinjian@gmail.com
   URI:   http://www.biigroup.com/


   Runxia Wan
   Beijing Internet Institute
   2508 Room, 25th Floor, Tower A, Time Fortune
   Beijing  100028
   P. R. China

   Email: rxwan@biigroup.cn
   URI:   http://www.biigroup.com/

































Kerr, et al.              Expires May 18, 2017                  [Page 8]