Re: Encrypted DNS in Fedora

On 05.11.19 at 14:38, Tomasz Torcz wrote:
> On Tue, Nov 05, 2019 at 02:09:31PM +0100, Marius Schwarz wrote:
>> DoH is IMHO a waste of resources and as browsers implement it, useless
>> at best, but mostly a centralization of control of users under a false
>> protection umbrella.
>>
>> Any modern browser will do this sequence:
>>
>> User enters URL
>> Browser checks for domain names
>> Browser sends DNS request ( over which path doesn't matter )
>> Opens connection to the target host
>>
>> If ( HTTPS ) {
>>     sends the domain name it has found in the URL as SNI in plain! in
>> its TLS request
>
> This is not true, SNI is encrypted:
> https://eff.org/pl/deeplinks/2018/09/esni-privacy-protecting-upgrade-https

It says "experimental" in the first sentence, in 2018 ... and this is the end of 2019, connecting to EFF.org with Firefox:

Request:

15:11:04.342072 IP MYIP.46286 > vm1.eff.org.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 2291965978 ecr 490558638], length 517
    0x0000:  4500 0239 8492 4000 4006 f5ae c0a8 0022  E..9..@.@......"
    0x0010:  adef 4fc4 b4ce 01bb 52d3 1d70 a0d0 f7f6  ..O.....R..p....
    0x0020:  8018 01f6 857b 0000 0101 080a 889c a01a  .....{..........
    0x0030:  1d3d 54ae 1603 0102 0001 0001 fc03 032e  .=T.............
    0x0040:  4e54 98b3 7e3d 6fc4 0a9a f788 da24 62f4  NT..~=o......$b.
    0x0050:  8649 5ed0 eee5 941e fcf2 ab32 2510 f020  .I^........2%...
    0x0060:  88d6 2ac2 75f3 309f 636d 07fe 8660 84e6  ..*.u.0.cm...`..
    0x0070:  da60 a907 d7c5 aa3e 5c58 4af5 274c 5c4c  .`.....>\XJ.'L\L
    0x0080:  0022 1301 1303 1302 c02b c02f cca9 cca8  .".......+./....
    0x0090:  c02c c030 c00a c009 c013 c014 0033 0039  .,.0.........3.9
    0x00a0:  002f 0035 0100 0191 0000 0017 0015 0000  ./.5............
    0x00b0:  1261 6e6f 6e2d 7374 6174 732e 6566 662e  .anon-stats.eff.
    0x00c0:  6f72 6700 1700 00ff 0100 0100 000a 000e  org.............
    0x00d0:  000c 001d 0017 0018 0019 0100 0101 000b  ................
    0x00e0:  0002 0100 0023 0000 0010 000e 000c 0268  .....#.........h
    0x00f0:  3208 6874 7470 2f31 2e31 0005 0005 0100  2.http/1.1......

Answer:

15:11:04.517421 IP vm1.eff.org.https > MYIP.46286: Flags [.], seq 1:1441, ack 518, win 11, options [nop,nop,TS val 490558683 ecr 2291965978], length 1440
    0x0000:  4500 05d4 a322 4000 2e06 e583 adef 4fc4  E...."@.......O.
    0x0010:  c0a8 0022 01bb b4ce a0d0 f7f6 52d3 1f75  ..."........R..u
    0x0020:  8010 000b 09d2 0000 0101 080a 1d3d 54db  .............=T.
    0x0030:  889c a01a 1603 0300 5402 0000 5003 03ae  ........T...P...
    0x0040:  9213 9378 8065 5d69 d974 edc4 3a2f 85d4  ...x.e]i.t..:/..
    0x0050:  e7e3 46cd aa03 c317 4dde 5bb2 947c e100  ..F.....M.[..|..
    0x0060:  c030 0000 28ff 0100 0100 0000 0000 000b  .0..(...........
    0x0070:  0004 0300 0102 0023 0000 0017 0000 0010  .......#........
    0x0080:  000b 0009 0868 7474 702f 312e 3116 0303  .....http/1.1...
    0x0090:  0b04 0b00 0b00 000a fd00 0661 3082 065d  ...........a0..]
    0x00a0:  3082 0545 a003 0201 0202 1203 1919 210a  0..E..........!.
    0x00b0:  ca50 2c2e 4bc1 798f bffc 2094 7330 0d06  .P,.K.y.....s0..
    0x00c0:  092a 8648 86f7 0d01 010b 0500 304a 310b  .*.H........0J1.
    0x00d0:  3009 0603 5504 0613 0255 5331 1630 1406  0...U....US1.0..
    0x00e0:  0355 040a 130d 4c65 7427 7320 456e 6372  .U....Let's.Encr
    0x00f0:  7970 7431 2330 2106 0355 0403 131a 4c65  ypt1#0!..U....Le
    0x0100:  7427 7320 456e 6372 7970 7420 4175 7468  t's.Encrypt.Auth
    0x0110:  6f72 6974 7920 5833 301e 170d 3139 3131  ority.X30...1911
    0x0120:  3031 3138 3330 3436 5a17 0d32 3030 3133  01183046Z..20013
    0x0130:  3031 3833 3034 365a 301d 311b 3019 0603  0183046Z0.1.0...
    0x0140:  5504 0313 1261 6e6f 6e2d 7374 6174 732e  U....anon-stats.
    0x0150:  6566 662e 6f72 6730 8202 2230 0d06 092a  eff.org0.."0...*
    0x0160:  8648 86f7 0d01 0101 0500 0382 020f 0030  .H.............0
    0x0170:  8202 0a02 8202 0100 be74 c8c0 c04e d886  .........t...N..
    0x0180:  6fb4 90f7 d65b c1be 0d7d eece be45 6161  o....[...}...Eaa
    0x0190:  c71f 544d 8fd7 ab3c 63bd 4ce5 b3dc f5c8  ..TM...<c.L.....

TLS stands for "Transport Layer Security" and it does exactly that, not more.

If you look at the initial response, you get a cert. The cert contains the domain names it's signed for: gotcha.

As the IETF page with the RFC for ESNI is not loading ( server down? ) I refer to Cloudflare's project page... they store a public key in .. tada .. DNS.

Which brings us back to the point that we don't have too many DNSSEC-aware apps out there... we are going in cycles.. :(

The solution for the ESNI problem would have been a two-level HTTPS exchange:

1. Layer: a SERVER cert signed for the IP ( because that's not a secret )
2. Layer: after a session has been negotiated, a normal old-school request would have been sent.

Result: a few bits more overhead, but finally a !safe! TLS exchange.

... sigh ..

best regards,
Marius
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
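The two hex dumps in the mail can be checked mechanically. The script below is an added example, not code from the original post or from Fedora: it transcribes the client and server TCP payloads from the tcpdump output above, walks the TLS 1.2 records and prints the fields an on-path observer can read with no key at all: the SNI and ALPN extensions in the ClientHello, and the Subject commonName in the server's Certificate message. Both packets were cut at tcpdump's default snapshot length, so the parsers treat the TLS length fields as untrusted and stop cleanly when the bytes run out. Everything else (function names, the `truncated` flag) is this example's own.

```python
# Added example, not code from the original post: parse the tcpdump hex quoted
# above and show what an on-path observer reads before any key exists: SNI and
# ALPN from the ClientHello, and the Subject CN of the certificate a TLS 1.2
# server sends in clear. Bytes are transcribed from the capture (client: TCP
# payload from dump offset 0x34; server: the Certificate record from 0x8d).
# Both packets were cut at tcpdump's snapshot length, so parsing stops cleanly.
import struct

CLIENT_HELLO = bytes.fromhex("""
1603 0102 0001 0001 fc03 032e
4e54 98b3 7e3d 6fc4 0a9a f788 da24 62f4
8649 5ed0 eee5 941e fcf2 ab32 2510 f020
88d6 2ac2 75f3 309f 636d 07fe 8660 84e6
da60 a907 d7c5 aa3e 5c58 4af5 274c 5c4c
0022 1301 1303 1302 c02b c02f cca9 cca8
c02c c030 c00a c009 c013 c014 0033 0039
002f 0035 0100 0191 0000 0017 0015 0000
1261 6e6f 6e2d 7374 6174 732e 6566 662e
6f72 6700 1700 00ff 0100 0100 000a 000e
000c 001d 0017 0018 0019 0100 0101 000b
0002 0100 0023 0000 0010 000e 000c 0268
3208 6874 7470 2f31 2e31 0005 0005 0100
""")
CERT_RECORD = bytes.fromhex("""
1603 030b 040b 000b 0000 0afd 0006 6130 8206 5d
3082 0545 a003 0201 0202 1203 1919 210a
ca50 2c2e 4bc1 798f bffc 2094 7330 0d06
092a 8648 86f7 0d01 010b 0500 304a 310b
3009 0603 5504 0613 0255 5331 1630 1406
0355 040a 130d 4c65 7427 7320 456e 6372
7970 7431 2330 2106 0355 0403 131a 4c65
7427 7320 456e 6372 7970 7420 4175 7468
6f72 6974 7920 5833 301e 170d 3139 3131
3031 3138 3330 3436 5a17 0d32 3030 3133
3031 3833 3034 365a 301d 311b 3019 0603
5504 0313 1261 6e6f 6e2d 7374 6174 732e
6566 662e 6f72 6730 8202 2230 0d06 092a
""")

def u16(b: bytes, off: int) -> int:
    return struct.unpack("!H", b[off:off + 2])[0]

def record_body(rec: bytes) -> bytes:
    """Strip the 5-byte TLS record header; a short capture just yields fewer bytes."""
    assert rec[0] == 22, "not a handshake record"
    return rec[5:5 + u16(rec, 3)]

def parse_client_hello(hs: bytes) -> dict:
    assert hs[0] == 1, "not a ClientHello"
    off = 4 + 2 + 32                      # handshake header, client_version, random
    off += 1 + hs[off]                    # legacy session id
    n = u16(hs, off); off += 2
    info = {"cipher_suites": [u16(hs, i) for i in range(off, off + n, 2)],
            "sni": [], "alpn": [], "truncated": False}
    off += n + 1 + hs[off + n]            # cipher suites, compression methods
    ext_end = off + 2 + u16(hs, off); off += 2
    while off < ext_end:
        if off + 4 > len(hs) or off + 4 + u16(hs, off + 2) > len(hs):
            info["truncated"] = True      # capture ends inside this extension
            break
        etype, elen = u16(hs, off), u16(hs, off + 2)
        ext = hs[off + 4:off + 4 + elen]; off += 4 + elen
        if etype == 0:                    # server_name: list_len, (type, len, name)*
            p = 2
            while p + 3 <= len(ext):
                ntype, nlen = ext[p], u16(ext, p + 1); p += 3
                if ntype == 0:
                    info["sni"].append(ext[p:p + nlen].decode("ascii"))
                p += nlen
        elif etype == 16:                 # ALPN: list_len, (len, protocol)*
            p = 2
            while p < len(ext):
                plen = ext[p]; p += 1
                info["alpn"].append(ext[p:p + plen].decode("ascii")); p += plen
    return info

def der_tlv(buf: bytes, off: int):
    tag, length, off = buf[off], buf[off + 1], off + 2   # DER tag, short length
    if length & 0x80:                     # long form: low 7 bits = length bytes
        n = length & 0x7f
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length         # (tag, value_start, value_end)

def certificate_subject_cn(hs: bytes) -> str:
    assert hs[0] == 11, "not a Certificate message"
    der = hs[4 + 3 + 3:]                  # skip handshake hdr, list len, cert len
    _, p, _ = der_tlv(der, 0)             # Certificate SEQUENCE
    _, p, _ = der_tlv(der, p)             # tbsCertificate SEQUENCE
    for _ in range(5):                    # version, serial, sigalg, issuer, validity
        p = der_tlv(der, p)[2]
    _, p, subj_end = der_tlv(der, p)      # subject Name: SEQUENCE OF SET
    while p < subj_end:                   # each SET holds SEQUENCE { OID, value }
        _, s, set_end = der_tlv(der, p)
        _, s, _ = der_tlv(der, s)
        _, o, o_end = der_tlv(der, s)
        _, v, v_end = der_tlv(der, o_end)
        if der[o:o_end] == b"\x55\x04\x03":   # id-at-commonName (2.5.4.3)
            return der[v:v_end].decode("ascii")
        p = set_end
    return ""

if __name__ == "__main__":
    ch = parse_client_hello(record_body(CLIENT_HELLO))
    print("ClientHello SNI:", ch["sni"], "ALPN:", ch["alpn"], "truncated:", ch["truncated"])
    print("Certificate Subject CN:", certificate_subject_cn(record_body(CERT_RECORD)))
```

Run as-is it reports the SNI `anon-stats.eff.org`, the ALPN list `h2, http/1.1`, and the same name again as the Subject CN of the Let's Encrypt certificate, all from the dump alone. The `truncated` flag comes back true because tcpdump only captured the first 256 bytes of the 517-byte ClientHello; a parser that trusted the 0x0191 extensions length would read past the buffer. Note that the server picked TLS 1.2 (cipher suite 0xc030 is visible in the ServerHello), which is why the certificate itself is readable here; that part of the handshake is what ESNI does not address and what TLS 1.3 encrypts.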
