On 05.11.19 at 14:38, Tomasz Torcz wrote:
> On Tue, Nov 05, 2019 at 02:09:31PM +0100, Marius Schwarz wrote:
>> DoH is IMHO a waste of resources and, as browsers implement it, useless at best, but mostly a centralization of control of users under a false protection umbrella.
>>
>> Any modern browser will do this sequence:
>>
>> User enters URL
>> Browser checks for domain names
>> Browser sends DNS request ( over which path doesn't matter )
>> Opens connection to the target host
>> If ( HTTPS ) {
>> sends the domain name it has found in the URL as SNI in plain! in its TLS request
>
> This is not true, SNI is encrypted: https://eff.org/pl/deeplinks/2018/09/esni-privacy-protecting-upgrade-https

It says "experimental" in sentence one in 2018 ... and this is end of 2019 connecting to EFF.org with Firefox:
Request:
15:11:04.342072 IP MYIP.46286 > vm1.eff.org.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 2291965978 ecr 490558638], length 517
0x0000: 4500 0239 8492 4000 4006 f5ae c0a8 0022 E..9..@.@......"
0x0010: adef 4fc4 b4ce 01bb 52d3 1d70 a0d0 f7f6 ..O.....R..p....
0x0020: 8018 01f6 857b 0000 0101 080a 889c a01a .....{..........
0x0030: 1d3d 54ae 1603 0102 0001 0001 fc03 032e .=T.............
0x0040: 4e54 98b3 7e3d 6fc4 0a9a f788 da24 62f4 NT..~=o......$b.
0x0050: 8649 5ed0 eee5 941e fcf2 ab32 2510 f020 .I^........2%...
0x0060: 88d6 2ac2 75f3 309f 636d 07fe 8660 84e6 ..*.u.0.cm...`..
0x0070: da60 a907 d7c5 aa3e 5c58 4af5 274c 5c4c .`.....>\XJ.'L\L
0x0080: 0022 1301 1303 1302 c02b c02f cca9 cca8 .".......+./....
0x0090: c02c c030 c00a c009 c013 c014 0033 0039 .,.0.........3.9
0x00a0: 002f 0035 0100 0191 0000 0017 0015 0000 ./.5............
0x00b0: 1261 6e6f 6e2d 7374 6174 732e 6566 662e .anon-stats.eff.
0x00c0: 6f72 6700 1700 00ff 0100 0100 000a 000e org.............
0x00d0: 000c 001d 0017 0018 0019 0100 0101 000b ................
0x00e0: 0002 0100 0023 0000 0010 000e 000c 0268 .....#.........h
0x00f0: 3208 6874 7470 2f31 2e31 0005 0005 0100 2.http/1.1......
Answer:
15:11:04.517421 IP vm1.eff.org.https > MYIP.46286: Flags [.], seq 1:1441, ack 518, win 11, options [nop,nop,TS val 490558683 ecr 2291965978], length 1440
0x0000: 4500 05d4 a322 4000 2e06 e583 adef 4fc4 E...."@.......O.
0x0010: c0a8 0022 01bb b4ce a0d0 f7f6 52d3 1f75 ..."........R..u
0x0020: 8010 000b 09d2 0000 0101 080a 1d3d 54db .............=T.
0x0030: 889c a01a 1603 0300 5402 0000 5003 03ae ........T...P...
0x0040: 9213 9378 8065 5d69 d974 edc4 3a2f 85d4 ...x.e]i.t..:/..
0x0050: e7e3 46cd aa03 c317 4dde 5bb2 947c e100 ..F.....M.[..|..
0x0060: c030 0000 28ff 0100 0100 0000 0000 000b .0..(...........
0x0070: 0004 0300 0102 0023 0000 0017 0000 0010 .......#........
0x0080: 000b 0009 0868 7474 702f 312e 3116 0303 .....http/1.1...
0x0090: 0b04 0b00 0b00 000a fd00 0661 3082 065d ...........a0..]
0x00a0: 3082 0545 a003 0201 0202 1203 1919 210a 0..E..........!.
0x00b0: ca50 2c2e 4bc1 798f bffc 2094 7330 0d06 .P,.K.y.....s0..
0x00c0: 092a 8648 86f7 0d01 010b 0500 304a 310b .*.H........0J1.
0x00d0: 3009 0603 5504 0613 0255 5331 1630 1406 0...U....US1.0..
0x00e0: 0355 040a 130d 4c65 7427 7320 456e 6372 .U....Let's.Encr
0x00f0: 7970 7431 2330 2106 0355 0403 131a 4c65 ypt1#0!..U....Le
0x0100: 7427 7320 456e 6372 7970 7420 4175 7468 t's.Encrypt.Auth
0x0110: 6f72 6974 7920 5833 301e 170d 3139 3131 ority.X30...1911
0x0120: 3031 3138 3330 3436 5a17 0d32 3030 3133 01183046Z..20013
0x0130: 3031 3833 3034 365a 301d 311b 3019 0603 0183046Z0.1.0...
0x0140: 5504 0313 1261 6e6f 6e2d 7374 6174 732e U....anon-stats.
0x0150: 6566 662e 6f72 6730 8202 2230 0d06 092a eff.org0.."0...*
0x0160: 8648 86f7 0d01 0101 0500 0382 020f 0030 .H.............0
0x0170: 8202 0a02 8202 0100 be74 c8c0 c04e d886 .........t...N..
0x0180: 6fb4 90f7 d65b c1be 0d7d eece be45 6161 o....[...}...Eaa
0x0190: c71f 544d 8fd7 ab3c 63bd 4ce5 b3dc f5c8 ..TM...<c.L.....
TLS stands for "Transport Layer Security" and it does exactly that, not more.
If you see the initial response, you get a cert. The cert contains the domain names it's signed against: gotcha.
As the IETF page with the RFC for ESNI is not loading ( server down? ), I refer to Cloudflare's project page... they store a public key in .. tada .. DNS.
Which brings us back to the point, that we don't have too many DNSSEC aware apps out there... we are going in cycles.. :(
The solution for the ESNI problem would have been a two-level HTTPS exchange:
1. Layer: a SERVER cert signed for the IP ( because that's not a secret )
2. Layer: after a session key has been negotiated, a normal old-school request would have been sent.
Result: some bits more overhead, but finally, a !safe! TLS exchange.
... sigh..
best regards,
Marius
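
Added example, not part of the original message: a minimal ClientHello parser run over the TLS payload bytes of the request dump above (offset 0x34 onward, after the IP and TCP headers), showing that the server name can be read from the wire without any key material. The function names are illustrative, and the parser tolerates the capture being cut off before the end of the record.

```python
import struct

# TLS payload from the request dump above; the capture ends after 204 bytes.
CAPTURED = bytes.fromhex(
    "1603010200010001fc03032e"
    "4e5498b37e3d6fc40a9af788da2462f4"
    "86495ed0eee5941efcf2ab322510f020"
    "88d62ac275f3309f636d07fe866084e6"
    "da60a907d7c5aa3e5c584af5274c5c4c"
    "0022130113031302c02bc02fcca9cca8"
    "c02cc030c00ac009c013c01400330039"
    "002f0035010001910000001700150000"
    "12616e6f6e2d73746174732e6566662e"
    "6f726700170000ff01000100000a000e"
    "000c001d00170018001901000101000b"
    "00020100002300000010000e000c0268"
    "3208687474702f312e31000500050100")

class Truncated(Exception):
    """Raised when a field runs past the end of the captured bytes."""

def take(buf, pos, n):
    if pos + n > len(buf):
        raise Truncated
    return buf[pos:pos + n], pos + n

def sni_from_extension(body):
    pos = 2                                   # skip server_name_list length
    while pos + 3 <= len(body):
        ntype, nlen = body[pos], int.from_bytes(body[pos + 1:pos + 3], "big")
        name = body[pos + 3:pos + 3 + nlen]
        if ntype == 0 and len(name) == nlen:  # name_type 0 = host_name
            return name.decode("ascii", "replace")
        pos += 3 + nlen
    return None

def parse_client_hello(payload):
    """Return (SNI hostname or None, extension types seen before truncation)."""
    sni, seen = None, []
    try:
        rec, pos = take(payload, 0, 5)        # record type, version, length
        hs, pos = take(payload, pos, 4)       # handshake type, 24-bit length
        if rec[0] != 0x16 or hs[0] != 0x01:   # not handshake / ClientHello
            return None, []
        _, pos = take(payload, pos, 2 + 32)   # client_version + random
        for width in (1, 2, 1):               # session_id, ciphers, compression
            n, pos = take(payload, pos, width)
            _, pos = take(payload, pos, int.from_bytes(n, "big"))
        n, pos = take(payload, pos, 2)
        end = pos + int.from_bytes(n, "big")
        while pos < end:
            head, pos = take(payload, pos, 4)
            etype, elen = struct.unpack("!HH", head)
            seen.append(etype)
            body, pos = take(payload, pos, elen)
            if etype == 0:                    # server_name extension
                sni = sni_from_extension(body)
    except Truncated:
        pass
    return sni, seen
```
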