| < draft-ietf-dnsop-dns-wireformat-http-00.txt | draft-ietf-dnsop-dns-wireformat-http-01.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force L. Song | Internet Engineering Task Force L. Song | |||
| Internet-Draft Beijing Internet Institute | Internet-Draft Beijing Internet Institute | |||
| Intended status: Experimental P. Vixie | Intended status: Experimental P. Vixie | |||
| Expires: March 19, 2017 TISF | Expires: September 28, 2017 TISF | |||
| S. Kerr | S. Kerr | |||
| R. Wan | R. Wan | |||
| Beijing Internet Institute | Beijing Internet Institute | |||
| September 15, 2016 | March 27, 2017 | |||
| DNS wire-format over HTTP | DNS wire-format over HTTP | |||
| draft-ietf-dnsop-dns-wireformat-http-00 | draft-ietf-dnsop-dns-wireformat-http-01 | |||
| Abstract | Abstract | |||
| This memo introduces a way to tunnel DNS data over HTTP. This may be | This memo introduces a way to tunnel DNS data over HTTP. This may be | |||
| useful in any situation where DNS is not working properly, such as | useful in any situation where DNS is not working properly, such as | |||
| when there is middlebox misbehavior. | when there is middlebox misbehavior. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 19, 2017. | This Internet-Draft will expire on September 28, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Methodology and Configuration . . . . . . . . . . . . . . . . 3 | 2. Methodology and Configuration . . . . . . . . . . . . . . . . 3 | |||
| 3. DNS-over-HTTP Message Format . . . . . . . . . . . . . . . . 4 | 3. DNS-over-HTTP Message Format . . . . . . . . . . . . . . . . 4 | |||
| 3.1. Request Method . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. Request Method . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. Response Status Code . . . . . . . . . . . . . . . . . . 5 | 3.2. Response Status Code . . . . . . . . . . . . . . . . . . 5 | |||
| 3.3. Header Fields . . . . . . . . . . . . . . . . . . . . . . 6 | 3.3. Header Fields . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.4. Message Body . . . . . . . . . . . . . . . . . . . . . . 6 | 3.4. Message Body . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 7 | 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | ||||
| 1. Introduction | 1. Introduction | |||
| RFC 1035 [RFC1035] specifies the wire format for DNS messages. It | RFC 1035 [RFC1035] specifies the wire format for DNS messages. It | |||
| also specifies DNS transport on UDP and TCP on port 53, which is | also specifies DNS transport on UDP and TCP on port 53, which is | |||
| still used today. However, there are other ways to access DNS | still used today. However, there are other ways to access DNS | |||
| database, for example in a different data format or via alternative | database, for example in a different data format or via alternative | |||
| DNS transport. These approaches are summarized in [draft-shane- | DNS transport. These approaches are summarized in [draft-shane- | |||
| review-DNS-over-http]. | review-DNS-over-http]. | |||
| skipping to change at page 6, line 41 ¶ | skipping to change at page 6, line 45 ¶ | |||
| For a stub resolver that connects directly via HTTP to the HTTP | For a stub resolver that connects directly via HTTP to the HTTP | |||
| server proxy then this flag should be set to TCP, as the entire | server proxy then this flag should be set to TCP, as the entire | |||
| response can always be delivered so truncation is never required. | response can always be delivered so truncation is never required. | |||
| The client MUST include this option. If it is missing then it is an | The client MUST include this option. If it is missing then it is an | |||
| error and the server should respond with HTTP code 400 (bad request). | error and the server should respond with HTTP code 400 (bad request). | |||
| 3.4. Message Body | 3.4. Message Body | |||
| As mentioned, the message body is DNS wire-format data. It is worth | As mentioned, the message body is DNS wire-format data. DNS messages | |||
| mentioning that DNS messages sent over TCP connections is prefixed | sent over TCP connections is prefixed with a two-byte length field | |||
| with a two-byte length field which gives the message length [section | which gives the message length [section 4.2.2 in RFC 1035 [RFC1035]], | |||
| 4.2.2 in RFC 1035 [RFC1035]], excluding the two-byte length field. | excluding the two-byte length field. This length field allows the | |||
| This length field allows the low-level processing to assemble a | low-level processing to assemble a complete message before beginning | |||
| complete message before beginning to parse it. In the context of | to parse it. But when HTTP is used, the HTTP protocol itself keeps | |||
| HTTP, there is content-length header field [section 3.3.2 in | track of the length of the message, so there is no need to transmit | |||
| [RFC7230]]in which the field-value is the same with two bytes length | this separately. | |||
| field in DNS over TCP. | ||||
| Since this two-byte length field is redundant, when the client proxy | Since the two-byte length field is redundant, when the client proxy | |||
| receives a DNS message over TCP, it MUST NOT include the length field | receives a DNS message over TCP or when the server sends an answer | |||
| in the message sent to the server. The length in the content-length | for a TCP query, it MUST NOT include the length field in the message | |||
| header is only the size of the DNS message itself, and MUST NOT | sent. The length of the message sent by HTTP is only the size of the | |||
| include this two-byte length header. | DNS message itself, and MUST NOT include this two-byte length header. | |||
| 4. Security Considerations | 4. Security Considerations | |||
| This protocol does not introduce any new security considerations | This protocol does not introduce any new security considerations | |||
| since it is built on the DNS and HTTP protocols. | since it is built on the DNS and HTTP protocols. | |||
| Since this protocol transmits DNS messages, all of the security | Since this protocol transmits DNS messages, all of the security | |||
| concerns that stub resolvers and recursive resolvers have with DNS | concerns that stub resolvers and recursive resolvers have with DNS | |||
| messages apply. However, since HTTP uses TCP as the underlying | messages apply. However, since HTTP uses TCP as the underlying | |||
| protocol, DNS reflection or amplification attacks are not possible. | protocol, DNS reflection or amplification attacks are not possible. | |||
| skipping to change at page 7, line 40 ¶ | skipping to change at page 7, line 43 ¶ | |||
| example, clients of an open resolver do not require authentication. | example, clients of an open resolver do not require authentication. | |||
| Note that the ability to perform DNS queries in this way may allow | Note that the ability to perform DNS queries in this way may allow | |||
| users to bypass local DNS policy. This is problematic in any | users to bypass local DNS policy. This is problematic in any | |||
| environment where administrators need to enforce specific DNS | environment where administrators need to enforce specific DNS | |||
| behavior, such as an enterprise environment. The protocol outlined | behavior, such as an enterprise environment. The protocol outlined | |||
| here does not introduce any new capabilities in this area, but by | here does not introduce any new capabilities in this area, but by | |||
| creating a more standardized way of doing this it may cause | creating a more standardized way of doing this it may cause | |||
| operational problems for enterprise administrators. | operational problems for enterprise administrators. | |||
| 5. IANA considerations | 5. Privacy Considerations | |||
| DNS over HTTP involves sending DNS requests, so is subject to most of | ||||
| the problems documented in RFC 7626 [RFC7626]. In particular the | ||||
| resolver handling the request sees the contents of every query and | ||||
| answer, as does any proxy involved on either the client or server | ||||
| side. | ||||
| Use of TLS encryption will prevent attackers from seeing the plain | ||||
| DNS queries on the wire. However, the warnings about privacy in RFC | ||||
| 7858 [RFC7858] apply: "Even with encrypted messages, a well- | ||||
| positioned party may be able to glean certain details from an | ||||
| analysis of message timings and sizes." | ||||
| If a server requires a client-side certificate or other | ||||
| authentication, then this may allow an attacker to identify which | ||||
| user is active and when, if they gain access to the server logs. | ||||
| The use of DNS over HTTP may act as a strong signal to any | ||||
| surviellers that the user is attempting to bypass local DNS policy | ||||
| either to get different answers or hide their traffic. Various | ||||
| techniques could be used to discover this, such as observing web | ||||
| traffic without any corresponding DNS traffic. | ||||
| 6. IANA considerations | ||||
| Registration for a new Media Type: dns-wireformat | Registration for a new Media Type: dns-wireformat | |||
| Registration for a new HTTP header field: Proxy-DNS-Transport | Registration for a new HTTP header field: Proxy-DNS-Transport | |||
| Registration for a new Well-Known URI: "dns-wireformat" | Registration for a new Well-Known URI: "dns-wireformat" | |||
| 6. Acknowledgments | 7. Acknowledgments | |||
| Thanks to Bob Harold, Paul Hoffman, and Julian Reschke for review. | Thanks to Bob Harold, Paul Hoffman, Julian Reschke, and Erik Kline | |||
| for review. | ||||
| 7. References | 8. References | |||
| [DOTSE] and , "DNSSEC Tests of Consumer Broadband Routers", | [DOTSE] and , "DNSSEC Tests of Consumer Broadband Routers", | |||
| February 2008, | February 2008, | |||
| <http://www.iis.se/docs/Routertester_en.pdf>. | <http://www.iis.se/docs/Routertester_en.pdf>. | |||
| [I-D.bortzmeyer-dns-json] | [I-D.bortzmeyer-dns-json] | |||
| Bortzmeyer, S., "JSON format to represent DNS data", | Bortzmeyer, S., "JSON format to represent DNS data", | |||
| draft-bortzmeyer-dns-json-01 (work in progress), February | draft-bortzmeyer-dns-json-01 (work in progress), February | |||
| 2013. | 2013. | |||
| skipping to change at page 9, line 15 ¶ | skipping to change at page 9, line 38 ¶ | |||
| [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
| Protocol (HTTP/1.1): Semantics and Content", RFC 7231, | Protocol (HTTP/1.1): Semantics and Content", RFC 7231, | |||
| DOI 10.17487/RFC7231, June 2014, | DOI 10.17487/RFC7231, June 2014, | |||
| <http://www.rfc-editor.org/info/rfc7231>. | <http://www.rfc-editor.org/info/rfc7231>. | |||
| [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext | [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext | |||
| Transfer Protocol Version 2 (HTTP/2)", RFC 7540, | Transfer Protocol Version 2 (HTTP/2)", RFC 7540, | |||
| DOI 10.17487/RFC7540, May 2015, | DOI 10.17487/RFC7540, May 2015, | |||
| <http://www.rfc-editor.org/info/rfc7540>. | <http://www.rfc-editor.org/info/rfc7540>. | |||
| [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, | ||||
| DOI 10.17487/RFC7626, August 2015, | ||||
| <http://www.rfc-editor.org/info/rfc7626>. | ||||
| [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., | ||||
| and P. Hoffman, "Specification for DNS over Transport | ||||
| Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May | ||||
| 2016, <http://www.rfc-editor.org/info/rfc7858>. | ||||
| [SAC035] ICANN Security and Stability Advisory Committee, "DNSSEC | [SAC035] ICANN Security and Stability Advisory Committee, "DNSSEC | |||
| Impact on Broadband Routers and Firewalls", 2008. | Impact on Broadband Routers and Firewalls", 2008. | |||
| Authors' Addresses | Authors' Addresses | |||
| Linjian Song | Linjian Song | |||
| Beijing Internet Institute | Beijing Internet Institute | |||
| 2508 Room, 25th Floor, Tower A, Time Fortune | 2508 Room, 25th Floor, Tower A, Time Fortune | |||
| Beijing 100028 | Beijing 100028 | |||
| P. R. China | P. R. China | |||
| End of changes. 14 change blocks. | ||||
| 28 lines changed or deleted | 62 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||