idnits 2.17.1 draft-reddy-dnsop-error-page-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 26, 2020) is 1341 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-12) exists of draft-ietf-dnsop-svcb-https-01 ** Obsolete normative reference: RFC 7540 (Obsoleted by RFC 9113) == Outdated reference: A later version (-02) exists of draft-ietf-dnsop-terminology-ter-01 == Outdated reference: A later version (-09) exists of draft-reddy-add-server-policy-selection-03 -- Obsolete informational reference (is this intentional?): RFC 8499 (Obsoleted by RFC 9499) Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSOP WG T. Reddy 3 Internet-Draft McAfee 4 Intended status: Standards Track N. Cook 5 Expires: January 27, 2021 Open-Xchange 6 D. Wing 7 Citrix 8 M. Boucadair 9 Orange 10 July 26, 2020 12 DNS Access Denied Error page 13 draft-reddy-dnsop-error-page-01 15 Abstract 17 When a DNS server filters a query the response conveys no detailed 18 explanation of why the query was blocked, leading to end-user 19 confusion. This document defines a method to return an URL that 20 explains the reason the DNS query was filtered. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on January 27, 2021. 39 Copyright Notice 41 Copyright (c) 2020 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (https://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 58 3. Method to return the error page URL . . . . . . . . . . . . . 5 59 4. ERROR Page . . . . . . . . . . . . . . . . . . . . . . . . . 6 60 5. Usability Considerations . . . . . . . . . . . . . . . . . . 7 61 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 62 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 63 7.1. Error Page URL DNS Parameter . . . . . . . . . . . . . . 8 64 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 65 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 66 9.1. Normative References . . . . . . . . . . . . . . . . . . 8 67 9.2. Informative References . . . . . . . . . . . . . . . . . 9 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 70 1. Introduction 72 DNS filters are deployed for a variety of reasons including endpoint 73 security, parental filtering, and filtering required by law 74 enforcement. These are discussed in more detail below: 76 o Various network security services are provided by Enterprise 77 networks to protect endpoints (e.g., Hosts including IoT devices). 78 Network-based security solutions such as firewalls and Intrusion 79 Prevention Systems (IPS) rely on network traffic inspection to 80 implement perimeter-based security policies. The network security 81 services may, for example, prevent malware download, block known 82 malicious domains, block phishing sites, etc. These network 83 security services act on DNS queries originating from endpoints. 84 For example, DNS firewalls, a method of expressing DNS response 85 policy information inside specially constructed DNS zones, known 86 as Response Policy Zones (RPZs) allows DNS servers to modify DNS 87 responses in real time to stop access to malware and phishing 88 domains. Note that some of the commonly known types of malware 89 are viruses, worms, trojans, bots, ransomware, backdoors, spyware, 90 and adware. 92 o Network devices in a home network offer network security to 93 protect the devices connected to the home network by performing 94 DNS-based content filtering. The network security service may, 95 for example, block access to specific domains to enforce parental 96 control, block access to malware sites, etc. 98 o ISPs typically block access to some domains due to a requirement 99 imposed by an external entity (e.g., Law Enforcement Agency) by 100 performing DNS-based content filtering. 102 DNS responses can be filtered by sending a bogus ("forged") A or AAAA 103 response, NXDOMAIN error or empty answer, or an extended error code 104 defined in [I-D.ietf-dnsop-extended-error]. Each of these have 105 advantages and disadvantages, discussed below: 107 1. The DNS response is forged providing IP addresses that points to 108 a HTTP(S) server alerting the end user of the reason for blocking 109 access to the domain (e.g., malware). When a HTTP(S) enabled 110 domain name is blocked, the network security device presents a 111 block page instead of the HTTP response from the content 112 provider. If an HTTP enabled domain name is blocked, the network 113 security device intercepts the HTTP request and returns a block 114 page over HTTP. If an HTTPS enabled domain is blocked, the block 115 page is also served over HTTPS. In order to return a block page 116 over HTTPS, man in the middle (MITM) is enabled on endpoints by 117 generating a local root certificate and an accompanying (local) 118 public/private key pair. The local root certificate is installed 119 on the endpoint, and the network security device(s) store a copy 120 of the private key. During the TLS handshake, the network 121 security device modifies the certificate provided by the server 122 and (re)signs it with the private key from the local root 123 certificate. 125 * However, configuring the local root certificate on endpoints 126 is not viable option in several deployments like Home 127 networks, Schools, Small Office/Home Office (SOHO), and Small/ 128 Medium Enterprise (SME). In these cases, the typical behavior 129 is that the forged DNS response directs the user towards a 130 server hosted to display the block page which breaks the TLS 131 connection. For web-browsing this then results in an HTTPS 132 certificate error message indicating that a secure connection 133 could not be established, which gives no information to the 134 end-user about the reason for the error. The typical errors 135 are "The security certificate presented by this website was 136 not issued by a trusted certificate authority" (Internet 137 Explorer/Edge"), "The site's security certificate is not 138 trusted" (Chrome), "This Connection is Untrusted" (Firefox), 139 "Safari can't verify the identity of the website..." (Safari 140 on MacOS)". 142 * Enterprise networks do not assume that all the devices 143 connected to their network are managed by the IT team or 144 Mobile Device Management (MDM) devices, especially in the 145 quite common BYOD ("Bring Your Own Device") scenario. In 146 addition, the local root certificate cannot be installed on 147 IoT devices without a device management tool. 149 * An end user does not know why the connection was reset and, 150 consequently, may repeatedly try to unsuccessfully reach the 151 domain. Frustrated, the end user may use insecure interfaces 152 to reach the domain, potentially compromising both security 153 and privacy. Furthermore, certificate errors train users to 154 click through certificate errors, which is poor security 155 practice. To eliminate the need for an end user to click 156 through certificate errors, an end user may manually install a 157 local root certificate [Chrome-Install-Cert] on a host device. 158 Doing so, however, is also poor security practice as it 159 creates a security vulnerability that may be exploited by a 160 MITM attack. When the manually installed local root 161 certificate expires, the user has to (again) manually install 162 the new local root certificate. 164 2. The DNS response is forged to provide a NXDOMAIN response to 165 cause the DNS lookup to terminate in failure. In this case, an 166 end user does not know why the domain cannot be reached, and may 167 repeatedly try to unsuccessfully reach the domain. Frustrated, 168 the end user may use insecure interfaces to reach the domain, 169 potentially compromising both security and privacy. 171 3. The extended error codes Blocked, Censored, and Filtered defined 172 in [I-D.ietf-dnsop-extended-error] can be returned by the DNS 173 server to provide additional information about the cause of an 174 DNS error. If the extended error code "Forged answer" defined in 175 [I-D.ietf-dnsop-extended-error] is returned by the DNS server, 176 the client can identify the DNS response is forged and the reason 177 for HTTPS certificate error. These extended error codes do not 178 suffer from the limitations discussed in (1) and (2) but the user 179 still does not know the exact reason nor the user is aware of the 180 exact entity blocking the access to the domain. For example, a 181 DNS server may block access domain based on the content category 182 like "Adult Content" to enforce parental control, "Violence & 183 Terrorism" due to an external requirement imposed by an external 184 entity (e.g., Law Enforcement Agency), etc. The content 185 categories for domains cannot be standardized because the 186 classification of domains into content categories is vendor 187 specific, typically ranges from 40 to 100 types of categories 188 depending on the vendor and the categories keep evolving. 189 Further, the threat data used to categorize domains may sometimes 190 mis-classify domains (e.g., Domains wrongly classified as DGA 191 (Domain Generation Algorithm) by deep learning techniques, domain 192 wrongly classified as phishing due to crowd sourcing, new domains 193 not categorized by the threat data, etc.). The end user needs to 194 know the contact details of the IT/InfoSec team to raise a 195 complaint. 197 No matter which type of response is generated (forged IP address, 198 NXDOMAIN or empty answer, or an extended error code), the user who 199 generated the query has little chance to understand which entity 200 filtered the query, how to report a mistake in the filter, or why the 201 entity filtered it at all. This document describes a mechanism to 202 provide a URL which, when accessed, provides such information to the 203 user. 205 One of the other benefits of this document is eliminating the need to 206 "spoof" block pages for HTTPS resources, as the block page no longer 207 needs to create a signed certificate when blocking a destination. 208 This avoids the need to install an local root certificate authority 209 on those IT-managed devices. 211 2. Terminology 213 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 214 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 215 "OPTIONAL" in this document are to be interpreted as described in BCP 216 14 [RFC2119][RFC8174] when, and only when, they appear in all 217 capitals, as shown here. 219 This document makes use of the terms defined in [RFC8499] and 220 [I-D.ietf-dnsop-terminology-ter]. 222 'DoH/DoT' refers to DNS-over-HTTPS and/or DNS-over-TLS. 224 3. Method to return the error page URL 226 The mechanism for providing additional information about the cause of 227 blocking access to a domain is from the HTTPS DNS record 228 [I-D.ietf-dnsop-svcb-https]. The "HTTPS" DNS resource record type 229 provides more information to the client before it attempts to 230 establish a HTTPS connection. This HTTPS record in the "ServiceMode" 231 (Section 2.4.2 of [I-D.ietf-dnsop-svcb-https]) provides the URL that 232 gives additional information about the cause of blocking access to a 233 domain. In order to convey an error page URL, this HTTPS record 234 SHOULD be returned along with the "Forged Answer" extended error code 235 in Extended DNS Error (EDE) EDNS option and MUST contain the "eut" 236 (Section 7) parameter. The value stored in the parameter is a URL. 237 The SvcParamKey "eut" MUST only be processed by the DNS client for a 238 "Forged Answer" extended error code and MUST be ignored for any other 239 type of DNS response. When the "forged answer" extended error code 240 is returned in conjunction with an HTTPS record containing the "eut" 241 SvcParamKey, any other resource records in the answer MUST be ignored 242 by clients supporting this specification. The "eut" is a single- 243 valued SvcParamKey and the value MUST NOT be empty. 245 The following example shows a record containing an error page URL: 247 foo.example.com. 7200 IN HTTPS 1 . ( 248 eut=https://block.example.net/block-page=ZXhhbXBsZS5jb20 ) 250 Figure 1: Example 1 252 In the above example, if the URI template is 253 "https://block.example.net/block-page={target-domain}" for the server 254 returning the error page and access to the target domain 255 "example.com" is blocked, the DNS server replaces the string 256 "{target-domain}" in the template with the base64url-encoded target 257 domain [RFC4648]. 259 The agent acting as HTTPS client on the endpoint uses the URL as 260 given by the DNS server in a HTTP GET request to retrieve the error 261 page. HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP to 262 use to retrieve the error page. 264 4. ERROR Page 266 The following text outlines the RECOMMENDED contents of an error page 267 to assist the operator developing the error page. 269 o The exact reason for blocking access to the domain. If the domain 270 is blocked based on some threat data, the threat type associated 271 with the blocked domain can be provided/displayed to the end user. 272 For example, the reason can indicate the type of malware blocked 273 like spyware and the damage it can do the security and privacy of 274 the user. 276 o The domain name blocked. 278 o If query was blocked by regulation, a pointer to a regulatory text 279 that mandates this query block. 281 o The entity (or organization) blocking the access to the domain and 282 contact details of the IT/InfoSec team to raise a complaint. 284 o The blocked error page to not include Ads and dynamic content. 286 The content of the error page discussed above is non-normative, the 287 above text only provides the guidelines and template for the error 288 page and. 290 o Does not attempt to offer an exhaustive list for the contents of 291 an error page. 293 o It is not intended to form the basis of any legal/compliance for 294 developing the error page. 296 5. Usability Considerations 298 The error page SHOULD be returned in the user's preferred language as 299 expressed by the Accept-Language header. If the error page is 300 displayed in a language not known to the end user and assuming 301 Internationalization features failed, browser extensions to translate 302 to user's native language can be used. For example, "Google 303 Translate" extension [Chrome-Translate] provided by Google on Chrome 304 can be used by the user to translate the error page. The "Google 305 Translate" extension automatically detects whether the language of a 306 page is different from the language the user has selected. If it is 307 in a different language, a banner appears at the top of the page. 308 The user can click on the Translate button in the banner to have all 309 the text on the page appear in the language selected by the user. 311 6. Security Considerations 313 Security considerations in [I-D.ietf-dnsop-extended-error] need to be 314 taken into consideration. Unless the DNS response that conveys the 315 URL that provides additional information about the cause of blocking 316 access to a domain is sent over DNS-over-HTTPS (DoH) [RFC8484] or 317 DNS-over-TLS (DoT) [RFC7858], the DNS response is susceptible to 318 forgery. 320 The agent acting as the HTTPS client on the endpoint MUST NOT fetch 321 the URL unless DNS messages exchanged are cryptographically protected 322 using DoH/DoT. Bad actors can host DoH/DoT servers, and claim the 323 servers offer privacy and filtering capability to block malware 324 domains but exactly do the opposite to invade the security and 325 privacy of the end user. For example, this attack can be mitigated 326 if the endpoint selects DoH/DoT servers hosted by well-known 327 organizations (e.g., ISPs, organization for which a user works, etc.) 328 or the user selects DoH/DoT server with filtering capability pre- 329 configured in the OS/Browser. The DNS client can learn the filtering 330 capability of a DoH/DoT server using 331 [I-D.reddy-add-server-policy-selection]. 332 [I-D.reddy-add-server-policy-selection] also discusses how a DNS 333 client can authenticate it is connecting to a DoH/DoT server hosted 334 by a specific organization (e.g., ISP). This information is 335 cryptographically signed to attest its authenticity. It is 336 particularly useful when the DoH/DoT server is insecurely discovered 337 and prevents the client from connecting to an attackers DoH/DoT 338 server. 340 In order to deal with malicious servers, because the client knows 341 that it is accessing a error page URL, it can know not to send 342 cookies, not to send credentials, disable JavaScript, auto-enable 343 private browsing mode for the error page or load the error page in a 344 container isolated from other web activity, etc. The client MUST 345 reject the URL if the scheme is not "https". 347 The DoH/DoT session provides transport security for the interaction 348 between the DNS client and server, but DNSSEC signing and validation 349 is not possible for the HTTPS record returning the error page URL 350 along with the "Forged Answer" extended error. 352 7. IANA Considerations 354 7.1. Error Page URL DNS Parameter 356 This document adds a parameter to the "Service Binding (SVCB) 357 Parameter" registry. If present, this parameter indicates the URL 358 that provides additional information about the cause of blocking 359 access to a domain is designated for use with the "Forged answer" 360 extended error code. This is a string encoded as UTF-8 characters. 362 Name: eut 364 SvcParamKey: TBD 366 Meaning: URL that provides additional information about the cause of 367 blocking access to a domain. 369 Reference: This document. 371 8. Acknowledgements 373 Thanks to Vittorio Bertola and Bob Harold for the comments.. 375 9. References 377 9.1. Normative References 379 [I-D.ietf-dnsop-extended-error] 380 Kumari, W., Hunt, E., Arends, R., Hardaker, W., and D. 381 Lawrence, "Extended DNS Errors", draft-ietf-dnsop- 382 extended-error-16 (work in progress), May 2020. 384 [I-D.ietf-dnsop-svcb-https] 385 Schwartz, B., Bishop, M., and E. Nygren, "Service binding 386 and parameter specification via the DNS (DNS SVCB and 387 HTTPS RRs)", draft-ietf-dnsop-svcb-https-01 (work in 388 progress), July 2020. 390 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 391 Requirement Levels", BCP 14, RFC 2119, 392 DOI 10.17487/RFC2119, March 1997, 393 . 395 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 396 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 397 . 399 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 400 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 401 DOI 10.17487/RFC7540, May 2015, 402 . 404 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 405 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 406 May 2017, . 408 9.2. Informative References 410 [Chrome-Install-Cert] 411 "How to manually install the Securly SSL certificate in 412 Chrome", . 416 [Chrome-Translate] 417 "Google Translate", 418 . 422 [I-D.ietf-dnsop-terminology-ter] 423 Hoffman, P., "Terminology for DNS Transports and 424 Location", draft-ietf-dnsop-terminology-ter-01 (work in 425 progress), February 2020. 427 [I-D.reddy-add-server-policy-selection] 428 Reddy.K, T., Wing, D., Richardson, M., and M. Boucadair, 429 "DNS Server Selection: DNS Server Information with 430 Assertion Token", draft-reddy-add-server-policy- 431 selection-03 (work in progress), June 2020. 433 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 434 and P. Hoffman, "Specification for DNS over Transport 435 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 436 2016, . 438 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 439 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 440 . 442 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 443 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 444 January 2019, . 446 Authors' Addresses 448 Tirumaleswar Reddy 449 McAfee, Inc. 450 Embassy Golf Link Business Park 451 Bangalore, Karnataka 560071 452 India 454 Email: kondtir@gmail.com 456 Neil Cook 457 Open-Xchange 458 UK 460 Email: neil.cook@noware.co.uk 462 Dan Wing 463 Citrix Systems, Inc. 464 USA 466 Email: dwing-ietf@fuggles.com 468 Mohamed Boucadair 469 Orange 470 Rennes 35000 471 France 473 Email: mohamed.boucadair@orange.com