Inside DNS over HTTPS workflow

Aniketh Girish (~Aniketh01)




DNS is not an encrypted protocol. DNS queries and responses sent over UDP or TCP have no confidentiality and no integrity protection. The data carried in DNS goes well beyond name-to-address mappings: mail routing (MX), service discovery, geolocation-dependent answers, and DANE/TLSA records that bind TLS certificates to names, among others. Sending DNS in the clear exposes all of this to eavesdropping and spoofing.

DNS over HTTPS (DoH) is a protocol for sending DNS queries and receiving DNS responses over HTTPS connections, which gives the queries confidentiality. DoH provides more than privacy: because the exchange is encrypted between client and resolver, an on-path party such as an ISP cannot read or alter the responses, so the client also gets integrity of the response on the wire. The hop between a client and its recursive resolver is the one most exposed to undesired or malicious changes, because that hop is normally unencrypted. Note that DoH protects the transport only: it does not authenticate the DNS data itself, and the resolver still sees every query. Authenticating the data is the job of DNSSEC, discussed below.

In this talk, we will discuss the implementation and parsing of DNS over HTTPS. We have added support for handling IPv4 and IPv6 DNS packets (A and AAAA records) as well as EDNS(0), including the edns-client-subnet option. Running DNS over HTTP provides a transport suitable for traditional DNS clients seeking access to the DNS. Finally, we will discuss how our client sends DNS queries and receives DNS responses over HTTPS (an https:// URL), relying on TLS for integrity and confidentiality.
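As an added illustration of the two pieces described above (not code from the talk or from Wget2), the following Python builds a wire-format DNS query carrying an EDNS(0) OPT record with an edns-client-subnet option, encodes it into the RFC 8484 GET form, and parses a response containing A and AAAA records with name compression. The message layouts follow RFC 1035, RFC 6891 (EDNS(0)), RFC 7871 (ECS) and RFC 8484 (DoH). The resolver URL `https://dns.example/dns-query`, the client subnet, and the sample response are constructed for this example and are not captured traffic.

```python
import base64
import ipaddress
import struct

TYPE_A, TYPE_AAAA, TYPE_OPT = 1, 28, 41
OPT_ECS = 8                         # EDNS Client Subnet option code (RFC 7871)
FLAG_RD, FLAG_AD = 0x0100, 0x0020   # recursion desired / authenticated data


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ecs_option(address, source_prefix_len):
    """EDNS Client Subnet option: only the masked prefix is sent, never the full IP."""
    net = ipaddress.ip_network((address, source_prefix_len), strict=False)
    family = 1 if net.version == 4 else 2
    addr_bytes = net.network_address.packed[:(source_prefix_len + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix_len, 0) + addr_bytes  # scope=0 in queries
    return struct.pack("!HH", OPT_ECS, len(data)) + data


def build_query(qname, qtype, txid=0, ecs=None):
    """Wire-format query: one question plus an OPT pseudo-record in the additional section.
    RFC 8484 recommends txid 0 for the GET form so identical queries yield identical URLs."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    rdata = ecs_option(*ecs) if ecs else b""
    # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def doh_get_url(template, query):
    """RFC 8484 GET form: ?dns=<base64url of the wire message, '=' padding stripped>."""
    return template + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after the field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if hops > 64:                          # guard against pointer loops in hostile input
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, expected_txid=0):
    """Return (rcode, ad_bit, [(name, type, ttl, address), ...]) for A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if (rtype, rdlen) in ((TYPE_A, 4), (TYPE_AAAA, 16)):
            answers.append((name, "A" if rtype == TYPE_A else "AAAA", ttl,
                            str(ipaddress.ip_address(rdata))))
    # AD=1 means the resolver validated the answer with DNSSEC; DoH itself does not do that.
    return flags & 0x0F, bool(flags & FLAG_AD), answers


def sample_response(txid=0):
    """Constructed (not captured) response: example.com A + AAAA, AD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | FLAG_AD, 1, 2, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"                              # pointer to the QNAME at offset 12
    a = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + ipaddress.IPv4Address("192.0.2.1").packed
    aaaa = ptr + struct.pack("!HHIH", TYPE_AAAA, 1, 300, 16) + ipaddress.IPv6Address("2001:db8::1").packed
    return header + question + a + aaaa


if __name__ == "__main__":
    q = build_query("example.com", TYPE_A, ecs=("192.0.2.55", 24))
    print(doh_get_url("https://dns.example/dns-query", q))   # hypothetical resolver URL
    print(parse_response(sample_response()))
```

The POST form of RFC 8484 sends the same bytes as the request body with `Content-Type: application/dns-message`; either way the client must check the response's `Content-Type` and transaction id before parsing. The parser above relies on Python raising `IndexError` on a truncated message; in a C client such as Wget2 every offset used by the name decompressor and record walker needs an explicit bounds check, since a crafted response is exactly where memory-safety bugs in DNS parsers tend to live.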

Furthermore, I plan to shed some light on how DNSSEC validation fits into DNS resolution over HTTPS, so that the DNS data is authenticated as well as carried privately.

Content URLs:


Speaker Info:

I’m currently in my sophomore year, pursuing an undergraduate degree in Computer Science and Engineering from Amrita University. I’m an active member of a FOSS club in our university (FOSS@Amrita). I started actively contributing to various open source organizations in the year 2016. Initially, I started my career in Open Source by contributing to KDE. I was selected for Season of KDE (KDE-SoK) 2016-17, in which I worked on an astronomy software called KStars.

Further, I was selected for Google Summer of Code 2017 under KDE, where I worked on a project for the libre graphics software Krita. My work involved introducing a data sharing module in it. The module enables communication between Krita and a remote KDE server in order to help users save and publish their data online. This also required modifying the underlying framework to enable client/server communication. I have been selected for Google Summer of Code for the 2nd time, where I am working on the project Wget2 under the GNU organisation. My GSoC project involves adding support for DNS over HTTPS in Wget2.

I was invited as a speaker for KDE India Conference 2017 in IIT Guwahati, where I gave a talk on the topic “Object tracking using OpenCV and Qt”. Further, I will be travelling to Austria in August to give a talk at the KDE conference Akademy, on the topic “Strengthen Code Review Culture: rm -rf ‘Toxic Behaviors’”.

Speaker Links:

Id: 654
Section: Networking and Security
Type: Talks
Target Audience: Intermediate
Last Updated: