Mon 15 May 2017

The Importance of Being an Earnest stub

Many transactions that need to be trustworthy, and possibly encrypted, start with a DNS query. If we consider security from the ground up, we need to include end users' DNS transactions with resolvers in the security realm. The minimal step is DNSSEC, with which the received data can be verified and validated as correct and authentic. But if we want to take security and privacy a step further, the recursive resolver also needs to be authenticated and the communication with it encrypted.

These requirements put higher demands on the capabilities, and also on the role and responsibilities, of stub resolvers, and change the relationship with, and the requirements on, the recursive resolvers they use. The first/last mile is changing.

In this presentation we discuss the idea of security from the ground up, focusing on the versatile stub resolver as designed in the getdns project. Current challenges and solutions to DNSSEC roadblocks are presented, and ideas and designs for future developments are outlined.

Summary

For both DANE and DNS Privacy, stub resolvers need to be able to reliably establish the authenticity of the data and of the remote end. This alone already involves DNSSEC and/or PKIX validation, and might also involve DNSSEC roadblock avoidance, discovery of and anticipating IPv6-only networks (DNS64/NAT64), and reliable maintenance of trust requirements (i.e. the KSK rollover). Furthermore, to correctly perform DANE, applications need to learn the status of the authentication result from the stub resolver.

In the course of the presentation the following topics will be covered:

  • the current techniques stub resolvers have to reliably do DNSSEC,
  • the changing architectural role of the stub resolver as a system component (stub as daemon, as library, as both, dbus interface, nsswitch module),
  • the stub resolver specific challenges with the KSK rollover, and
  • the implementation status of different stub software with respect to the bullet points above.


Other by Willem Toorop

  • Living on the Edge (Sun 04 Feb 2018, DNS devroom @ FOSDEM'18; Willem Toorop; end-2-endness): Greatly needed stub resolver capabilities for applications and systems with the getdns library
  • Hands on getdns (Thu 06 Jul 2017, JCSA17; Sara Dickinson, Willem Toorop): Tutorial at the JCSA17 in Paris
  • How to get a trustworthy DNS Privacy enabling recursive resolver (Sun 26 Feb 2017, NDSS2017; Willem Toorop, Benno Overeinder, Melinda Shore; DNS Privacy): Analysis of authentication mechanisms for DNS Privacy enabling recursive resolvers, presented at the NDSS2017
  • Stubby (Wed 19 Oct 2016, NANOG68; Willem Toorop; Stubby): Introducing Stubby at the NANOG68 in Dallas
  • DNSSEC for Legacy Applications (Thu 19 Nov 2015, DNS-WG @ RIPE71; Willem Toorop): Presentation about an experimental nsswitch getdns component
  • getdns - A new stub resolver (Sun 13 Sep 2015, vBSDcon 2015; Willem Toorop): Very complete overview presentation at the vBSDcon 2015 in Reston
  • getdns API implementation (Thu 14 May 2015, OS-WG @ RIPE70; Willem Toorop): Presentation in the Open Source Working Group at RIPE70 in Amsterdam
  • getdns API (Thu 26 Mar 2015, Bits-n-Bites @ IETF92; Sara Dickinson, Gowri Visweswaran, Willem Toorop): Poster presentation at the Bits-n-Bites of the IETF92
  • getdns API implementation (Wed 25 Jun 2014, DNSSEC-WS @ ICANN50; Willem Toorop): Presentation at the DNSSEC Workshop at ICANN50 in London
  • getdns API implementation (Wed 14 May 2014, OS-WG @ RIPE68; Willem Toorop): Lightning talk at the Open Source Working Group at RIPE 68 in Warsaw
  • getdns API implementation (Sun 11 May 2014, DNS-OARC 2014 Spring-WS; Willem Toorop): Presentation at the DNS-OARC Spring Workshop in Warsaw