draft-ietf-dnsop-dns-wireformat-http-00.txt   draft-ietf-dnsop-dns-wireformat-http-01.txt 
Internet Engineering Task Force L. Song Internet Engineering Task Force L. Song
Internet-Draft Beijing Internet Institute Internet-Draft Beijing Internet Institute
Intended status: Experimental P. Vixie Intended status: Experimental P. Vixie
Expires: March 19, 2017 TISF Expires: September 28, 2017 TISF
S. Kerr S. Kerr
R. Wan R. Wan
Beijing Internet Institute Beijing Internet Institute
September 15, 2016 March 27, 2017
DNS wire-format over HTTP DNS wire-format over HTTP
draft-ietf-dnsop-dns-wireformat-http-00 draft-ietf-dnsop-dns-wireformat-http-01
Abstract Abstract
This memo introduces a way to tunnel DNS data over HTTP. This may be This memo introduces a way to tunnel DNS data over HTTP. This may be
useful in any situation where DNS is not working properly, such as useful in any situation where DNS is not working properly, such as
when there is middlebox misbehavior. when there is middlebox misbehavior.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 19, 2017. This Internet-Draft will expire on September 28, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Methodology and Configuration . . . . . . . . . . . . . . . . 3 2. Methodology and Configuration . . . . . . . . . . . . . . . . 3
3. DNS-over-HTTP Message Format . . . . . . . . . . . . . . . . 4 3. DNS-over-HTTP Message Format . . . . . . . . . . . . . . . . 4
3.1. Request Method . . . . . . . . . . . . . . . . . . . . . 4 3.1. Request Method . . . . . . . . . . . . . . . . . . . . . 5
3.2. Response Status Code . . . . . . . . . . . . . . . . . . 5 3.2. Response Status Code . . . . . . . . . . . . . . . . . . 5
3.3. Header Fields . . . . . . . . . . . . . . . . . . . . . . 6 3.3. Header Fields . . . . . . . . . . . . . . . . . . . . . . 6
3.4. Message Body . . . . . . . . . . . . . . . . . . . . . . 6 3.4. Message Body . . . . . . . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 7 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 7
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
RFC 1035 [RFC1035] specifies the wire format for DNS messages. It RFC 1035 [RFC1035] specifies the wire format for DNS messages. It
also specifies DNS transport on UDP and TCP on port 53, which is also specifies DNS transport on UDP and TCP on port 53, which is
still used today. However, there are other ways to access DNS still used today. However, there are other ways to access DNS
database, for example in a different data format or via alternative database, for example in a different data format or via alternative
DNS transport. These approaches are summarized in [draft-shane- DNS transport. These approaches are summarized in [draft-shane-
review-DNS-over-http]. review-DNS-over-http].
skipping to change at page 6, line 41 skipping to change at page 6, line 45
For a stub resolver that connects directly via HTTP to the HTTP For a stub resolver that connects directly via HTTP to the HTTP
server proxy then this flag should be set to TCP, as the entire server proxy then this flag should be set to TCP, as the entire
response can always be delivered so truncation is never required. response can always be delivered so truncation is never required.
The client MUST include this option. If it is missing then it is an The client MUST include this option. If it is missing then it is an
error and the server should respond with HTTP code 400 (bad request). error and the server should respond with HTTP code 400 (bad request).
3.4. Message Body 3.4. Message Body
As mentioned, the message body is DNS wire-format data. It is worth As mentioned, the message body is DNS wire-format data. DNS messages
mentioning that DNS messages sent over TCP connections is prefixed sent over TCP connections is prefixed with a two-byte length field
with a two-byte length field which gives the message length [section which gives the message length [section 4.2.2 in RFC 1035 [RFC1035]],
4.2.2 in RFC 1035 [RFC1035]], excluding the two-byte length field. excluding the two-byte length field. This length field allows the
This length field allows the low-level processing to assemble a low-level processing to assemble a complete message before beginning
complete message before beginning to parse it. In the context of to parse it. But when HTTP is used, the HTTP protocol itself keeps
HTTP, there is content-length header field [section 3.3.2 in track of the length of the message, so there is no need to transmit
[RFC7230]]in which the field-value is the same with two bytes length this separately.
field in DNS over TCP.
Since this two-byte length field is redundant, when the client proxy Since the two-byte length field is redundant, when the client proxy
receives a DNS message over TCP, it MUST NOT include the length field receives a DNS message over TCP or when the server sends an answer
in the message sent to the server. The length in the content-length for a TCP query, it MUST NOT include the length field in the message
header is only the size of the DNS message itself, and MUST NOT sent. The length of the message sent by HTTP is only the size of the
include this two-byte length header. DNS message itself, and MUST NOT include this two-byte length header.
4. Security Considerations 4. Security Considerations
This protocol does not introduce any new security considerations This protocol does not introduce any new security considerations
since it is built on the DNS and HTTP protocols. since it is built on the DNS and HTTP protocols.
Since this protocol transmits DNS messages, all of the security Since this protocol transmits DNS messages, all of the security
concerns that stub resolvers and recursive resolvers have with DNS concerns that stub resolvers and recursive resolvers have with DNS
messages apply. However, since HTTP uses TCP as the underlying messages apply. However, since HTTP uses TCP as the underlying
protocol, DNS reflection or amplification attacks are not possible. protocol, DNS reflection or amplification attacks are not possible.
skipping to change at page 7, line 40 skipping to change at page 7, line 43
example, clients of an open resolver do not require authentication. example, clients of an open resolver do not require authentication.
Note that the ability to perform DNS queries in this way may allow Note that the ability to perform DNS queries in this way may allow
users to bypass local DNS policy. This is problematic in any users to bypass local DNS policy. This is problematic in any
environment where administrators need to enforce specific DNS environment where administrators need to enforce specific DNS
behavior, such as an enterprise environment. The protocol outlined behavior, such as an enterprise environment. The protocol outlined
here does not introduce any new capabilities in this area, but by here does not introduce any new capabilities in this area, but by
creating a more standardized way of doing this it may cause creating a more standardized way of doing this it may cause
operational problems for enterprise administrators. operational problems for enterprise administrators.
5. IANA considerations 5. Privacy Considerations
DNS over HTTP involves sending DNS requests, so is subject to most of
the problems documented in RFC 7626 [RFC7626]. In particular the
resolver handling the request sees the contents of every query and
answer, as does any proxy involved on either the client or server
side.
Use of TLS encryption will prevent attackers from seeing the plain
DNS queries on the wire. However, the warnings about privacy in RFC
7858 [RFC7858] apply: "Even with encrypted messages, a well-
positioned party may be able to glean certain details from an
analysis of message timings and sizes."
If a server requires a client-side certificate or other
authentication, then this may allow an attacker to identify which
user is active and when, if they gain access to the server logs.
The use of DNS over HTTP may act as a strong signal to any
surviellers that the user is attempting to bypass local DNS policy
either to get different answers or hide their traffic. Various
techniques could be used to discover this, such as observing web
traffic without any corresponding DNS traffic.
6. IANA considerations
Registration for a new Media Type: dns-wireformat Registration for a new Media Type: dns-wireformat
Registration for a new HTTP header field: Proxy-DNS-Transport Registration for a new HTTP header field: Proxy-DNS-Transport
Registration for a new Well-Known URI: "dns-wireformat" Registration for a new Well-Known URI: "dns-wireformat"
6. Acknowledgments 7. Acknowledgments
Thanks to Bob Harold, Paul Hoffman, and Julian Reschke for review. Thanks to Bob Harold, Paul Hoffman, Julian Reschke, and Erik Kline
for review.
7. References 8. References
[DOTSE] and , "DNSSEC Tests of Consumer Broadband Routers", [DOTSE] and , "DNSSEC Tests of Consumer Broadband Routers",
February 2008, February 2008,
<http://www.iis.se/docs/Routertester_en.pdf>. <http://www.iis.se/docs/Routertester_en.pdf>.
[I-D.bortzmeyer-dns-json] [I-D.bortzmeyer-dns-json]
Bortzmeyer, S., "JSON format to represent DNS data", Bortzmeyer, S., "JSON format to represent DNS data",
draft-bortzmeyer-dns-json-01 (work in progress), February draft-bortzmeyer-dns-json-01 (work in progress), February
2013. 2013.
skipping to change at page 9, line 15 skipping to change at page 9, line 38
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231, Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014, DOI 10.17487/RFC7231, June 2014,
<http://www.rfc-editor.org/info/rfc7231>. <http://www.rfc-editor.org/info/rfc7231>.
[RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
Transfer Protocol Version 2 (HTTP/2)", RFC 7540, Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
DOI 10.17487/RFC7540, May 2015, DOI 10.17487/RFC7540, May 2015,
<http://www.rfc-editor.org/info/rfc7540>. <http://www.rfc-editor.org/info/rfc7540>.
[RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626,
DOI 10.17487/RFC7626, August 2015,
<http://www.rfc-editor.org/info/rfc7626>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <http://www.rfc-editor.org/info/rfc7858>.
[SAC035] ICANN Security and Stability Advisory Committee, "DNSSEC [SAC035] ICANN Security and Stability Advisory Committee, "DNSSEC
Impact on Broadband Routers and Firewalls", 2008. Impact on Broadband Routers and Firewalls", 2008.
Authors' Addresses Authors' Addresses
Linjian Song Linjian Song
Beijing Internet Institute Beijing Internet Institute
2508 Room, 25th Floor, Tower A, Time Fortune 2508 Room, 25th Floor, Tower A, Time Fortune
Beijing 100028 Beijing 100028
P. R. China P. R. China
 End of changes. 14 change blocks. 
28 lines changed or deleted 62 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/