Internet Engineering Task Force S. Kerr
Internet-Draft L. Song
Intended status: Informational R. Wan
Expires: November 4, 2016 Beijing Internet Institute
May 3, 2016
A review of implementation DNS over port 80/443
draft-shane-review-dns-over-http-03
Abstract
The default DNS transport uses UDP on port 53. There are many
motivations why users or operators may prefer to avoid sending DNS
traffic in this way. A common solution is to use port 80 or 443;
with plain TCP, TLS-encrypted TCP, or full HTTP(S). This memo
reviews the possible approaches and delivers some useful information
for developers.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 4, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Kerr, et al. Expires November 4, 2016 [Page 1]
�
Internet-DrafA review of implementation DNS over port 80/443 May 2016
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Different Implementations Approaches . . . . . . . . . . . . 3
2.1. DNS over TCP on port 80/443 . . . . . . . . . . . . . . . 3
2.2. DNS over TLS on port 443 . . . . . . . . . . . . . . . . 3
2.3. DNS Wire-format over HTTP(S) . . . . . . . . . . . . . . 4
2.4. REST HTTP API . . . . . . . . . . . . . . . . . . . . . . 5
3. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6
4. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
Name servers use port 53, on both UDP and TCP [RFC1035] [RFC5966].
However, users or operators occasionally find it useful to use an
alternative way to deliver DNS information, and often pick port 80
(the default HTTP port) or 443 (the default HTTPS port) for this
purpose.
There are several use cases:
o Case 1: Firewalls or other middleboxes may interfere with normal
DNS traffic [RFC3234] [RFC5625] [DOTSE] [SAC035]. In addition,
some ISPs and hotels block external DNS and perform DNS rewriting
to send users to advertising pages, or may use IP addresses which
cause misleading geographic location for the user
[I-D.ietf-dnsop-edns-client-subnet]. Users may want DNSSEC
support which is not deployed locally in such a case, and so on.
o Case 2: Users may use DNS over TLS or HTTPS to protect privacy.
This also allows the client to authenticate the server.
o Case 3: Developers may want a higher level DNS API. Web
developers may prefer different abstractions or familiar tools
like JSON or XML, transmitted using HTTP or HTTPS.
This memo does not aim to develop standards or tools. The purpose is
to review various implementation options as a reference for
developers. However, it may be helpful for anyone hoping to develop
specifications for DNS over 80/443 in the future.
Note that most of the implementations described in this memo are on
port 80/443 and combined with TCP/TLS/HTTP(S). The main focus is
Kerr, et al. Expires November 4, 2016 [Page 2]
�
Internet-DrafA review of implementation DNS over port 80/443 May 2016
between stub resolvers and recursive servers, and the discussion is
about the stub resolver to recursive server communication.
2. Different Implementations Approaches
2.1. DNS over TCP on port 80/443
The simplest approach is just moving the DNS traffic to port 80 or
443 from 53. This approach serves the requirement use case 1.
In this way, the whole protocol is the same as current DNS transport
in TCP, except the transport port is moved to port 80 or 443. The
difference between port 80 and 443 is that the traffic of port 80 is
usually intercepted as HTTP traffic for purposes of deeper
inspection, while the traffic of port 443 is usually considered to be
encrypted, and typically ignored by middle-boxes. One example where
DNS is transported through port 80/443 is one of the fallback cases
of NLnetLabs' DNSSEC trigger [dnssec-trigger].
Transporting DNS through port 80/443 is an easy implementation.
Developers can simply run an existing DNS server and configure the
DNS software to listen on ports 80/443. The client can also apply
this change without any significant changes.
One drawback of this approach is that it might mislead the client
because of the port used. For example, clients might think DNS over
443 as a secure protocol because normally the session would be
encrypted. In this case, however, it is not.
2.2. DNS over TLS on port 443
Another approach is DNS over TLS on port 443, which is also
implemented in DNSSEC trigger. DNS over TLS is documented in
[I-D.ietf-dprive-dns-over-tls], which uses the well-known port 853.
Using port 443 to carry the traffic instead still serves the purpose
in use case 1, as some middle boxes may block traffic on the port
853. [I-D.ietf-dprive-dns-over-tls] also discusses authentication
and privacy profiles.
TLS provide many benefits for DNS. First, it significantly reduces
the DNS conversation's vulnerability to being hijacked. Second, it
prevents resolvers from becoming amplifiers of reflection attack.
Additionally, it provides privacy by encrypting the conversation
between client and server.
One concern of DNS over TLS is its cost. Compared to UDP, DNS-over-
TCP requires an additional round-trip-time (RTT) of latency to
establish a TCP connection. Use of TLS encryption algorithms adds an
Kerr, et al. Expires November 4, 2016 [Page 3]
�
Internet-DrafA review of implementation DNS over port 80/443 May 2016
additional RTT, and results in slightly higher CPU usage. It should
also be considered that the DNS packet over TLS on a new port might
be dropped by some middle boxes. Another concern of TLS is the
deployment difficulty when authenticating the server. If servers are
authenticated, certificate management is required.
2.3. DNS Wire-format over HTTP(S)
Different from raw DNS over TCP using port 80/443, another option is
encapsulating DNS wire-format data into an HTTP body and sending it
as HTTP(S) traffic. It is quiet useful in use cases 1 & 2 described
in the introduction. This approach has the benefit that HTTP usually
makes it through even the worst coffee shop or hotel room firewalls,
as this expected by Internet users.
Using HTTP also benefits from HTTP's persistent TCP connection pool
concept (see section 6.3 in [RFC7230]), which DNS on TCP port 53 does
not have. Note that if HTTP/2 (see [RFC7540]) is used then there may
be concurrent streams, and answers on different streams may arrive
out-of-order.
Finally, as with DNS over TLS, HTTPS provides data integrity and
privacy. Use of such encryption is recommended.
The basic methodology works as follows:
1. The client creates a DNS query message.
2. The client encapsulates the DNS message in a HTTP(S) message body
and assigns parameters with the HTTP header.
3. The client connects to the server and issues an HTTP(S) POST
request method.
4. The server decapsulates the HTTP package to DNS query, and
resolves the DNS query.
5. The server encapsulates the DNS response in HTTP(S) and sends it
back via the HTTP(S) session.
Note that if the original DNS query is sent by TCP, first two bits of
the package is the message length and should be removed. (This is
only true if some software is translating from the DNS protocol to
DNS over HTTP, for example via a proxy. Native implementations will
of course not need this.) There is an implementation of this
methodology in the Go Programming Language (https://github.com/BII-
Lab/DNSoverHTTPinGO) as well as C (https://github.com/BII-Lab/
DNSoverHTTP), maintained by BII lab.
Kerr, et al. Expires November 4, 2016 [Page 4]
�
Internet-DrafA review of implementation DNS over port 80/443 May 2016
In addition to the benefits mentioned before, the HTTP header makes
DNS wire-format over HTTP(S) easy to extend. Compared to creating a
new option in EDNS0, using new parameters in HTTP header is far
easier to deploy, since DNS messages with EDNS0 may not pass some
middle boxes.
The DNS wire-format approach has the advantage that any future
changes to the DNS protocol will be transparently supported by both
client and server, even while continuing to use HTTP.
One disadvantage of packaging DNS into HTTP is its cost. Packing and
unpacking uses CPU and may result in higher response time. The DNS
over HTTP messages also have a risk of being dropped by firewalls
which intercepts HTTP packets. And it should be noted that if HTTPS
is used, then all the discussion of TLS in previous section is also
applicable here.
2.4. REST HTTP API
As mentioned in use case 3, one motivation of a REST HTTP API is for
web developers who need to get DNS information but cannot create raw
requests (for example JavaScript developers). They can work by
creating HTTP requests other than real DNS queries.
In this style of implementation DNS data is exchanged in other
formats than wire format, like JSON [I-D.bortzmeyer-dns-json], or XML
[I-D.mohan-dns-query-xml]. There are also lots of REST DNS API
developed by DNS service providers.
Most of these APIs are developed in the scope of their own system
with different specification. But a typical query is a client will
requesting a special formatted URI. Usually there is a HTTP(S)
server listening to port 80/443, which will parse the request and
create a DNS query or DNS operation command towards the real DNS.
Unlike wire-format DNS over HTTP(S), once the HTTP(S) server receives
the response, it create the response by putting DNS data into various
structured formats like JSON, XML, YAML, or even plain text.
However, such an approach may have issues, because it is not based on
traditional DNS protocol. So there is no guarantee of the protocol's
completeness and correctness. Support for DNSSEC might also be a
problem because the response usually do not contain RR records with
the answer, making it impossible for a client to validate the reply.
As with DNS over DNS Wire-format over HTTP, use of encryption is
encouraged.
Kerr, et al. Expires November 4, 2016 [Page 5]
�
Internet-DrafA review of implementation DNS over port 80/443 May 2016
3. Acknowledgments
Thanks to Jinmei Tatuya for review. Thanks to Robert Edmonds for
pushing for encryption. Thanks to Mark Delany for raising the issue
of out-of-order responses.
4. References
[dnssec-trigger]
"Dnssec-Trigger", .
[DOTSE] Aehlund, J. and P. Wallstroem, "DNSSEC Tests of Consumer
Broadband Routers", February 2008,
.
[I-D.bortzmeyer-dns-json]
Bortzmeyer, S., "JSON format to represent DNS data",
draft-bortzmeyer-dns-json-01 (work in progress), February
2013.
[I-D.ietf-dnsop-edns-client-subnet]
Contavalli, C., Gaast, W., tale, t., and W. Kumari,
"Client Subnet in DNS Queries", draft-ietf-dnsop-edns-
client-subnet-04 (work in progress), September 2015.
[I-D.ietf-dprive-dns-over-tls]
Zi, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "DNS over TLS: Initiation and Performance
Considerations", draft-ietf-dprive-dns-over-tls-01 (work
in progress), October 2015.
[I-D.mohan-dns-query-xml]
Parthasarathy, M. and P. Vixie, "Representing DNS messages
using XML", draft-mohan-dns-query-xml-00 (work in
progress), September 2011.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, .
[RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and
Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002,
.
Kerr, et al. Expires November 4, 2016 [Page 6]
�
Internet-DrafA review of implementation DNS over port 80/443 May 2016
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
.
[RFC5625] Bellis, R., "DNS Proxy Implementation Guidelines",
BCP 152, RFC 5625, DOI 10.17487/RFC5625, August 2009,
.
[RFC5966] Bellis, R., "DNS Transport over TCP - Implementation
Requirements", RFC 5966, DOI 10.17487/RFC5966, August
2010, .
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
.
[RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
DOI 10.17487/RFC7540, May 2015,
.
[SAC035] ICANN Security and Stability Advisory Committee, "DNSSEC
Impact on Broadband Routers and Firewalls", 2008.
Authors' Addresses
Shane Kerr
Beijing Internet Institute
2/F, Building 5, No.58 Jinghai Road, BDA
Beijing 100176
CN
Email: shane@biigroup.cn
URI: http://www.biigroup.com/
Linjian Song
Beijing Internet Institute
2508 Room, 25th Floor, Tower A, Time Fortune
Beijing 100028
P. R. China
Email: songlinjian@gmail.com
URI: http://www.biigroup.com/
Kerr, et al. Expires November 4, 2016 [Page 7]
�
Internet-DrafA review of implementation DNS over port 80/443 May 2016
Runxia Wan
Beijing Internet Institute
2508 Room, 25th Floor, Tower A, Time Fortune
Beijing 100028
P. R. China
Email: rxwan@biigroup.cn
URI: http://www.biigroup.com/
Kerr, et al. Expires November 4, 2016 [Page 8]