IETF spikes government metadata collection with DNS request crypto plan
RFC calling for DNS encryption would make it much harder for spooks to know where you surf
DNS requests and responses – part of what many countries regard as “metadata” that they want collected for law enforcement – should be encrypted to protect users from surveillance.
That's what's put forward in RFC 7858: that DNS requests should traverse transport layer security (TLS) links, so as to protect users' requests from eavesdropping.
DNSSec – less-loved than IPv6 but probably inevitable – only offers verification that the response you receive is accurate, by cryptographically signing DNS zones.
If you've visited (for example) nbnco.com.au and the Australian Federal Police has that domain on a warrant, in the data-retention-enabled future Australia, your visit to the site will be among the things your ISP will be expected to retain. Similar requirements are appearing around the world.
It's now two years since the IETF community decided that pervasive monitoring is an attack, and RFC 7858 is part of that stream of work.
The nice thing, if you happen to be a sysadmin with responsibility for someone's DNS servers, is that the authors reckon it's not going to break your heart.
“Initiation of DNS over TLS is very straightforward. By establishing a connection over a well-known port, clients and servers expect and agree to negotiate a TLS session to secure the channel.”
For now, the main catch is that some firewalls might block the port (port 853 in the RFC); there's a load on clients to work out which servers support TLS and which don't; and both clients and servers need a secure TLS implementation.
The current document sticks to stub clients and recursive servers; recursive clients are “out-of-scope”, the RFC says.
As always, the effectiveness of a system like DNS over TLS depends on deployment. If it looks like taking off, El Reg reckons it won't be long before law enforcement decides the techs have opened another front in the crypto wars. ®
Bootnote: For those unfamiliar with DNS, the domain name system is the infrastructure that converts "www.theregister.co.uk" into the relevant IP address, so you don't need to memorise the 12-digit numbers to get to a website. ®