Welcome everybody. You just joined us for our next speaker, Stéphane Bortzmeyer, who will be talking about testing DoH and DoT servers for compliance and performance. Okay, the floor is yours. Good luck.

Hello everyone. Would you like some water? Oh, yes, please, and beer too. There's no beer, sorry.

So it's a good thing that I don't have a lot of time, because I don't have many concrete results to show, because the problem is more complicated than I thought when I suggested this talk. So, general context: DoE, DNS over Encryption: DoT, DoH, maybe DNS over QUIC one day. The general idea is, I don't think that it would be a good idea to have only two or three DoE resolvers managed by big US companies. The good solution, in my opinion, is to have many, many possible DoE resolvers. But if you have many of these resolvers, you meet one problem, which is to choose one: you need information about the server. So you need to test compliance, or to assess compliance: is the server a correct, working server? And also performance, because of course, as you know, everything depends on DNS; if DNS is slow or unresponsive, everything is lost. Also, one good reason to have some way of testing the compliance of resolvers is to help with managing directories of resolvers.

You already have today several public directories of DoE resolvers. Typically they are managed by hand. DoE resolvers come and go; the directories are not always up to date. When you want to have some specific characteristics, such as IPv6 support for instance, it has to be done by hand, which is not good for the quality of the directories.

So, for the compliance, I have played with a lot of DoE resolvers from the beginning, using different tools to test if they work or not. Most of the tests I'm going to enumerate come from a real problem with one of the resolvers. For instance, the RFC says that a DoH resolver has to accept the GET and POST methods, but I saw DoH resolvers with only support for POST, for instance. Also robustness when you have a strange or unexpected method: so the RFC about DoH doesn't mandate that you have to support HEAD, but I've seen at least one DoH resolver where, when you send a HEAD method, it doesn't reply, it doesn't shut the connection, it just times out after some delay. Same thing when there are broken requests: in some cases a broken request, for instance a DNS request which is not a proper one, may break the connection, the HTTP/2 connection. Same thing for MIME types. Also, it could be interesting to test the TLS quality: ciphers accepted, protocols accepted. I hesitated on this one because, at least for DoH, you can use existing tools like ssllabs.com when you want to test a DoH resolver. And also very important: both DoT and DoH allow you to have several DNS requests per connection, because as you know DNS has to be low latency, and setting up a TCP, TLS, HTTP/2 connection takes some time. So it's absolutely necessary to have the ability to put several DNS requests on one connection, not creating a new connection each time. It works more or less.

I remember one big DoT resolver: when it was first announced, it was possible only to send one request, and after that the connection was shut down. It has been fixed since, but it's still important. And also, of course, out-of-order answers, because it's not enough to have several requests on one connection. You know that the response time of a resolver, unlike an authoritative server, the response time of a resolver depends highly on the request. If you do a request for a domain whose authoritative name servers are broken, the resolver will take a lot of time. So you need to be able to receive and process out-of-order answers. If you send a request for a slow domain, then a request for a fast domain, you certainly expect the answer for the fast domain to come back first, while we are still waiting for the slow domain. And also several IP addresses. It's very classical. It's funny that in 2020 we still have problems, for instance with IPv6, and I've seen DoH or DoT resolvers with a name that has both an IPv4 and an IPv6 address: the IPv4 address worked, the IPv6 timed out. Bad.

Also, compliance is not enough; we also need performance. The case of DoT and DoH is a bit different. As I said, you need to be able to do several DNS requests in one TCP/TLS session. Demultiplexing in the case of DoT is done on the basis of the query ID. So typically the client is supposed to send as many requests as they want, with the proper query ID, and when the answers come back, the client is supposed to use the query ID to know how to match the answer with the request. Of course, it's interesting only if there is pipelining, the ability to send the request even before you receive the answer, and out of order, as I said: if a slow question starts before a fast question, you expect the answers in the opposite order. For DoH it's a bit different.

You also need several requests on one HTTP/2 session; you certainly don't set up a complete HTTP session for each request. But the demultiplexing is not done by the query ID; it's done by the use of the streams of HTTP/2. You know that DoH requires HTTP/2, which means that you have several streams in the session running in parallel, and that's the reason why in the RFC it says that the query ID has to be zero, because you don't need it for demultiplexing. So the server needs to be able to process them in parallel and send answers out of order.

What does it make in practice? That was the theory; now a bit of practice. For DoT, I both tested with actual software on servers, and also I checked with the documentation of the software and some directories, like the one on dnsprivacy.org, that I was correct. So out-of-order DoT works with Google Public DNS; it works with Cloudflare. If you take software, it works with Knot; I believe that Cloudflare uses Knot, which can explain it. But also it works if you have set up BIND. BIND doesn't have DoT today officially, but you can run it behind stunnel or another TLS proxy, and in that case out of order works, apparently. Unfortunately it doesn't work on the Quad9 service, which I believe uses Unbound. It doesn't work on Unbound, and it doesn't work on dnsdist, which is really sad because dnsdist is a very, very good software, very useful, so I will try to ask the dnsdist developer to do something about this. Yes? No, the client is... in that case the client is a stub client and the resolver is Unbound. It works now? Okay, great. So I have to fix the slides. Thank you.

For DoH, well, that's where I had a lot of problems. I was planning to use libcurl to do HTTP/2 with streams, and apparently libcurl is a bit too difficult for me; I have to upgrade my brain. So what I saw is that if you use Google's proprietary protocol, it's DNS over HTTPS, but it's not the official DoH, it works: you can have several HTTP/2 streams and you receive the answers out of order, which is a good thing. I didn't test yet with DoH, and I'm not sure that someone did it. If you have information about this, I'm interested: can we use HTTP/2 streams and have out-of-order answers with DoH resolvers? That's on my to-do list. I'm starting on Monday: there is a new intern starting at AFNIC and he will have to work on this, poor guy.

For performance measurements, we have many tools to measure performance, and some of them have support for DoT and not for DoH. For instance dnsmeter, as far as I saw, has not even TCP, not even plain TCP. dnsperf has DoT but not DoH, but it's quite... it's a good thing. Flamethrower has DoT, and it's very, very efficient if you want to kill a DoT server. So yeah. Okay, not yet officially integrated, okay. So going forward we'll have DoH, hopefully soon. And dnsblast has no TCP at all. So as you see, there are not a lot of actual results yet. I'm planning to work on it. We already developed a small testing tool which will make it easy to do this sort of test, and I'm interested if people here have ideas, proposals, fixes, or want to work on this sort of stuff. Thank you.

Thank you, Stéphane. So, any remarks? Andre? We have eight minutes for questions, remarks, comments.

Hi, Stéphane. This is Andre from ISC. So are you going to publish the test suite and the compliance suite? Because we are going to develop DoH for BIND this year, and I would love... like, if you already tested a lot of this stuff, I would love to have the test suite that I can really use when we are doing the implementation, so we get everything right from the beginning. So are you going to publish this?

Okay, so at this time, what we have is just this list, which is a good idea of the things to test. Some are implemented in a tool which is free software; it's public, it's on a GitLab, but it's very, very alpha at this stage. But in the end the goal is, yes, to publish it and to be able to type a command line, minus minus check, the name of a server, and then you will have an answer like we do for the DNS with tools like Zonemaster.

I suspect some of the other vendors will have some tests too. PowerDNS does, I suspect Knot does, and maybe NLnet Labs too. But it will be good to have somebody outside of all of those test. Anybody else? Peter?

Right, so hi, Stéphane. So internally we're working on a tool as well to do DoH performance testing, but it will use HTTP/2 streams for this as well. And I've talked to the developer earlier this week and we're going to release it at some point, when it's not in the alpha state it is now. So this will come out as well.

Okay, I'm interested in a discussion on sharing of code, and to be sure that we are on the same... we don't have to redevelop if it's not necessary.

Well, it's cool, but multi-vendor efforts are sometimes a bit difficult, at least for me. I think we ended up with a different lib, with nghttp2.

You too? Yeah, okay. Any other question?

It's also that libcurl... I use libcurl currently for DoH, but for DoT everything is done by hand.

So, this time with my DNS-OARC hat: you mentioned dnsperf, and dnsperf is now maintained by OARC. So there's an option to ask Jerry at OARC to add, to implement, support for DoH in dnsperf. So if you can do that, that would be great. So it's not my board hat forcing Jerry to do that, but if you can file an issue for dnsperf, that would be great.

One of the reasons why there are many tools without DoH: first, it's more recent than DoT, that's the first explanation, and also it's more complicated, because you need the entire HTTP/2 machinery, which is quite complicated. So in the end you depend on an external library like nghttp2 or libcurl, which makes you dependent: new problems, new documentation to read, etc. So DoH is a bit more difficult.

Anybody else? Right, then we have ten minutes until the next speaker. Thank you. Thank you.
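The DoT demultiplexing the talk describes (pipelined queries matched to answers by query ID over the 2-byte length-prefixed framing) and the DoH rule that the message ID be zero, as an added Python example that is not the speaker's testing tool; the wire messages, the names slow.example and fast.example, and the out-of-order arrival are constructed inline.

```python
import struct

# Added example, not the speaker's testing tool: DoT framing (RFC 7858,
# 2-byte length prefix) and demultiplexing of pipelined answers by query ID,
# plus the RFC 8484 check that a DoH message carries ID 0.

def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: header with RD set, one question (qtype 1 = A, IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(l)]) + l.encode() for l in name.split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_dot(msg: bytes) -> bytes:
    """DoT (and DNS over TCP) framing: big-endian 2-byte length before each message."""
    return struct.pack("!H", len(msg)) + msg

def demux_dot(stream: bytes, pending: dict) -> list:
    """Split a DoT byte stream into messages and match each answer to a pending
    query by ID; pending maps ID -> name and is drained as answers arrive.
    Returns names in arrival order; a non-response or unknown ID yields None.
    A trailing partial message is left for the next read."""
    out, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        msg = stream[pos + 2:pos + 2 + length]
        if len(msg) < length:
            break
        pos += 2 + length
        qid, flags = struct.unpack("!HH", msg[:4])
        if flags & 0x8000:             # QR bit set: this is a response
            out.append(pending.pop(qid, None))
        else:
            out.append(None)
    return out

def doh_id_ok(msg: bytes) -> bool:
    """RFC 8484 section 4.1: the DNS ID SHOULD be 0 over DoH, because HTTP/2
    streams, not the ID, keep concurrent exchanges apart."""
    return struct.unpack("!H", msg[:2])[0] == 0

def simulate_out_of_order() -> list:
    """Constructed exchange: slow.example (ID 1) is pipelined before
    fast.example (ID 2), but the resolver answers the fast one first."""
    pending = {1: "slow.example", 2: "fast.example"}
    answers = b""
    for qid in (2, 1):                 # constructed arrival order
        reply = bytearray(build_query(qid, pending[qid]))
        reply[2:4] = b"\x81\x80"       # flags: QR, RD, RA set
        answers += frame_dot(bytes(reply))
    return demux_dot(answers, pending)  # expected: fast before slow
```

A resolver that closes the connection after the first answer, or returns answers strictly in request order, shows up here as a drained `pending` map that only empties in the order the queries were sent.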