Good morning. Before we start the next talk: the air conditioning is currently broken, but the hotel is working on it. Our next speaker: everybody in this room is running his software on a daily basis, and I suspect most of you even know about it. Please welcome Mr. Paul Vixie, who is going to tell us about DNS over HTTPS and much more. Thank you, Paul.

Thank you very much, and thank you all for coming. There are two other rooms now, and I'm happy to see that some of you chose this one.

There has been a cold war for control of the DNS resolution path ever since commercialization and privatization of the internet began in the mid 90s, so we're into our third decade of it, and it's heating up, because a lot more people than ever before understand that DNS is the protocol that gets used in order to start most internet transactions. Therefore, if you can see those DNS questions and possibly modify those DNS answers, you can learn a lot about what people are doing. You could maybe change what they do to make whatever they end up doing more advantageous. In other words, money has changed everything, and the trend is accelerating.

So there are some things happening right now. DNS over HTTPS is the debacle of the moment; it occasions this travel, and it was the title I gave you for the program. But there is a broader story, and I want to give you some historical context and also a little bit of future predictions. I plan to use all of my time, and then we can have Q&A in the early part of the break for those of you who actually prefer that sort of thing.

So here we have a bunch of snippets from various terminal windows. On the upper right you see some IPFW rules; that's the firewall in FreeBSD. It may work elsewhere.
That's where I use it, and it's simple enough: it creates a couple of tables and then adds a couple of rules. Basically, if you're already in one of these tables and you're trying to reach TCP port 444 (should be 443, but I didn't want to break HTTPS during my testing): if you're already in the "go" table, then it just lets your SYN packets out, and if you're already in the "no" table, it will stop your packets; that's a TCP reset in this case. If you are trying to do an outbound SYN on port 443, really, which is the port used for HTTPS, then it diverts you to a program, and we really have Whistle Communications to thank for the ability to do all this, because back in the day this is how they did NAT, and we still have the divert capability even though I may be its only user. And as in all firewalls, after we're done perturbing the part we care about, we let everything else through.

So you can see below the traditional read-eval-print loop that's in most programs. Really we're reading things from the divert socket that are essentially raw packets, so the thing that processes that has to start out by saying "is this IPv4 or IPv6?" and it works from there. You can see down at the bottom that there's an ability now to ask questions from something called passive DNS. This is a database; a lot of people have them.
I have one. It's just made up of cache-miss traffic from large populations, and it means that you can do the interesting cross-reference task that has not been possible given the demise of PTR records in the DNS. In other words, if you want to know what are all of the names that have recently pointed at a certain address, there is a way to find out. It's performant enough to be used inline like this, and you can see the pseudocode there. The logic of that particular input routine is to just do an enumeration attack against an IP address: try every name that has been seen pointed to that IP address as an SNI, as a Host keyword in an HTTPS transaction, and find out if it answers the DNS over HTTPS service, which would be /dns-query; that's in RFC 8484. And then, based on that, put that address into one of the two tables that you see again in the upper right. Toward the middle of the left you'll see an example of the sort of debugging output that you get when you try to do that telnet that's at the top.

So anyway, I was thinking I would do a live demo, but that would take longer than this explanation. What you, if you're a sane, normal-for-this-room person, should be thinking right now is: why would I ever do something like this? It's complicated. It's gonna break. It's gonna create problems. What could its purpose possibly be?
Let me explain. This is the DNS architecture as created in the mid 80s, and more or less as it still is today. I can't think of another system that has grown nine orders of magnitude without having to change its fundamental architecture in any way, unless it's IP itself, and we could argue with IPv6 that it didn't.

So briefly, what's happening: I know that at least half of you are experts on this, but for the other half I'll just say data has to get into the DNS from outside the DNS, and it does that at the top of this diagram, in the authority servers. Usually, if you're running BIND or NSD or something like that, there'll be a zone file that gets read and then offered over the DNS protocol; its contents are then available for queries. So the answers are coming in from the top; the questions are coming in from the bottom. They come from our applications, our devices, our IoT devices, us perhaps, if we're still typing host names rather than clicking on links. They go through what is called a stub resolver, which starts out knowing only one thing, which is the address of the server it should use to actually get DNS service, and that's the box in the middle. So the questions come up, the answers come down. They meet in the middle, and that middle thing is where all of the complexity, most of the danger, most of the money to be made, and all the vulnerabilities in this system have come.

Now, to credit the original creator here, that cache on the left is what has made it possible for this architecture to scale nine orders of magnitude. So what's happening there is, if you're signed on to the Wi-Fi here, you're using the recursive name server that was assigned to you with DHCP, and you ask a question that somebody else on that Wi-Fi has recently asked. Chances are good.
You're gonna get a copy of the answer they got, maybe with a smaller time-to-live field, because it does expire at some point. But the fact that not every query has to go all the way to the top of this diagram is the reason that we're still using DNS now that we have billions of users instead of thousands of users.

Finally, since we are in GDPR land, I want to say that according to me, my analysis of it, and according to a number of lawyers I've consulted, including the lawyers inside of some European telcos and universities, also Japanese universities and American universities, the thing on the bottom, transactions between your phone or laptop or virtual server and its recursive server, is personally identifiable information, because that device can be tied, the IP address you're sending from can be tied, to an individual, and because the information you're asking for is third-party, it demonstrates a third-party intent on your part. You're not just asking some web server for something that it has, which is unavoidable; you're actually trusting somebody to know what third party you intend to visit next. And this analysis is much older than GDPR. I knew that there was PII down there, and so in all of my DNS analysis we only look at the links between the middle and top box. I don't want any PII to enter my analysis. I am lonely in that position, by the way.

So this is kind of still the topology. I mean, there's a lot of variation as far as which fiber-to-the-home gateway or which mobile telephone company you might be going through, but pretty much you've got a LAN, even if it's Wi-Fi now. You've got users and apps, and they're on that LAN, and you have maybe a campus or maybe your apartment, and you have some ISP. Now, from my point of view, working on DNS since the late 80s, I have watched that middle box, that recursive name server, move further and further away from the users and applications who depend on it.
We used to have one on our LAN. It would be running on maybe a VAX 750 or something like that, and so our cache was very close to us. This turned out to be very important for negative answers, because knowing that something is not going to work is actually a huge performance leading indicator. In other words, the faster you find out that that DNS lookup is for something that doesn't exist, the faster you can get on to useful work. So changing that from a one-millisecond latency on your LAN to a 25-millisecond latency on the far end of the internet, if 25 milliseconds, if you're lucky, will change how many transactions per second, and really every click of every web browser is a transaction in this sense.

Anyway, it moved out of the LAN over to the campus, and then from there to the ISP. Once we started doing commercialization and privatization, a lot of people came into the internet who did not want to run a name server; they just wanted an internet connection for whatever reason, and they expected the ISP to provide things like recursive name service. But that is now under fire. All of this is under fire, because there's money to be made moving it even further away.

So the first major battle in the war for control over the DNS resolution path was when Verisign, who's in the DNS business, made a deal with Site Finder, in the advertising business, and said: what if we could direct a whole bunch of traffic towards some address and tell you in a side channel what name they thought they were using when they reached your address, so that you could then craft an advertisement, so that somebody who went to, you know, typographical-error.com would end up at the Site Finder advertising server seeing whatever set of ads you thought was appropriate for the typographical error they had made? And then, both being large corporate persons,
they both thought this was a fine plan, so they did that. Therefore there was a wildcard at the apex of .com, which meant that you could no longer get a negative answer from them, because if a wildcard exists then nothing doesn't exist; it will synthesize an answer for whatever question you may ask. Actually, I think that's a poor design for wildcarding, and a lot of people have had a lot of wishes that it had been otherwise, but that's what we've got.

So there was a huge outcry over this, because this is the early 2000s, not everybody was using every .com name for web the way they pretty much do now. Statistically, now it's likely that if you're making a DNS transaction, it's because you intend to connect to an HTTPS server, but there's still a small marginal population who makes queries for the purpose of reaching an SMTP server or an NTP server or something else, and what happened in this case is that the server that they were returning the address of had to find a way to constructively reject everything that was coming to it as a result of that wildcard. But there were also huge privacy problems. This was really a gigantic uproar.
So at ISC, my non-profit at that time, we were responsible for BIND, since the Berkeley team had kind of let go of it in the late 80s. So we added a feature called delegation-only, so that we could actually just say in the recursive server: if you get an A record from the .com servers, you actually get an answer instead of some NS records pointing you at a different server, then that's an error, and you should pretend that you had gotten a negative answer. In other words, we restored service, and we did this rapidly; it took about 40 hours. And then somebody immediately said "lawsuit", and so we changed it to be delegation-only-except. In other words, instead of enumerating in your config file the top-level domains you would treat this way, you instead had to enumerate the top-level domains that you would not treat this way, and that way somebody who was recommending that you add this configuration was not guilty of conspiracy in restraint of trade, as they called it. We had this in BIND 9, and a bunch of people demanded it in BIND 8, because for whatever reason they were still running it.

And then there were lawsuits. As a member of the ICANN Security and Stability Committee, I was sued along with every other member. They didn't actually intend any harm against me; I knew people at Verisign then, I know people at Verisign now. But they needed this to be a conspiracy in restraint of trade. They couldn't just go after one party; there had to be a whole bunch of people working together or the law didn't apply. So Olaf Kolkman made some very cool T-shirts, and I don't know where mine is, but I am a "very crime" Site Finder accredited co-conspirator. And the lawsuit ended as lawsuits do: they settled out of court for terms undisclosed, and a lot of us were left wondering, was this just a game? Was this them trying to set themselves up for the next renegotiation of the .com contract, so that they could get more money per year per domain name? You know, because again, corporate persons have broad and tangled agendas.

Anyway, there were skirmishes before this. Any time somebody intends to move into territory, there are scouting expeditions, and so there had been all kinds of advertising redirection happening at the ISP level. There were companies that were selling modified versions of BIND that had this feature, if you want to call it that, added to it, and the reason was simply that the ISP market was a race to the bottom; the margins were very thin. They famously said that if you were AOL and any customer ever called your support help desk for any reason, then you would never make a profit off of that customer, no matter how long they stayed a member of AOL. So that's the situation they were in; therefore anything that they could scrape money off the side of as it went by, they did, and this DNS thing was a big deal, but this was really the first time it reached the level of newspaper headlines.

So OpenDNS came into existence at about that time, sometime in the mid-early 2000s, late-mid, I don't know, somewhere in there, and they said, you know, there's no reason to do recursive name service on the LAN or in the ISP. We could do it as an anycast service and just put servers west coast, east coast, Europe, etc., and people could just bypass their ISP and use us for their recursive name service. And I of course thought, well, nobody would be dumb enough to do that, but I was wrong. They got a lot of customers. At one point I remember them saying that they had 21 million daily IP addresses hitting their services, and that was back then, at a time that Comcast was only claiming 18 million. So it gives you an idea about how you can get everybody in the world to send you their data and think that you're doing them a favor. Wow, I was not ready to be part of that revolution.
Let me tell you. And they did the normal set of things that smart companies do: they tried something. They didn't care how controversial it was, because it turns out that even bad publicity is better than no publicity. Their question was: is this going to help us grow the company? And if it didn't, then they failed fast. They got out of that business, tried something else.

So the first thing they tried is that advertising redirection thing that I told you about. They would look at the name that you asked for, not just in .com but any name you asked for, and see, number one, does it exist? Because if it does, they're going to give you that answer. But if it doesn't, oh boy, they could do all kinds of stuff. Machine learning was not a marketable term at the time, so I'm not sure what they called it when speaking to investors, but they had all kinds of fancy ways to see if there was somebody who had bought some advertising keyword that corresponded to the name that you had asked for that didn't exist, and then they would send you to an ad service that would offer you something about that. It didn't make the money, so they stopped doing it.

They tried something else. They still wanted to be in the ad business, and they said, gee, there's this new Google thing. Let's intercept www.google.com. So when people asked for that, instead of getting a Google address they got an OpenDNS address. And they didn't lie.
They didn't show the Google logo on the search page, so that you knew that you had been redirected. And they didn't steal, exactly, because after you typed in your keywords they would then redirect you to Google, so the next thing you saw after hitting the "I'm feeling lucky" button was the Google answer to your question. They did not data-mine the answers that you got from Google. What they wanted to do was to associate the keywords you had asked for with your IP address, so that they could figure out how to help other people sell you targeted ads. And if you're wondering why Google decided to enter the DNS business and create 8.8.8.8, it was the same month. So one could view this as a happy accident for Google, because they get a lot of benefit from running that, but I don't believe that that was their plan until OpenDNS did this.

So what you're seeing here is a lot of ambition, a lot of innovation applied to the task of making companies more successful so that their investors will be happier. And finally I want to say that, you know, we've got 1.1 now, which is Cloudflare, and we've got 9.9, which really is IBM, and 8.8 of course. There are 200 more addresses out there that are N-dot-N-dot-N-dot-N. You know, you should think about whether this is going to be your retirement, to go set up a service like this and sell ads. Actually, don't.

So the next problem that we faced was due to the wide success of 8.8 and OpenDNS and who knows how many other wide-area anycasted recursive servers there were. Something that the content delivery networks had been doing stopped working. They were using the source address of the cache-miss transaction that came from your recursive name server, because it had to go to their authority server; therefore they knew the IP address of the recursive name server that you were using, and they could use the topology of that name server, in other words, where is it in the world, or where is it at least on the network: is it in
Europe, northern or southern? Is it, you know, in Asia, is it in South America, North America? And that way, if they had mirrors of the content you wanted that were everywhere in the world, they could use the source IP address of the cache miss from your recursive server to decide which of the mirror servers that could answer you should answer you. I have always called this "stupid DNS tricks", and if you Google that term you'll find an article in ACM Queue written by me about that. Nevertheless, it stopped working, because the topology of whichever recursive name server you were now using was now far across the internet from you and could no longer be used as any kind of predictor, or at least not a good predictor, of where your subsequent web fetch was going to come from. Since this was the principal marketing advantage that they had when trying to sell CDN services, you might imagine that there was a bit of a panic.

So they said: what we really need you to do is add the end user's IP address subnet to the cache miss, so that when we receive a cache miss from OpenDNS or Google or what have you, we will know what network the end user is on that you are serving in that case. This is bizarre, because it's an information leak, and it's telling more people than need to know who you are and when you did something. And the IETF predictably said, you know, this is a business problem that you created by having a CDN. Why don't you solve it without adding complexity?
So they did not do that. They created EDNS Client Subnet as a private extension that was then widely adopted by all of the recursive name server operators, because they didn't want it to be known that, gee, if you use 8.8, then you won't get good web service from all the people that aren't Google. And the web people didn't want it to be known that they didn't actually know where you were, which server you should be getting service from. So they were powerfully incentivized to create the system anyway, and then after they did so, they came back to the IETF and said: okay, you said no, we did it anyway, now it's in broad use. Would you like to have it documented as an RFC, or would you just like this to be a text file somewhere? And at that point the IETF did what they had to do, which was to fold their tent and say, I guess you win. And that is how you get large populations of people who don't want to cooperate to cooperate. It's a textbook example. I've used it myself, although I like to think in service of better ethics than that.

I do want to say the EDNS Client Subnet thing is a disaster for privacy, because while you're supposed to include only the network, like say the class C, or /56 if it's IPv6, a huge number of middle-box vendors did not read that part of the specification, and they include the entire /32 or the entire /128. And I know this because I am one of the operators of the C root server at Cogent Communications, and so I have seen it. So the number of people who are having their entire address leaked is high enough that it would be really disturbing if it were published about, which is why I'm working with the DNS-OARC people to publish about it.

So this is the new topology, which is where you go all the way out to the internet, through your LAN, your campus, your ISP, and out to the far side of the internet to talk to a recursive server, who then includes your IP address when they have to go down to the CDN, so that that CDN will know which corner of the internet you are probably coming from, because you could no longer tell, because the original architecture of the DNS was not monetizable enough by these folks.

Now, at the time, DNS was not encrypted. In other words, everything that I just described was either a UDP packet in clear text or a TCP session in clear text, and it was possible for anybody in that long string of pearls between you and those other endpoints to find out exactly what you were looking at, and if they were fast enough or if they were on path, they could cause you to receive the wrong answer. And a number of different initiatives have gone on to try and solve that problem. DNSSEC, for example, I think just turned 25 years old and has almost 5% penetration of the market, so we'll see how that goes. But with DNSSEC we didn't make anything more private; we just made it more authentic. So when DNSSEC is used, you're still speaking clear text; it's just that the answer includes digital signatures, which you can verify against published keys to make sure that you know when you've been lied to. So that was good, but it wasn't good enough, especially after the Snowden disclosures.

So, more or less triggered by the Snowden flight to Hong Kong and the subsequent disclosures, the Internet Activities Board, who are the putative grown-ups at the IETF, said, and wrote an RFC about this, they said: all right.
That's it, game over. Everything has to be encrypted now; no new protocols in clear text, and everybody go fix the existing protocols. And, you know, that may or may not have been an overreaction, but it was certainly a gateway to the current circumstance; that is the excuse people had to do the things they've done.

Now, before that happened, Dan Bernstein had tried to solve this problem with something called DNSCrypt, but there didn't seem to be an obvious call for it, and it was pretty hard to understand, so it never really caught on. But after the Snowden disclosures, the DNS working group said, all right, we need a special working group just for this, which is DPRIVE, I think, and we're going to make the DNS protocol encrypted. And they did this only for the TCP side. There is a datagram TLS standard, but nobody uses it. I don't know why it got to be standardized if nobody was going to use it, but nevertheless nobody uses it, so we don't have this for UDP. But at least DNS over TLS on TCP now works, and speaking as somebody who has implemented the DNS over TCP port 53 protocol a few times and defended against any number of attacks against it, I can tell you that the old DNS TCP protocol was terrible, and there was no way to keep it working under even the slightest attack. You know, a Perl script that I could type on one line of the shell can bring down the TCP portion of any DNS over port 53 server. So I was glad to see it get worked on.

My only request to the team who did work on it, on DPRIVE, for DNS over TLS, was: please get a new port number, because there are so many servers who will not be able to negotiate from the old protocol to the new protocol, and I really don't want to cause widespread brokenness. And so they did listen to me on that, and everything else they did, they did well. We are in a position now where we've got a TCP protocol that is so good that we could use it persistently. That means that your phone could maintain a TCP connection to its recursive name server all day long and not have to negotiate TCP and TLS and so forth for every query, as it does now. So this is really a great advancement.

However, it was not enough for the web people. They interpreted the Internet Activities Board's RFC about the Snowden disclosures differently than the DNS working group had done. Web people said: part of privacy is that no one can see what you're doing, including that no one can tell that you're making a DNS lookup. So they crafted something called DNS over HTTPS, which is now making the rounds. So I'm gonna talk a little more about that, but let me start out by saying that by putting it on this port they have mixed it in with all of the other traffic that we see, right? Because almost everything uses TCP 443; I don't get a lot of TCP 80 traffic in my NetFlows anymore. And they did this deliberately. There is a line in the introductory paragraph of RFC 8484 that says this protocol was designed to prevent interference by on-path actors in DNS operations. And so it's not unblockable by accident. It has no features that DNS over TLS didn't already have a year earlier, except that it is designed to prevent interference by on-path attackers, such as a system administrator, network administrator, parental controls device or CISO, or authoritarian government, I suppose. So let me go through that.
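Going back to the EDNS Client Subnet leak mentioned a few minutes ago: whether a captured query carries a whole client address instead of a /24 or /56 can be checked mechanically. The following is an added example, not code from the talk; the query it builds and the client addresses in it are constructed, the /24 and /56 limits are the ones the talk names, and the wire layout follows RFC 7871 (EDNS option code 8).

```python
"""Added example (not from the talk): detect an EDNS Client Subnet option
(RFC 7871, EDNS option code 8) that forwards the client's whole address,
i.e. a source prefix longer than /24 for IPv4 or /56 for IPv6.
A sample query carrying such an option is constructed inline so the check
runs offline; the DNS message is parsed by hand."""
import ipaddress
import struct
from typing import Optional, Tuple

ECS_OPTION_CODE = 8
MAX_OK_PREFIX = {1: 24, 2: 56}      # address family -> longest acceptable source prefix
FAMILY_BYTES = {1: 4, 2: 16}        # address family -> full address length in bytes


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length


def find_ecs(msg: bytes) -> Optional[Tuple[int, int, int, bytes]]:
    """Return (family, source_prefix, scope_prefix, address_bytes) from the
    ECS option inside the OPT RR, or None when the message carries none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                      # question section: name + type + class
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):            # answer, authority, additional sections
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != 41:                      # 41 = OPT
            continue
        pos = 0
        while pos + 4 <= len(rdata):         # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            odata = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == ECS_OPTION_CODE and len(odata) >= 4:
                family, src, scope = struct.unpack("!HBB", odata[:4])
                return family, src, scope, odata[4:]
    return None


def ecs_leak(msg: bytes) -> Optional[str]:
    """Verdict for the ECS option in msg: None if there is no ECS option,
    'ok' if it respects the /24 or /56 convention, otherwise what leaked."""
    ecs = find_ecs(msg)
    if ecs is None:
        return None
    family, src, _scope, addr = ecs
    limit = MAX_OK_PREFIX.get(family)
    if limit is None:
        return f"unknown address family {family}"
    # RFC 7871 sends only ceil(prefix/8) address bytes; pad back to full length.
    padded = addr.ljust(FAMILY_BYTES[family], b"\x00")[:FAMILY_BYTES[family]]
    net = ipaddress.ip_network(f"{ipaddress.ip_address(padded)}/{src}", strict=False)
    return "ok" if src <= limit else f"leaks full client address: {net}"


def build_query_with_ecs(family: int, prefix: int, address: str) -> bytes:
    """Constructed sample: 'A? www.example.com' whose OPT RR carries ECS for
    address/prefix, exactly as a resolver or middle box would forward it."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    addr_bytes = ipaddress.ip_address(address).packed[:(prefix + 7) // 8]
    option = struct.pack("!HBB", family, prefix, 0) + addr_bytes       # scope prefix 0 in a query
    rdata = struct.pack("!HH", ECS_OPTION_CODE, len(option)) + option
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return header + question + opt_rr


if __name__ == "__main__":
    # Constructed client addresses from documentation ranges.
    samples = [
        ("/24",  build_query_with_ecs(1, 24, "203.0.113.77")),
        ("/32",  build_query_with_ecs(1, 32, "203.0.113.77")),
        ("/56",  build_query_with_ecs(2, 56, "2001:db8::1")),
        ("/128", build_query_with_ecs(2, 128, "2001:db8::1")),
    ]
    for label, query in samples:
        print(f"ECS {label}: {ecs_leak(query)}")
```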
I do want to say, public service announcement: this business of monitoring your own DNS and possibly telling your DNS that certain truths ought to be withheld from your smartphone or your home Wi-Fi really does work, and I have been part of two open-source, open-protocol, unpatented, completely free to you, you don't owe anybody a nickel if you use them, protocols for both getting telemetry out of your server and inserting policy into it, all under programmatic control. So if you don't know about dnstap, or if you don't know about the response policy zone DNS firewall, which is DNS RPZ, and you take nothing else away from this presentation, I hope you'll at least Google those things. Every open-source name server that you can find supports both, so you don't have to change what name server you're running or anything else. These are things we should all be doing that the DoH community thinks that we should not be doing.

So first I want to say this is a political project. When you argue about whether something can be blocked, you're not making a technical statement.
You're making a political statement. You're talking about what people should be allowed to do, because the technical problem is already solved. TLS is the underlying crypto protocol of HTTPS, so nobody could argue that either one has stronger crypto. The difference is that one can be stopped at the firewall and the other one can't, and if you developed a protocol with that in mind, that is a political project, not unlike Tor, although Tor has a lot of very fine technologists.

So it's a big lie. The justification that this will somehow keep you out of jail in an authoritarian regime, that you can now be a dissident and operate freely without worrying about having your door kicked in, is totally not true, because if you think about the powers of an on-path attacker, they are in the position to run tcpdump on your house. And so, yeah, they'll see that you had a couple of packets on port 443 to some server that, you know, maybe it supports DoH, maybe they think it could support DoH, maybe it doesn't support DoH, but either way they can't decrypt it anymore, and so you're safe as far as them reading your DNS transaction. However, unless you're using a VPN, the very next thing you're gonna do is send a TCP SYN packet to some IP address, or some other packet to some IP address, and because IPsec, even if it were used, only encrypts the payload, not the headers, because the routers have to be able to see these addresses, right?
So they know what your answer was by what you do next, and trivial data science applied to that will tell them what your question had to be. So you get no actual privacy from a nation-state attacker, and the idea that you would or that you could is crazy. And so I view that as a big lie being used to sell something that is going to do more harm globally than good, ever.

There are other problems. If you have local naming, then the devices that use DoH won't know about that. I realize local naming is not in broad use, but it is still in some use, and now a number of people are gonna be coming to the corporate help desk saying, I can't reach the cafeteria anymore. Well, that's because you're not using my DNS server, and I'm the only one in the world who knows where your cafeteria is.

So I'm gonna hurry this up a little bit. I've got 10 minutes, I was just told. So I understand that there is a lot of goodwill, and that trying to help people in authoritarian regimes does not make you evil. On the other hand, if the global cost is going to be felt more harshly by people who are on your side, it means you didn't think through the game theory of what you were working on. And what this will actually lead to is full proxy. A lot of networks that used to allow HTTPS outbound because they could intercept it,
they could inspect it, they could look for patterns of malware or what have you, are now, in the face of TLS 1.3 and encrypted SNIs, just gonna have to insist that everything go through a proxy, and that all data be decrypted and strip-searched at the door. This turns out to be illegal in some countries, like Germany, and it's illegal for some websites in other countries. For example, if you're an employee using the company's equipment in Britain, Great Britain, and you visit your online banking site and they see what you did, then they've broken the law. So this really is the biggest culture war the internet has had yet.

But I've got to say, I'm still responsible for the traffic that leaves my network. I established that principle when I started the first anti-spam company back in the mid 90s. People would say, oh, that's my customer, they're doing that, I can't stop them. Actually, it's coming from you, and I can stop you, so you've got to choose which of those you want to have happen. And people gradually learned that they will be held responsible for the emissions of their network. The chemical polluter business model, of just putting your factory by the river and letting the people downstream cope as best they can, was stopped, but now it has restarted. I don't have a choice about what leaves my network, and it's going to get worse.

Because there are still questions, and it turns out that the web relies on advertising, and so their technology optimizes for that first and foremost. And if they can include the DNS relationships that you will need to fetch the accompanying JavaScript files or style files or pictures or whatever it is,
they can include all that DNS information in meta headers. Then you don't have to make any questions, and they can get the time to your eyeball meeting the first photon of the next ad down to the theoretical minimum. They're not going to include any DNSSEC information here, which means that website defacements that add bitcoin mining to what was otherwise a safe website to visit will now start bitcoin miners in your browser, without giving the local network administrator any opportunity to have monitored the transactions that led to that, or perhaps to filter them out. They call this BeyondCorp, the perimeterless network.

Mozilla has taken this seriously; they have implemented it and they are now turning it on by default. They're not asking their users in North America if they want to use DoH to Cloudflare; they're just flipping the switch. They say that they have a contracted place with Cloudflare that makes that safe. I say they're a nonprofit public-benefit charity, and I shouldn't have to opt out of something that they have chosen for me.

The Google approach with Chrome is that they will use DoH to your system resolver if they think they know a URL that would get the same answer. If you're using 8.8.8.8, they will switch that from old DNS to new DNS and do it in the browser rather than asking the system resolver. But if you're using a name server that Google doesn't recognize, they don't do that. It's very hard to be in a world where Google is the hero.

Up until the publication of RFC 8484, the internet was a cooperative network.
You had to speak the protocol that the other side expected or you couldn't communicate. You had to respect global identifier assignments like IP addresses and domain names. And you could withdraw your participation, as I did with the first anti-spam project. You could, in other words, as any of the actors named on this slide, move the gap in your particular line segment up or down in order to say that communication is not welcome here. Now we have an RFC that explains how you can get yourself heard even if somebody else wishes to withdraw their consent. That's a brave new world.

So, you know, giving people bad choices and letting them pick the least bad, all of which will be good for you, is tried and true, and that is the way politics has always been practiced in the history books I read. And that's what's happening here. They are expecting me to choose from the menu that I've given on this slide, and I'm going to do something that isn't that. I'm going to make my own way, because consent matters. I still think that all communications should be consensual, and I'm not ready to change that because a product manager at the Mozilla Corporation thinks I should, or Cloudflare thinks I should.

So that odd-looking demo I gave you is something that is actually mostly, half-assed, working. I'll see how I can get it working if anyone wants to see it. It's obviously a prototype.
This will have a long way to go before it's commercial-strength, but the idea of doing an enumeration attack against an IP address's HTTPS server, to find out if any of the names that have been seen pointing at it support the DoH protocol, and then blacklisting that address, works.

There's been a change in patent law in the US; prior art is nowhere near as powerful as it once was, and first-to-file is the new regime. So I filed a patent on this, which I will be releasing to the community under the usual "if you don't sue me, then you get to use my patent" rules, because first-to-file was the one that was going to have the right to determine who got to do this. So it was me.

So I said this, which seemed reasonable at the time and even seems reasonable in retrospect, to a reporter earlier this week, and they published it, and as part of publishing it they asked Mozilla and Cloudflare for comments. And what each of them said is, "There's nothing to see here, move along. We understood there was a problem and we have solved it." You know, we all deal with a lot of corporate persons in our lives, and we know when misdirection and redirection is being applied. And we also know, some of you anyway know, that it takes at least an order of magnitude more energy to combat bullshit than to generate it. So I'm not sure how far I'm going to go in this discussion with these particular people. I am very happy that GDPR is something that they are afraid of, so at least here in this country I don't think Mozilla is going to be turning this on by default.

But here's the issue. I have never used eBay from my NetBSD email account. Therefore the fact that there is an image that contains both the eBay logo and my NetBSD login means that I have been spammed by somebody who's trying to steal from me. And I need the right and the capability to make sure that all devices, including Mozilla browsers, IoT light bulbs, everything on my network, check with my filtering before they decide to contact that DNS server.
That is a net good for the world, that I have that ability and that others also have that ability. So the idea that somehow we're going to treat parents and CISOs the same way we treat authoritarian regimes was wrong on the face of it, and somebody early on in the planning part of DoH should have said, "But wait, what if this is evil?" Those are the old days.

So I understand that we've all got stuff to do on any given day. We've got to add a feature or fix a bug, ship a product, upgrade something, whatever it is we've got to do; that's what we get paid for. And trying to think about every butterfly effect that could possibly happen in the future as a result of what we've got to do today would paralyze any of us, and so we don't; we are selective about how we go about worrying about side effects when we're deploying something. And that's natural. There's nothing particularly evil about that unless you give it no thought whatsoever, which clearly is happening.

And you know, DNS is a distributed, coherent, reliable, autonomous, hierarchical database. It is the first of its kind, and now that I see how the world treats it I'm suspecting that it will be the last of its kind. Nothing else like this will be allowed to exist. And while I really cherish my role trying to keep the thing running, writing code, writing RFCs, running servers, I've got to say that it's a wonderful problem to have. It's N-dimensional puzzle solving, where the puzzles and the number of dimensions are changing as you're solving it, which is just totally cool. But I would love it if the people who are making it harder would stop doing that, because it was hard enough before they came.

So what we're seeing in our politics today is a lot of polarization, a lot of extremism, a lot of fact-free attestations, and this is brutal. Now in our world our consent is not being asked for. We're being told what the devices and apps in our possession are going to do, maybe, if we ask, or preferably we're not being told, because we don't need to know.

There's a big argument about the freedom to tinker, and if we don't get up on our hind legs and put fists in our hands, we're going to have the network that Minitel, or some X.400/X.25 provider, wanted us to have all along, where there are powerful corporations who control the protocols and they control the activities, and we are their customers and perhaps their servants. I will not go into that good night quietly. Thank you very much for coming. I'm open for questions.

It really is the break; for those of you willing to give up the break, we can do two, three, four, five questions. If you have one, please come up to this microphone, which is not on yet, is it?

Hi Paul. Thanks very much for giving us a historical perspective as well as the technical detail in the ongoing discussion. I wonder where the outcry of the corporate world is, because as far as I know, if I'm not completely mistaken, DoH will completely break any corporate network that relies on Active Directory, because it's mandatory that all the client applications use the domain controllers as their local resolvers. Unless all that nicely integrated Kerberos holds up, which Microsoft actually does quite well, it breaks.

So the various corporate people who have been made aware of this have certainly said what you said, you know, "I've got compliance issues that I can no longer meet with this." Certainly the CEO of British Telecom ought to be worried about going to jail if he can no longer follow the UK law about the various online child abuse preventions that are required of his network by the federal law there. The parental-controls people are also up in arms about it. Sadly, what we're getting from the corporate PR people at the companies who want to push this on us is a lot of simplistic ignorance, like, "Well, you've got the ability to control the configuration of Mozilla through some sort of group permissions or whatever, so just use that, and then we won't ever turn it on, because you will have told us in your corporate controls not to do that."

As we in this room know, that does not address the BYOD problem, which is not well solved anyway. And somebody coming from home with their name servers set to the wrong thing used to have it not work unless they fixed it to use the corporate name servers once they went on the Wi-Fi; now it'll work just fine. And that was maybe not the explicit intent, but it's an outcome that is allowed for by the explicit intents that have been stated.

So what I predict is going to happen is that once we have TLS 1.3 with encrypted SNI, the traditional HTTPS passive, or sort of transparent, interception that's been done on outbound connections by the Palo Alto Networks firewall, for example, and other next-generation firewalls, is going to stop working. At which point they're going to move to a model that requires that the proxy be explicitly set; otherwise you can't get out on this protocol. This is going to be hugely expensive, especially for embedded controllers and IoT and industrial control, where they don't give you a setting for "what should my proxy be". There's nothing in the DHCP assignment that tells you, "By the way, you need a web proxy," but I suspect that they're going to be pushing for that fairly soon. The other thing they're going to be doing is forcing a fallback to TLS 1.1, where transparent interception is still possible. So I know that it's going to be very expensive and that there's going to be a lot of people hurt by it. And I know that the corporate people I've talked to are usually surprised; they have not heard that this risk is coming. That's why I travel.

If you permit me one more: this is all about internet-facing traffic, but if DoH gets deployed into corporate networks with operators not knowing it, it will break local service discovery and all that fancy domain single sign-on for all those internet web applications, ERP systems and whatever you have there; all hell will be breaking loose.
Yes, and I don't see this anywhere on the radar.

I've raised this, trust me, right? I have tried to secure such networks, and I sell services to people who secure such networks, and so that's very much on my lips to say: all hell is going to break loose. Sadly, the people who are pushing this are by and large 20-somethings who have not tried to secure networks like that. What they've told me is that the network hasn't had a perimeter for a long time, and you've been living on borrowed time, and you should just remove your firewall and put all of your security in the endpoint. And what I've tried to explain is, the last network that works that way might be turned off 50 years from now, but that's optimistic, and we can't just throw the poison into the room and say, "Okay, cope with that." Right? You know, we needed some kind of a public conversation about this, and instead what we're getting is unilateralism from a bunch of political activists. So right now I am contributing to the polarization of the debate. I don't know how to stop, but I will stop, because we have to seek a common future. There's a project, encrypted-dns.org, that a number of companies, some on each side of that question, have all agreed to join so that we can have discussions, write position papers, meet in person, perhaps with Nerf baseball bats. I don't know what that will be, because we all agree that this should be encrypted; we don't agree about what side effects are acceptable or desirable. I'm really sorry about that; the TTL for the slot expired. Thank you.

Great honor to have you here. Thank you.

The greater honor to be invited. Thank you.
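The enumeration idea the talk describes (take an address, probe the names that have been seen pointing at it for RFC 8484 DoH support, and deny the address if any of them answers), written here as an added example that is not the speaker's prototype or any project's code. The hostnames, the fake transport that stands in for the network, and the single probed name are assumptions for the demo; a real fetcher would open TLS to the address with SNI set to each candidate name, and the passive-DNS lookup that supplies the names is replaced by a constructed list.

```python
import base64
import struct
from typing import Callable, List, Tuple

DNS_MESSAGE = "application/dns-message"
# fetch(ip, url) -> (status, content_type, body); a real one connects to ip with TLS SNI set to the host.
Fetcher = Callable[[str, str], Tuple[int, str, bytes]]

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 wire query: ID 0 (as RFC 8484 suggests for cache friendliness), RD bit set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_url(host: str, query: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET form: base64url-encoded message, padding stripped, in the 'dns' query parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{host}{path}?dns={encoded}"

def looks_like_doh(status: int, ctype: str, body: bytes) -> bool:
    """A DoH endpoint answers 200 with application/dns-message and a DNS header whose QR bit is set."""
    media = ctype.split(";")[0].strip().lower()
    return status == 200 and media == DNS_MESSAGE and len(body) >= 12 and bool(body[2] & 0x80)

def find_doh_names(ip: str, names: List[str], fetch: Fetcher) -> List[str]:
    """Probe every name seen pointing at ip (passive DNS would supply them); return those serving DoH.
    One hit is enough, under the talk's policy, to put ip in the firewall's deny table."""
    query = build_query("example.com.")
    hits = []
    for host in names:
        try:
            status, ctype, body = fetch(ip, doh_url(host, query))
        except OSError:  # unreachable or TLS failure is not evidence of DoH
            continue
        if looks_like_doh(status, ctype, body):
            hits.append(host)
    return hits

def fake_fetch(ip: str, url: str) -> Tuple[int, str, bytes]:
    """Constructed stand-in for the network: one name answers DoH, one serves HTML, one is dead."""
    host = url.split("/")[2]
    if host == "dns.resolver.example":
        reply = struct.pack("!HHHHHH", 0, 0x8180, 1, 0, 0, 0) + build_query("example.com.")[12:]
        return 200, DNS_MESSAGE, reply
    if host == "www.resolver.example":
        return 200, "text/html; charset=utf-8", b"<html>not a resolver</html>"
    raise OSError("constructed: no such host")

if __name__ == "__main__":
    seen = ["www.resolver.example", "dns.resolver.example", "old.resolver.example"]
    print(find_doh_names("192.0.2.10", seen, fake_fetch))  # ['dns.resolver.example']
```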