|author||Paul Frazee <firstname.lastname@example.org>||2018-05-07 13:18:09 -0500|
|committer||Paul Frazee <email@example.com>||2018-05-07 13:18:09 -0500|
Add security-and-privacy section to dns DEP
1 files changed, 25 insertions, 1 deletions
diff --git a/proposals/0000-dns.md b/proposals/0000-dns.md
index ae923fc..5c3b1ce 100644
@@ -91,7 +91,22 @@ The `/.well-known/dat` file must match this schema:
( 'TTL=' [0-9]* )?
+# Security and Privacy
+Two issues to consider:
+ - **Security**: Can we trust the lookup results for a name?
+ - **Privacy**: Who sees the DNS lookups?
+Traditional DNS provides neither security or privacy. All looks occur over plaintext UDP. To provide security, a separate system must authenticate the record. (In the case of HTTPS records, the SSL Certificate provides authentication.)
+Dat does not currently have a DNS authentication record (no equivalent to the SSL certificate). Therefore a lookup using UDP can not be secured.
+To solve this, this DEP recommends using [DNS-over-HTTPS](#dns-over-https).
Until PKI can authenticate the DNS lookups (ie via SSL certificates or equivalent) there is a risk that the DNS lookup will be intercepted by an adversary. To protect against this, the client should use DNS-over-HTTPS to lookup the DNS TXT records.
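Review bot: the new paragraph overstates what DNS-over-HTTPS solves. "To solve this, this DEP recommends using DNS-over-HTTPS" follows a sentence saying Dat has no equivalent of the SSL certificate to authenticate a record, but DNS-over-HTTPS authenticates the resolver, not the TXT record, so the trust problem is moved to the provider rather than solved; consider "To mitigate this" and keep the existing context line's framing ("Until PKI can authenticate the DNS lookups ... there is a risk"). Also fix the wording in the same paragraph: "neither security or privacy" should be "neither security nor privacy", "All looks occur over plaintext UDP" should be "All lookups occur over plaintext UDP", and "can not be secured" should be "cannot be secured".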
@@ -101,6 +116,15 @@ Current providers:
+This solution improves on both the security and privacy of DNS lookup:
+ - **Security**. Requests to the DNS provider are authenticated using the provider's SSL certificate.
+ - **Privacy**. DNS lookups are encrypted on the wire and only made visible to the DNS provider.
+DNS-over-HTTPS still requires trust in the provider to give correct responses, but this is an improvement to UDP DNS lookups, which can be trivially MITMed by malicious actors on the network.
+Whereas traditional DNS leaks name lookups to everyone on the network, DNS-over-HTTPS only reveals them to the DNS provider. This still provides some opportunity for tracking, but the opportunity is reduced to the provider alone.
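Review bot: the Security bullet is backwards about who is authenticated. "Requests to the DNS provider are authenticated using the provider's SSL certificate" describes the client authenticating the provider's identity over TLS; the request and the returned TXT record are not themselves authenticated, which the following sentence ("still requires trust in the provider to give correct responses") already concedes. Suggest "The provider is authenticated by its SSL certificate, so responses cannot be altered in transit by a network attacker" and state that the client must validate that certificate rather than accept any TLS endpoint. The Privacy bullet should also be scoped: the looked-up names are visible only to the provider, but an on-path observer can still see that the client is contacting that DNS provider, so "only made visible to the DNS provider" should refer to the names, not the lookups as a whole.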