Closed Bug 1543811 Opened 5 years ago Closed 3 years ago

EDNS Padding support for encrypted DNS transports

Categories

(Core :: Networking: DNS, enhancement, P3)

66 Branch
enhancement

Tracking

RESOLVED FIXED
95 Branch
Tracking Status
firefox95 --- fixed

People

(Reporter: n-mzbz, Assigned: manuel)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, Whiteboard: [necko-triaged][trr])

Attachments

(3 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

Firefox supports DoH and there is an enhancement request for DoT.
https://bugzilla.mozilla.org/show_bug.cgi?id=1434852
https://bugzilla.mozilla.org/show_bug.cgi?id=1348406

With the availability of encrypted DNS transports in Firefox, traffic analysis mitigations like padding are becoming relevant.

This enhancement request is about adding EDNS padding support to Firefox.

related RFCs:

https://tools.ietf.org/html/rfc8310#section-11.1
https://tools.ietf.org/html/rfc7830
https://tools.ietf.org/html/rfc8467

Type: defect → enhancement

Is this a duplication of bug 1542754, nusenu?

Flags: needinfo?(n-mzbz)

You linked to bug 1542754 which is about supporting ESNI without requiring DoH, I don't see any overlap there.

Flags: needinfo?(n-mzbz)

One more note:

padding could also happen on the HTTP/2 layer as mentioned in
https://tools.ietf.org/html/rfc8484#section-4.1
https://tools.ietf.org/html/rfc7540#section-10.7

I don't think that either RFC 8484 or RFC 7540 define the specifics of the proposed padding.

Moreover, if the goal is to find a good balance between privacy and performance (i.e., don't pad the link to capacity) then the padding should probably be tailored to the respective application, i.e., DNS.

RFC 8467 (mentioned in the description of this bug) seems to describe a specific and reasonable padding strategy.
Specifically section 4.1 "Block-Level Padding" produces query sizes that are multiples of 128 bytes.
Response sizes are multiples of 468 bytes.

Someone could for instance study the DNS queries and responses generated when visiting the top 1,000 websites according to Cisco Umbrella (http://s3-us-west-1.amazonaws.com/umbrella-static/index.html) and get an idea of how much the data overhead would be.
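As an added illustration of the block-level strategy from RFC 8467 section 4.1 referenced in the comment above (this is example code written for this page, not part of the bug, the attached patches, or Firefox's necko implementation, which is C++), the following Python builds a constructed minimal DNS query with an OPT RR and appends an EDNS(0) Padding option (option code 12, RFC 7830) so that the whole message becomes a multiple of the block size. The practitioner detail worth seeing is that the 4-octet option header itself counts toward the block: a message that is already a multiple of 128 before padding still grows to the next block once the option is added. The query-building helper, the sample names, and the transaction ID are constructed values for the demonstration.

```python
import struct

QUERY_BLOCK = 128          # RFC 8467 s4.1: clients pad queries to a multiple of 128 octets
RESPONSE_BLOCK = 468       # RFC 8467 s4.1: servers pad responses to a multiple of 468 octets
OPT_TYPE = 41              # EDNS(0) OPT pseudo-RR type (RFC 6891)
PADDING_OPTION_CODE = 12   # EDNS(0) Padding option code (RFC 7830)
OPTION_HEADER_LEN = 4      # OPTION-CODE (2 octets) + OPTION-LENGTH (2 octets)


def padding_length(unpadded_len, block):
    """Number of zero octets the Padding option must carry so that
    unpadded_len + option header + padding is a multiple of `block`.
    The option header is always added, so an exact multiple pads to the next block."""
    with_header = unpadded_len + OPTION_HEADER_LEN
    return (-with_header) % block


def encode_name(name):
    """Wire-format an owner name as length-prefixed labels plus the root label."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(qname, qtype=1, udp_payload=4096):
    """Constructed query: 12-octet header, one question, one empty OPT RR (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # constructed ID, RD flag set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext RCODE/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt


def _skip_name(msg, pos):
    """Advance past a wire-format name, handling a terminating compression pointer."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # pointer: two octets, ends the name
            return pos + 2
        pos += 1 + length


def _find_opt_rr(msg):
    """Walk the sections and return (offset of OPT RDLEN, end of OPT RDATA)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, rdlen = struct.unpack("!H6xH", msg[pos:pos + 10])  # TYPE, skip CLASS+TTL, RDLEN
        rdlen_offset = pos + 8
        pos += 10 + rdlen
        if rtype == OPT_TYPE:
            return rdlen_offset, pos
    raise ValueError("message carries no OPT RR; EDNS(0) is required for padding")


def add_padding(msg, block):
    """Append a Padding option to the OPT RR so that len(result) is a multiple of `block`."""
    rdlen_offset, rdata_end = _find_opt_rr(msg)
    pad_len = padding_length(len(msg), block)
    option = struct.pack("!HH", PADDING_OPTION_CODE, pad_len) + bytes(pad_len)
    (rdlen,) = struct.unpack("!H", msg[rdlen_offset:rdlen_offset + 2])
    new_rdlen = struct.pack("!H", rdlen + len(option))
    padded = (msg[:rdlen_offset] + new_rdlen
              + msg[rdlen_offset + 2:rdata_end] + option + msg[rdata_end:])
    assert len(padded) % block == 0
    return padded


def padded_sizes(names, block):
    """Set of on-the-wire sizes after padding; shows how many length buckets remain visible."""
    return {len(add_padding(build_query(n), block)) for n in names}


if __name__ == "__main__":
    names = ["example.com", "a.b", "some.very.long.subdomain.example.org"]
    for n in names:
        print(n, len(build_query(n)), "->", len(add_padding(build_query(n), QUERY_BLOCK)))
    print("distinct padded query sizes:", padded_sizes(names, QUERY_BLOCK))
```

The same `add_padding` applies to responses with `RESPONSE_BLOCK`, since a resolver's response also carries the OPT RR; the overhead estimate the comment suggests measuring is simply the difference between the padded and unpadded lengths summed over a capture.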

Priority: -- → P3
Whiteboard: [necko-triaged]
Whiteboard: [necko-triaged] → [necko-triaged][trr]
See Also: → 1604591
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → mbucher
Blocks: 1734165
Blocks: 1734579
Pushed by mbucher@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5b0d115a9b6e
EDNS Padding support for encrypted DNS transports r=necko-reviewers,valentin
https://hg.mozilla.org/integration/autoland/rev/cfdd0fddbce9
Add test cases for EncodeRequest with padding r=necko-reviewers,valentin
https://hg.mozilla.org/integration/autoland/rev/6ee09543a37f
Add integration test case for trr requests with padding r=necko-reviewers,valentin
See Also: 1604591