PRIVACY POLICY FOR DNS SERVER NOMINATION

IP.com Disclosure Number: IPCOM000238669D
Publication Date: 2014-Sep-10
Document File: 4 page(s) / 61K

Publishing Venue

The IP.com Prior Art Database

Related People

Tirumaleswar Reddy: AUTHOR [+3]

Abstract

Techniques are presented to use a Domain Name Server (DNS) privacy policy for identifying legitimate DNS servers and maximizing the opportunity to use Datagram Transport Layer Security (DTLS) for DNS privacy. The precedence policy helps address downgrade attacks. It also helps a host select networks that either provide (D)TLS-capable DNS recursive server(s) or permit establishing a (D)TLS session with well-known, trusted public recursive DNS servers. The (D)TLS session is established with trusted DNS servers for privacy.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 46% of the total text.

Page 01 of 4

PRIVACY POLICY FOR DNS SERVER NOMINATION

AUTHORS:

Tirumaleswar Reddy

Prashanth Patil

Dan Wing

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

    Domain Name Server (DNS) queries and responses are visible to network elements on the path between the DNS client and its server. These queries and responses can contain privacy-sensitive information that is worth protecting. An active attacker can also send bogus responses, misdirecting the subsequent connection.

    To counter passive listening and active attacks, DNS over Datagram Transport Layer Security (DTLS) (DNSoD) [http://tools.ietf.org/html/draft-wing-dnsop-dnsodtls-01] and DNS over TLS [http://tools.ietf.org/html/draft-hzhwm-start-tls-for-dns-00] provide confidential DNS communication for stub resolvers, recursive resolvers, iterative resolvers and authoritative servers.

    There are additional problems. Because (D)TLS provides integrity protection, simply using (D)TLS protects against on-path attackers sending bogus responses. That is, a device on the path between a DNS client and its DNS server cannot simply inject a bogus DNS response, as it could with normal DNS. However, that protection is not particularly strong, because the attacker could intercept the (D)TLS handshake itself and pretend to be the actual DNS server.

Copyright 2014 Cisco Systems, Inc.

    In addition, DNS over (D)TLS is susceptible to downgrade attacks. Because a client is unaware of the DNS server's capabilities, the process of determining whether the DNS server supports (D)TLS could itself be compromised, leaving the client unable to use (D)TLS even though the server does support it; i.e., a Client Hello sent in the clear, or a DNS query sent to determine (D)TLS support on the DNS server, could be compromised.

    Techniques are presented herein to address the problems described above and to define a DNS privacy policy for a host. The privacy policy enables a host to select networks that either provide (D)TLS-capable DNS servers or provide access to well-known, trusted DNS servers. This is extremely useful for users who have privacy concerns. For example, a user with a strict privacy policy may choose to access the Internet only over a Wi-Fi® network offered by a public venue that has a DNS server with (D)TLS capabilities or that permits access to well-known, trusted public DNS servers. See FIG. 1 below for an example environment.

FIG. 1
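The precedence policy described above, modelled as an added Python example that is not part of the original disclosure. Because the policy details are truncated in this extract, the three precedence levels, the strict/relaxed switch, the resolver addresses and the downgrade check on a resolver that previously completed a (D)TLS handshake are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed placeholder for the host's list of well-known, trusted public
# resolvers (documentation-range address, not a real resolver).
TRUSTED_PUBLIC_RESOLVERS = {"203.0.113.53"}


@dataclass
class Network:
    ssid: str
    local_dns: str                 # recursive resolver the network hands out
    local_dns_dtls: bool           # that resolver completed a (D)TLS handshake
    reachable_public: set = field(default_factory=set)  # public resolvers reachable over (D)TLS


def rank(net: Network, strict: bool):
    """Apply the (assumed) precedence policy to one network.

    Returns (precedence, resolver): 0 = local (D)TLS-capable resolver,
    1 = trusted public resolver over (D)TLS, 2 = cleartext fallback.
    Under a strict policy a network offering only cleartext DNS is rejected (None).
    """
    if net.local_dns_dtls:
        return 0, net.local_dns
    trusted = sorted(net.reachable_public & TRUSTED_PUBLIC_RESOLVERS)
    if trusted:
        return 1, trusted[0]
    return None if strict else (2, net.local_dns)


def choose_network(nets, strict=True):
    """Pick the network with the best precedence; ties keep the first listed."""
    ranked = [(rank(n, strict), n) for n in nets]
    ranked = [(r, n) for r, n in ranked if r is not None]
    if not ranked:
        return None
    (prec, resolver), net = min(ranked, key=lambda item: item[0][0])
    return net.ssid, resolver, prec


def handshake_result(seen_dtls: dict, server: str, handshake_ok: bool) -> bool:
    """Downgrade check: a resolver that previously completed (D)TLS but now
    fails the handshake must not silently be used in cleartext. Returns True
    when the failure should be treated as a suspected downgrade."""
    if handshake_ok:
        seen_dtls[server] = True
        return False
    return seen_dtls.get(server, False)


# Constructed sample networks (documentation-range addresses).
NETS = [
    Network("cafe-open", "192.0.2.1", False),
    Network("airport-wifi", "192.0.2.2", False, {"203.0.113.53"}),
    Network("office", "192.0.2.3", True),
]
```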

    The first...