Hi all-- I just pushed an individual submission that folks in DPRIVE might be interested in:
https://datatracker.ietf.org/doc/draft-dkg-dprive-demux-dns-http/

It describes how a TLS server can offer both HTTPS and DNS-over-TLS on the same port because valid initial messages from each protocol are always distinguishable by the server.

I have a functional implementation listening on TCP port 443 on dns.cmrg.net right now, if anyone wants to experiment with it. Consider all the possibilities of this terrible layering violation! Both of these commands work just fine:

    wget -O- https://dns.cmrg.net/

    kdig +tls +tls-ca +tls-hostname=dns.cmrg.net @dns.cmrg.net:443 www.ietf.org

I believe my analysis of DNS and HTTP message framing is correct, but if that's not the case, I hope someone will helpfully correct me.

Constructive criticism is welcome on-list, and minor editorial cleanup can be made as merge requests to https://gitlab.com/dkg/hddemux or by private e-mail. Please send flames by private e-mail only :)

--dkg
--- Begin Message ---
A new version of I-D, draft-dkg-dprive-demux-dns-http-00.txt
has been successfully submitted by Daniel Kahn Gillmor and posted to the IETF repository.

Name:           draft-dkg-dprive-demux-dns-http
Revision:       00
Title:          Demultiplexing Streamed DNS from HTTP
Document date:  2017-04-24
Group:          Individual Submission
Pages:          16
URL:            https://www.ietf.org/internet-drafts/draft-dkg-dprive-demux-dns-http-00.txt
Status:         https://datatracker.ietf.org/doc/draft-dkg-dprive-demux-dns-http/
Htmlized:       https://tools.ietf.org/html/draft-dkg-dprive-demux-dns-http-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-dkg-dprive-demux-dns-http-00

Abstract:
   DNS over TCP and traditional HTTP are both stream-oriented, client-speaks-first protocols. They can both be run over a stream-based security protocol like TLS. A server accepting a stream-based client can distinguish between a valid stream of DNS queries and a valid stream of HTTP requests by simple observation of the first few octets sent by the client. This can be done without any external demultiplexing mechanism like TCP port number or ALPN. Implicit multiplexing of the two protocols over a single listening port can be useful for obscuring the presence of DNS queries from a network observer, which makes it relevant for DNS privacy.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
--- End Message ---
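The demultiplexing decision the message describes, as an added example that is not code from the draft or from hddemux: a server peeks at the first octets of a client-speaks-first stream and routes it to HTTP or DNS, asking for more octets when the prefix is not yet decidable. It is a simplification that only covers HTTP/1.x, the HTTP/2 connection preface and DNS queries with opcode QUERY; the draft's framing analysis is the full treatment, and `build_query` only constructs a sample input.

```python
import struct
# Added illustration (not code from the draft or hddemux): route a freshly
# accepted stream by inspecting only the first octets the client sent. Only
# HTTP/1.x, the HTTP/2 preface and DNS queries with opcode QUERY are covered.

HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789"            # RFC 7230 tchar
                  b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
MAX_METHOD = 20      # longest method token we wait for before giving up

def looks_like_http1(prefix):
    """True/False once decidable, None while more octets are needed."""
    for i, c in enumerate(prefix[:MAX_METHOD + 1]):
        if c == 0x20:                       # SP terminates the method token
            return i > 0                    # an empty method is not HTTP
        if c not in TCHAR:
            return False
    return None if len(prefix) <= MAX_METHOD else False

def looks_like_dns(prefix):
    """DNS over TCP: 2-octet length, then a 12-octet header with QR == 0."""
    if len(prefix) < 2:
        return None
    (length,) = struct.unpack("!H", prefix[:2])
    if length < 12:                         # too short to hold a DNS header
        return False
    if len(prefix) < 14:
        return None
    return (struct.unpack("!H", prefix[4:6])[0] & 0x8000) == 0   # QR clear

def classify(prefix):
    """Return 'http', 'dns', 'need-more' or 'reject' for a stream's first octets."""
    if HTTP2_PREFACE.startswith(prefix[:len(HTTP2_PREFACE)]):
        return "http" if len(prefix) >= len(HTTP2_PREFACE) else "need-more"
    h = looks_like_http1(prefix)
    if h is None:
        return "need-more"
    if h:
        return "http"
    # HTTP first: a request-line can also parse as DNS length+header, but a QUERY
    # query has 0x00/0x01 at offset 4 (flags, RD only): a CTL never in a request-line.
    d = looks_like_dns(prefix)
    return "need-more" if d is None else ("dns" if d else "reject")

def build_query(name, qtype=1, qid=0x1234):
    # Constructed sample input: a DNS-over-TCP query for `name`, class IN.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    message = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(message)) + message
```

A stream classed as "dns" is still fully validated by the DNS server it is handed to; the prefix check only chooses the handler.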
