RFC 9250: DNS over Dedicated QUIC. Huitema, et al. Standards Track, May 2022.
This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios.
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9250.
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Domain Name System (DNS) concepts are specified in "Domain names - concepts and facilities" [RFC1034]. The transmission of DNS queries and responses over UDP and TCP is specified in "Domain names - implementation and specification" [RFC1035].
This document presents a mapping of the DNS protocol over the QUIC transport [RFC9000] [RFC9001]. DNS over QUIC is referred to here as DoQ, in line with "DNS Terminology" [DNS-TERMS].
The goals of the DoQ mapping are:
In order to achieve these goals, and to support ongoing work on encryption of DNS, the scope of this document includes:
In other words, this document specifies QUIC as a general-purpose transport for DNS.
The specific non-goals of this document are:
Specifying the transmission of an application over QUIC requires specifying how the application's messages are mapped to QUIC streams, and generally how the application will use QUIC. This is done for HTTP in "Hypertext Transfer Protocol Version 3 (HTTP/3)" [HTTP/3]. The purpose of this document is to define the way DNS messages can be transmitted over QUIC.
DNS over HTTPS (DoH) [RFC8484] can be used with HTTP/3 to get some of the benefits of QUIC. However, a lightweight direct mapping for DoQ can be regarded as a more natural fit for both the recursive to authoritative and zone transfer scenarios, which rarely involve intermediaries. In these scenarios, the additional overhead of HTTP is not offset by, for example, benefits of HTTP proxying and caching behavior.
In this document, Section 3 presents the reasoning that guided the proposed design. Section 4 specifies the actual mapping of DoQ. Section 5 presents guidelines on the implementation, usage, and deployment of DoQ.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
This section and its subsections present the design guidelines that were used for DoQ. While all other sections in this document are normative, this section is informative in nature.
DoT [RFC7858] defines how to mitigate some of the issues described in "DNS Privacy Considerations" [RFC9076] by specifying how to transmit DNS messages over TLS. The "Usage Profiles for DNS over TLS and DNS over DTLS" [RFC8310] specify Strict and Opportunistic usage profiles for DoT including how stub resolvers can authenticate recursive resolvers.
QUIC connection setup includes the negotiation of security parameters using TLS, as specified in "Using TLS to Secure QUIC" [RFC9001], enabling encryption of the QUIC transport. Transmitting DNS messages over QUIC will provide essentially the same privacy protections as DoT [RFC7858] including Strict and Opportunistic usage profiles [RFC8310]. Further discussion on this is provided in Section 7.
QUIC is specifically designed to reduce protocol-induced delays, with features such as:
This mapping of DNS to QUIC will take advantage of these features in three ways:
These considerations are reflected in the mapping of DNS traffic to QUIC streams in Section 4.2.
Using QUIC might allow a protocol to disguise its purpose from devices on the network path using encryption and traffic analysis resistance techniques like padding, traffic pacing, and traffic shaping. This specification does not include any measures that are designed to avoid such classification; the padding mechanisms defined in Section 5.4 are intended to obfuscate the specific records contained in DNS queries and responses, but not the fact that this is DNS traffic. Consequently, firewalls and other middleboxes might be able to distinguish DoQ from other protocols that use QUIC, like HTTP, and apply different treatment.
The lack of measures in this specification to avoid protocol classification is not an endorsement of such practices.
As stated in Section 1, this document does not specify support for server-initiated transactions within established DoQ connections. That is, only the initiator of the DoQ connection may send queries over the connection.
DNS Stateful Operations (DSO) [RFC8490] does support server-initiated transactions within existing connections. However, DoQ as defined here does not meet the criteria for an applicable transport for DSO because it does not guarantee in-order delivery of messages; see Section 4.2 of [RFC8490].
DoQ connections are established as described in the QUIC transport specification [RFC9000]. During connection establishment, DoQ support is indicated by selecting the Application-Layer Protocol Negotiation (ALPN) token "doq" in the crypto handshake.
By default, a DNS server that supports DoQ MUST listen for and accept QUIC connections on the dedicated UDP port 853 (Section 8), unless there is a mutual agreement to use another port.
By default, a DNS client desiring to use DoQ with a particular server MUST establish a QUIC connection to UDP port 853 on the server, unless there is a mutual agreement to use another port.
DoQ connections MUST NOT use UDP port 53. This recommendation against use of port 53 for DoQ is to avoid confusion between DoQ and the use of DNS over UDP [RFC1035]. The risk of confusion exists even if two parties agreed on port 53, as other parties without knowledge of that agreement might still try to use that port.
In the stub to recursive scenario, the use of port 443 as a mutually agreed alternative port can be operationally beneficial, since port 443 is used by many services using QUIC and HTTP/3 and is thus less likely to be blocked than other ports. Several mechanisms for stubs to discover recursives offering encrypted transports, including the use of custom ports, are the subject of ongoing work.
The mapping of DNS traffic over QUIC streams takes advantage of the QUIC stream features detailed in Section 2 of [RFC9000], the QUIC transport specification.
DNS query/response traffic [RFC1034] [RFC1035] follows a simple pattern in which the client sends a query, and the server provides one or more responses (multiple responses can occur in zone transfers).
The mapping specified here requires that the client select a separate QUIC stream for each query. The server then uses the same stream to provide all the response messages for that query. In order for multiple responses to be parsed, a 2-octet length field is used in exactly the same way as the 2-octet length field defined for DNS over TCP [RFC1035]. The practical result of this is that the content of each QUIC stream is exactly the same as the content of a TCP connection that would manage exactly one query.
All DNS messages (queries and responses) sent over DoQ connections MUST be encoded as a 2-octet length field followed by the message content as specified in [RFC1035].
The client MUST select the next available client-initiated bidirectional stream for each subsequent query on a QUIC connection, in conformance with the QUIC transport specification [RFC9000]. Packet losses and other network events might cause queries to arrive in a different order. Servers SHOULD process queries as they arrive, as not doing so would cause unnecessary delays.
The client MUST send the DNS query over the selected stream and MUST indicate through the STREAM FIN mechanism that no further data will be sent on that stream.
The server MUST send the response(s) on the same stream and MUST indicate, after the last response, through the STREAM FIN mechanism that no further data will be sent on that stream.
Therefore, a single DNS transaction consumes a single bidirectional client-initiated stream. This means that the client's first query occurs on QUIC stream 0, the second on 4, and so on (see Section 2.1 of [RFC9000]).
Servers MAY defer processing of a query until the STREAM FIN has been indicated on the stream selected by the client.
Servers and clients MAY monitor the number of "dangling" streams. These are open streams where the following events have not occurred after implementation-defined timeouts:
Implementations MAY impose a limit on the number of such dangling streams. If limits are encountered, implementations MAY close the connection.
When sending queries over a QUIC connection, the DNS Message ID MUST be set to 0. The stream mapping for DoQ allows for unambiguous correlation of queries and responses, so the Message ID field is not required.
This has implications for proxying DoQ messages to and from other transports. For example, proxies may have to manage the fact that DoQ can support a larger number of outstanding queries on a single connection than, for example, DNS over TCP, because DoQ is not limited by the Message ID space. This issue already exists for DoH, where a Message ID of 0 is recommended.
When forwarding a DNS message from DoQ over another transport, a DNS Message ID MUST be generated according to the rules of the protocol that is in use. When forwarding a DNS message from another transport over DoQ, the Message ID MUST be set to 0.
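As an added example (not text or code from RFC 9250, nor from any DoQ implementation), the following Python shows what Section 4.2 prescribes on the wire: a fresh client-initiated bidirectional stream per query (IDs 0, 4, 8, ...), the 2-octet length prefix inherited from DNS over TCP, several back-to-back responses on one stream as in a zone transfer, a Message ID forced to 0, and the ID a proxy has to generate when a DoQ message is forwarded onto a transport that correlates by Message ID. The query builder, the class and function names, and the constructed sample messages are assumptions made for this example; only the Python standard library is used.

```python
import secrets
import struct

MAX_DNS_MESSAGE = 65535  # what a 2-octet length field can express (Section 4.6)


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels ending in the root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, msg_id: int = 0) -> bytes:
    """Minimal DNS query (RD=1, one question, no OPT RR); constructed for the example."""
    header = struct.pack(">HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def frame(message: bytes) -> bytes:
    """2-octet length prefix, exactly as DNS over TCP (RFC 1035 Section 4.2.2)."""
    if len(message) > MAX_DNS_MESSAGE:
        raise ValueError("DNS message longer than 65535 octets")
    return struct.pack(">H", len(message)) + message


def split_messages(stream_payload: bytes) -> list:
    """Split a stream's full payload (everything up to FIN) into DNS messages.
    A zone transfer puts several responses on one stream, back to back."""
    out, off = [], 0
    while off < len(stream_payload):
        if off + 2 > len(stream_payload):
            raise ValueError("truncated length field")
        length = struct.unpack(">H", stream_payload[off:off + 2])[0]
        body = stream_payload[off + 2:off + 2 + length]
        if len(body) != length:
            raise ValueError("STREAM FIN before the full message arrived")
        out.append(body)
        off += 2 + length
    return out


class DoqClientConnection:
    """Assigns streams and frames queries for one DoQ connection (client side)."""

    def __init__(self) -> None:
        self._opened = 0
        self.in_flight = {}  # stream_id -> query, for matching responses

    def send_query(self, message: bytes):
        """Return (stream_id, bytes) to write on a fresh stream, followed by FIN."""
        # Section 4.2.1: the Message ID on DoQ is always 0; the stream identity
        # correlates the response, so a message coming from UDP/TCP is rewritten.
        message = b"\x00\x00" + message[2:]
        stream_id = self._opened * 4  # client bidi streams: 0, 4, 8, ... (RFC 9000 Section 2.1)
        self._opened += 1
        self.in_flight[stream_id] = message
        return stream_id, frame(message)

    def receive(self, stream_id: int, payload: bytes) -> list:
        """All responses for the query on `stream_id` arrive on that same stream."""
        self.in_flight.pop(stream_id)
        return split_messages(payload)


def forward_from_doq(message: bytes, ids_in_use: set) -> tuple:
    """Give a DoQ message a fresh, unused Message ID before sending it over a
    transport that correlates by ID (UDP/TCP/DoT). Returns (new_id, message).
    `ids_in_use` is the proxy's set of IDs currently outstanding on that transport."""
    if len(ids_in_use) >= 1 << 16:
        raise RuntimeError("Message ID space exhausted on the outgoing transport")
    while True:
        new_id = secrets.randbelow(1 << 16)
        if new_id not in ids_in_use:
            ids_in_use.add(new_id)
            return new_id, struct.pack(">H", new_id) + message[2:]
```

The exhaustion check in forward_from_doq is the concrete form of the proxying caveat above: a single DoQ connection can have more transactions outstanding than the 65536 Message IDs a UDP or TCP leg can distinguish, so a proxy has to track the IDs it has handed out rather than assume one is free.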
The following error codes are defined for use when abruptly terminating streams, for use as application protocol error codes when aborting reading of streams, or for immediately closing connections:
DOQ_NO_ERROR (0x0): No error. This is used when the connection or stream needs to be closed, but there is no error to signal.
DOQ_INTERNAL_ERROR (0x1): The DoQ implementation encountered an internal error and is incapable of pursuing the transaction or the connection.
DOQ_PROTOCOL_ERROR (0x2): The DoQ implementation encountered a protocol error and is forcibly aborting the connection.
DOQ_REQUEST_CANCELLED (0x3): A DoQ client uses this to signal that it wants to cancel an outstanding transaction.
DOQ_EXCESSIVE_LOAD (0x4): A DoQ implementation uses this to signal when closing a connection due to excessive load.
DOQ_UNSPECIFIED_ERROR (0x5): A DoQ implementation uses this in the absence of a more specific error code.
DOQ_ERROR_RESERVED (0xd0d0d0d0): An alternative error code used for tests.
See Section 8.4 for details on registering new error codes.
In QUIC, sending STOP_SENDING requests that a peer cease transmission on a stream. If a DoQ client wishes to cancel an outstanding request, it MUST issue a QUIC STOP_SENDING, and it SHOULD use the error code DOQ_REQUEST_CANCELLED. It MAY use a more specific error code registered according to Section 8.4. The STOP_SENDING request may be sent at any time but will have no effect if the server response has already been sent, in which case the client will simply discard the incoming response. The corresponding DNS transaction MUST be abandoned.
Servers that receive STOP_SENDING act in accordance with Section 3.5 of [RFC9000]. Servers SHOULD NOT continue processing a DNS transaction if they receive a STOP_SENDING.
Servers MAY impose implementation limits on the total number or rate of cancellation requests. If limits are encountered, servers MAY close the connection. In this case, servers wanting to help client debugging MAY use the error code DOQ_EXCESSIVE_LOAD. There is always a trade-off between helping good faith clients debug issues and allowing denial-of-service attackers to test server defenses; depending on circumstances servers might very well choose to send different error codes.
Note that this mechanism provides a way for secondaries to cancel a single zone transfer occurring on a given stream without having to close the QUIC connection.
Servers MUST NOT continue processing a DNS transaction if they receive a RESET_STREAM request from the client before the client indicates the STREAM FIN. The server MUST issue a RESET_STREAM to indicate that the transaction is abandoned unless:
Servers normally complete transactions by sending a DNS response (or responses) on the transaction's stream, including cases where the DNS response indicates a DNS error. For example, a client SHOULD be notified of a Server Failure (SERVFAIL, [RFC1035]) through a response with the Response Code set to SERVFAIL.
If a server is incapable of sending a DNS response due to an internal error, it SHOULD issue a QUIC RESET_STREAM frame. The error code SHOULD be set to DOQ_INTERNAL_ERROR. The corresponding DNS transaction MUST be abandoned. Clients MAY limit the number of unsolicited QUIC RESET_STREAM frames received on a connection before choosing to close the connection.
Note that this mechanism provides a way for primaries to abort a single zone transfer occurring on a given stream without having to close the QUIC connection.
Other error scenarios can occur due to malformed, incomplete, or unexpected messages during a transaction. These include (but are not limited to):
If a peer encounters such an error condition, it is considered a fatal error. It SHOULD forcibly abort the connection using QUIC's CONNECTION_CLOSE mechanism and SHOULD use the DoQ error code DOQ_PROTOCOL_ERROR. In some cases, it MAY instead silently abandon the connection, which uses fewer of the local resources but makes debugging at the offending node more difficult.
It is noted that the restriction on use of the edns-tcp-keepalive EDNS(0) Option [RFC7828], which is not to be sent on DoQ connections, has implications for proxying messages from TCP/DoT/DoH over DoQ.
This specification describes specific error codes in Sections 4.3.1, 4.3.2, and 4.3.3. These error codes are meant to facilitate investigation of failures and other incidents. New error codes may be defined in future versions of DoQ or registered as specified in Section 8.4.
Because new error codes can be defined without negotiation, use of an error code in an unexpected context or receipt of an unknown error code MUST be treated as equivalent to DOQ_UNSPECIFIED_ERROR.
Implementations MAY wish to test the support for the error code extension mechanism by using error codes not listed in this document, or they MAY use DOQ_ERROR_RESERVED.
Section 10 of [RFC9000], the QUIC transport specification, specifies that connections can be closed in three ways:
Clients and servers implementing DoQ SHOULD negotiate use of the idle timeout. Closing on idle timeout is done without any packet exchange, which minimizes protocol overhead. Per Section 10.1 of [RFC9000], the QUIC transport specification, the effective value of the idle timeout is computed as the minimum of the values advertised by the two endpoints. Practical considerations on setting the idle timeout are discussed in Section 5.5.2.
Clients SHOULD monitor the idle time incurred on their connection to the server, defined by the time spent since the last packet from the server has been received. When a client prepares to send a new DNS query to the server, it SHOULD check whether the idle time is sufficiently lower than the idle timer. If it is, the client SHOULD send the DNS query over the existing connection. If not, the client SHOULD establish a new connection and send the query over that connection.
Clients MAY discard their connections to the server before the idle timeout expires. A client that has outstanding queries SHOULD close the connection explicitly using QUIC's CONNECTION_CLOSE mechanism and the DoQ error code DOQ_NO_ERROR.
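As an added example (not RFC text and not any implementation's code), the following Python puts the error handling of Section 4.3 together: the DoQ application error codes with the values RFC 9250 registers, the Section 4.3.4 rule that an unknown code, or a known code arriving out of context, is treated as DOQ_UNSPECIFIED_ERROR, and a server-side per-stream receiver that turns the malformed, incomplete, or unexpected cases described above (a non-zero Message ID, STREAM FIN arriving before the length-prefixed message is complete, more than one message on a query stream, data on a stream outside the client-initiated bidirectional ones) into a fatal DOQ_PROTOCOL_ERROR for the connection. Treating a server-sent DOQ_REQUEST_CANCELLED as out of context, and deferring query processing until FIN, are choices made for this example; the class and function names and the sample query are also this example's.

```python
import struct
from enum import IntEnum
from typing import Optional


class DoqError(IntEnum):
    """Application error codes registered by RFC 9250 (Sections 4.3 and 8.4)."""
    NO_ERROR = 0x0
    INTERNAL_ERROR = 0x1
    PROTOCOL_ERROR = 0x2
    REQUEST_CANCELLED = 0x3
    EXCESSIVE_LOAD = 0x4
    UNSPECIFIED_ERROR = 0x5
    ERROR_RESERVED = 0xD0D0D0D0


def normalize_error_code(code: int, sent_by_client: bool) -> DoqError:
    """Section 4.3.4: an unknown code, or a known code in an unexpected context,
    is handled exactly like DOQ_UNSPECIFIED_ERROR."""
    try:
        known = DoqError(code)
    except ValueError:
        return DoqError.UNSPECIFIED_ERROR
    # DOQ_REQUEST_CANCELLED is defined for a client cancelling its own
    # transaction; coming from a server it is out of context (example's reading).
    if known is DoqError.REQUEST_CANCELLED and not sent_by_client:
        return DoqError.UNSPECIFIED_ERROR
    return known


class ProtocolViolation(Exception):
    """Fatal per Section 4.3.3: CONNECTION_CLOSE with DOQ_PROTOCOL_ERROR."""
    code = DoqError.PROTOCOL_ERROR


class QueryStreamReceiver:
    """Server-side reassembly of the single query carried by one client stream."""

    def __init__(self) -> None:
        self.buf = b""
        self.query: Optional[bytes] = None
        self.fin = False

    def feed(self, data: bytes, fin: bool) -> Optional[bytes]:
        """Return the complete query once the client has also signalled FIN
        (a server MAY defer until FIN, Section 4.2); raise on a violation."""
        if self.fin:
            raise ProtocolViolation("data after STREAM FIN")
        self.buf += data
        self.fin = fin
        if self.query is None and len(self.buf) >= 2:
            length = struct.unpack(">H", self.buf[:2])[0]
            if len(self.buf) >= 2 + length:
                msg, self.buf = self.buf[2:2 + length], self.buf[2 + length:]
                if length < 12:
                    raise ProtocolViolation("message shorter than a DNS header")
                if msg[:2] != b"\x00\x00":
                    raise ProtocolViolation("Message ID is not 0 (Section 4.2.1)")
                self.query = msg
        if self.query is not None and self.buf:
            raise ProtocolViolation("more than one message on a query stream")
        if fin and self.query is None:
            raise ProtocolViolation("STREAM FIN before the length-prefixed message completed")
        return self.query if fin else None


def server_on_stream_data(streams: dict, stream_id: int, data: bytes, fin: bool):
    """Dispatch one STREAM frame. Returns ("query", msg), ("wait", None) or
    ("close", DoqError) for the connection handler to act on."""
    # Client-initiated bidirectional streams have the two low bits clear
    # (0, 4, 8, ...); the DoQ mapping uses no other stream type.
    if stream_id & 0x3:
        return ("close", DoqError.PROTOCOL_ERROR)
    rx = streams.setdefault(stream_id, QueryStreamReceiver())
    try:
        query = rx.feed(data, fin)
    except ProtocolViolation:
        return ("close", DoqError.PROTOCOL_ERROR)
    return ("query", query) if query is not None else ("wait", None)
```

Returning a ("close", code) action rather than closing inside the receiver keeps the choice between CONNECTION_CLOSE with DOQ_PROTOCOL_ERROR and silently abandoning the connection (both allowed above) in one place, where rate limits and debugging policy can be applied.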
Clients and servers MAY close the connection for a variety of other reasons, indicated using QUIC's CONNECTION_CLOSE. Clients and servers that send packets over a connection discarded by their peer might receive a stateless reset indication. If a connection fails, all the in-progress transactions on that connection MUST be abandoned.
A client MAY take advantage of the session resumption and 0-RTT mechanisms supported by QUIC transport [RFC9000] and QUIC TLS [RFC9001] if the server supports them. Clients SHOULD consider potential privacy issues associated with session resumption before deciding to use this mechanism and specifically evaluate the trade-offs presented in the various sections of this document. The privacy issues are detailed in Sections 7.1 and 7.2, and the implementation considerations are discussed in Section 5.5.3.
The 0-RTT mechanism MUST NOT be used to send DNS requests that are not "replayable" transactions. In this specification, only transactions that have an OPCODE of QUERY or NOTIFY are considered replayable; therefore, other OPCODES MUST NOT be sent in 0-RTT data. See Appendix A for a detailed discussion of why NOTIFY is included here.
Servers MAY support session resumption, and MAY do that with or without supporting 0-RTT, using the mechanisms described in Section 4.6.1 of [RFC9001]. Servers supporting 0-RTT MUST NOT immediately process non-replayable transactions received in 0-RTT data but instead MUST adopt one of the following behaviors:
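The following Python is an added example of the Section 4.5 gating, not code from the RFC or from any implementation. The client side reads the OPCODE out of the DNS header and lets only QUERY and NOTIFY travel as 0-RTT data; the server side never processes a non-replayable transaction that arrived as early data right away. Holding such a transaction back until the handshake has completed is the behavior this example chooses (the RFC permits more than one); the constructed header-only messages, the class and function names, and the OPCODE constants (QUERY=0, IQUERY=1, STATUS=2, NOTIFY=4, UPDATE=5, from the DNS OPCODE registry) are this example's.

```python
import struct
from collections import deque

# DNS OPCODE values; only QUERY and NOTIFY are "replayable" per Section 4.5.
OPCODE_QUERY, OPCODE_IQUERY, OPCODE_STATUS, OPCODE_NOTIFY, OPCODE_UPDATE = 0, 1, 2, 4, 5
REPLAYABLE_OPCODES = frozenset({OPCODE_QUERY, OPCODE_NOTIFY})


def dns_header(opcode: int, msg_id: int = 0) -> bytes:
    """Constructed 12-octet DNS header with the given OPCODE (flag bits 1-4)."""
    return struct.pack(">HHHHHH", msg_id, (opcode & 0xF) << 11, 0, 0, 0, 0)


def opcode_of(message: bytes) -> int:
    flags = struct.unpack(">H", message[2:4])[0]
    return (flags >> 11) & 0xF


def client_may_send_in_0rtt(message: bytes) -> bool:
    """Client rule: only QUERY and NOTIFY may go out as 0-RTT data; anything
    else (UPDATE, STATUS, IQUERY, unassigned opcodes) waits for 1-RTT keys."""
    return opcode_of(message) in REPLAYABLE_OPCODES


def split_for_0rtt(messages):
    """Partition queued messages into (send as early data, send after handshake)."""
    early = [m for m in messages if client_may_send_in_0rtt(m)]
    later = [m for m in messages if not client_may_send_in_0rtt(m)]
    return early, later


class ZeroRttGate:
    """Server side: a non-replayable transaction received as 0-RTT data is
    never processed immediately. This example holds it until the handshake
    completes; it could equally be refused or the connection closed."""

    def __init__(self) -> None:
        self.handshake_complete = False
        self._deferred = deque()

    def accept(self, message: bytes, early_data: bool) -> str:
        """Return "process" or "defer" for the message just received."""
        if early_data and not self.handshake_complete and not client_may_send_in_0rtt(message):
            self._deferred.append(message)
            return "defer"
        return "process"

    def on_handshake_complete(self) -> list:
        """Once 1-RTT keys exist the deferred transactions are released in
        arrival order; an attacker can no longer replay them as early data."""
        self.handshake_complete = True
        released = list(self._deferred)
        self._deferred.clear()
        return released
```

The gate keys on OPCODE alone, which matches the text above: a QUERY is replayable because it does not change long-term server state, and an UPDATE is not, regardless of what else the message carries.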
DoQ queries and responses are sent on QUIC streams, which in theory can carry up to 2^62 bytes. However, DNS messages are restricted in practice to a maximum size of 65535 bytes. This maximum size is enforced by the use of a 2-octet message length field in DNS over TCP [RFC1035] and DoT [RFC7858], and by the definition of the "application/dns-message" media type for DoH [RFC8484]. DoQ enforces the same restriction.
The Extension Mechanisms for DNS (EDNS(0)) [RFC6891] allow peers to specify the UDP message size. This parameter is ignored by DoQ. DoQ implementations always assume that the maximum message size is 65535 bytes.
For the stub to recursive scenario, the authentication requirements are the same as described in DoT [RFC7858] and "Usage Profiles for DNS over TLS and DNS over DTLS" [RFC8310]. [RFC8932] states that DNS privacy services SHOULD provide credentials that clients can use to authenticate the server. Given this, and to align with the authentication model for DoH, DoQ stubs SHOULD use a Strict usage profile. Client authentication for the encrypted stub to recursive scenario is not described in any DNS RFC.
For zone transfer, the authentication requirements are the same as described in [RFC9103].
For the recursive to authoritative scenario, authentication requirements are unspecified at the time of writing and are the subject of ongoing work in the DPRIVE WG.
If the establishment of the DoQ connection fails, clients MAY attempt to fall back to DoT and then potentially cleartext, as specified in DoT [RFC7858] and "Usage Profiles for DNS over TLS and DNS over DTLS" [RFC8310], depending on their usage profile.
DNS clients SHOULD remember server IP addresses that don't support DoQ. Mobile clients might also remember the lack of DoQ support by given IP addresses on a per-context basis (e.g., per network or provisioning domain).
Timeouts, connection refusals, and QUIC handshake failures are indicators that a server does not support DoQ. Clients SHOULD NOT attempt DoQ queries to a server that does not support DoQ for a reasonable period (such as one hour per server). DNS clients following an out-of-band key-pinned usage profile [RFC7858] MAY be more aggressive about retrying after DoQ connection failures.
Section 8 of [RFC9000], the QUIC transport specification, defines Address Validation procedures to avoid servers being used in address amplification attacks. DoQ implementations MUST conform to this specification, which limits the worst-case amplification to a factor of 3.
DoQ implementations SHOULD consider configuring servers to use the Address Validation using Retry Packets procedure defined in Section 8.1.2 of [RFC9000], the QUIC transport specification. This procedure imposes a 1-RTT delay for verifying the return routability of the source address of a client, similar to the DNS Cookies mechanism [RFC7873].
DoQ implementations that configure Address Validation using Retry Packets SHOULD implement the Address Validation for Future Connections procedure defined in Section 8.1.3 of [RFC9000], the QUIC transport specification. This defines how servers can send NEW_TOKEN frames to clients after the client address is validated in order to avoid the 1-RTT penalty during subsequent connections by the client from the same address.
Implementations MUST protect against the traffic analysis attacks described in Section 7.5 by the judicious injection of padding. This could be done either by padding individual DNS messages using the EDNS(0) Padding Option [RFC7830] or by padding QUIC packets (see Section 19.1 of [RFC9000]).
In theory, padding at the QUIC packet level could result in better performance for the equivalent protection, because the amount of padding can take into account non-DNS frames such as acknowledgements or flow control updates, and also because QUIC packets can carry multiple DNS messages. However, applications can only control the amount of padding in QUIC packets if the implementation of QUIC exposes adequate APIs. This leads to the following recommendations:
Implementations might choose not to use a QUIC API for padding if it is significantly simpler to reuse existing DNS message padding logic that is applied to other encrypted transports.
In the absence of a standard policy for padding sizes, implementations SHOULD follow the recommendations of the Experimental status "Padding Policies for Extension Mechanisms for DNS (EDNS(0))" [RFC8467]. While Experimental, these recommendations are referenced because they are implemented and deployed for DoT and provide a way for implementations to be fully compliant with this specification.
"DNS Transport over TCP - Implementation Requirements" [RFC7766] provides updated guidance on DNS over TCP, some of which is applicable to DoQ. This section provides similar advice on connection handling for DoQ.
Historic implementations of DNS clients are known to open and close TCP connections for each DNS query. To amortize connection setup costs, both clients and servers SHOULD support connection reuse by sending multiple queries and responses over a single persistent QUIC connection.
In order to achieve performance on par with UDP, DNS clients SHOULD send their queries concurrently over the QUIC streams on a QUIC connection. That is, when a DNS client sends multiple queries to a server over a QUIC connection, it SHOULD NOT wait for an outstanding reply before sending the next query.
Proper management of established and idle connections is important to the healthy operation of a DNS server.
An implementation of DoQ SHOULD follow best practices similar to those specified for DNS over TCP [RFC7766], in particular with regard to:
Failure to do so may lead to resource exhaustion and denial of service.
Clients that want to maintain long duration DoQ connections SHOULD use the idle timeout mechanisms defined in Section 10.1 of [RFC9000], the QUIC transport specification. Clients and servers MUST NOT send the edns-tcp-keepalive EDNS(0) Option [RFC7828] in any messages sent on a DoQ connection (because it is specific to the use of TCP/TLS as a transport).
This document does not make specific recommendations for timeout values on idle connections. Clients and servers should reuse and/or close connections depending on the level of available resources. Timeouts may be longer during periods of low activity and shorter during periods of high activity.
Using 0-RTT for DoQ has many compelling advantages. Clients can establish connections and send queries without incurring a connection delay. Servers can thus negotiate low values of the connection timers, which reduces the total number of connections that they need to manage. They can do that because the clients that use 0-RTT will not incur latency penalties if new connections are required for a query.
Session resumption and 0-RTT data transmission create privacy risks detailed in Sections 7.1 and 7.2. The following recommendations are meant to reduce the privacy risks while enjoying the performance benefits of 0-RTT data, subject to the restrictions specified in Section 4.5.
Clients SHOULD use resumption tickets only once, as specified in Appendix C.4 of [RFC8446]. By default, clients SHOULD NOT use session resumption if the client's connectivity has changed.
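As an added example of the message-level padding route described in Section 5.4 (this is not code from the RFC, from RFC 7830/8467, or from any resolver), the Python below appends an OPT RR carrying the EDNS(0) Padding option (option code 12, RFC 7830) so that the whole message becomes a multiple of the RFC 8467 block size: 128 octets for queries and 468 octets for responses. A second function walks a finished message and reports the padding it carries, which is the check a test or a packet capture review would apply. The example assumes the input message does not yet carry an OPT RR (a real implementation would add the option to its existing OPT record instead); the function names and the constructed sample query are this example's.

```python
import struct

EDNS_OPT_TYPE = 41
EDNS_PADDING_CODE = 12                  # EDNS(0) Padding option, RFC 7830
QUERY_BLOCK, RESPONSE_BLOCK = 128, 468  # RFC 8467 block sizes (queries, responses)


def pad_message(message: bytes, block: int, udp_payload_size: int = 4096) -> bytes:
    """Append an OPT RR whose only option is Padding, sized so that the entire
    message length is a multiple of `block`. Assumes no OPT RR is present yet."""
    msg_id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", message[:12])
    if ar != 0:
        raise ValueError("example handles messages without an existing OPT RR only")
    # OPT RR overhead: root name (1) + TYPE/CLASS/TTL/RDLEN (10) + option header (4)
    fixed = len(message) + 15
    pad = (-fixed) % block
    option = struct.pack(">HH", EDNS_PADDING_CODE, pad) + b"\x00" * pad
    # CLASS carries the requester's UDP payload size; DoQ ignores it (Section 4.6).
    opt = b"\x00" + struct.pack(">HHIH", EDNS_OPT_TYPE, udp_payload_size, 0, len(option)) + option
    header = struct.pack(">HHHHHH", msg_id, flags, qd, an, ns, ar + 1)
    return header + message[12:] + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, handling a compression pointer."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # pointer, RFC 1035 Section 4.1.4
            return off + 2
        off += 1 + n


def padding_length(msg: bytes):
    """Walk all sections and return the Padding option's length (None if absent)."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = off + 10, off + 10 + rdlen
        if rtype == EDNS_OPT_TYPE:
            p = rdata
            while p < rdata + rdlen:
                code, olen = struct.unpack(">HH", msg[p:p + 4])
                if code == EDNS_PADDING_CODE:
                    return olen
                p += 4 + olen
    return None
```

Because the padding rounds the DNS message up before the 2-octet length prefix is added, the stream carries block + 2 octets per query; padding at the QUIC packet level, the alternative named above, would instead hide the length prefix and the ACK and flow control frames along with the message.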
Clients could receive address validation tokens from the server using the NEW_TOKEN mechanism; see Section 8 of [RFC9000]. The associated tracking risks are mentioned in Section 7.3. Clients SHOULD only use the address validation tokens when they are also using session resumption, thus avoiding additional tracking risks.
Servers SHOULD issue session resumption tickets with a sufficiently long lifetime (e.g., 6 hours), so that clients are not tempted to either keep the connection alive or frequently poll the server to renew session resumption tickets. Servers SHOULD implement the anti-replay mechanisms specified in Section 8 of [RFC8446].
DoQ implementations might consider using the connection migration features defined in Section 9 of [RFC9000]. These features enable connections to continue operating as the client's connectivity changes. As detailed in Section 7.4, these features trade off privacy for latency. By default, clients SHOULD be configured to prioritize privacy and start new sessions if their connectivity changes.
As specified in Section 7 of [RFC7766] "DNS Transport over TCP - Implementation Requirements", resolvers are RECOMMENDED to support the preparing of responses in parallel and sending them out of order. In DoQ, they do that by sending responses on their specific stream as soon as possible, without waiting for availability of responses for previously opened streams.
[RFC9103] specifies zone transfer over TLS (XoT) and includes updates to [RFC1995] (IXFR), [RFC5936] (AXFR), and [RFC7766]. Considerations relating to the reuse of XoT connections described there apply analogously to zone transfers performed using DoQ connections. One reason for reiterating such specific guidance is the lack of effective connection reuse in existing TCP/TLS zone transfer implementations today. The following recommendations apply:
DoQ implementations SHOULD
Servers and clients manage flow control using the mechanisms defined in Section 4 of [RFC9000]. These mechanisms allow clients and servers to specify how many streams can be created, how much data can be sent on a stream, and how much data can be sent on the union of all streams. For DoQ, controlling how many streams are created allows servers to control how many new requests the client can send on a given connection.
Flow control exists to protect endpoint resources. For servers, global and per-stream flow control limits control how much data can be sent by clients. The same mechanisms allow clients to control how much data can be sent by servers. Values that are too small will unnecessarily limit performance. Values that are too large might expose endpoints to overload or memory exhaustion. Implementations or deployments will need to adjust flow control limits to balance these concerns. In particular, zone transfer implementations will need to control these limits carefully to ensure both large and concurrent zone transfers are well managed.
Initial values of parameters control how many requests and how much data can be sent by clients and servers at the beginning of the connection. These values are specified in transport parameters exchanged during the connection handshake. The parameter values received in the initial connection also control how many requests and how much data can be sent by clients using 0-RTT data in a resumed connection. Using too small values of these initial parameters would restrict the usefulness of allowing 0-RTT data.
A Threat Analysis of the Domain Name System is found in [RFC3833]. This analysis was written before the development of DoT, DoH, and DoQ, and probably needs to be updated.
The security considerations of DoQ should be comparable to those of DoT [RFC7858]. DoT as specified in [RFC7858] only addresses the stub to recursive scenario, but the considerations about person-in-the-middle attacks, middleboxes, and caching of data from cleartext connections also apply for DoQ to the resolver to authoritative server scenario. As stated in Section 5.1, the authentication requirements for securing zone transfer using DoQ are the same as those for zone transfer over DoT; therefore, the general security considerations are entirely analogous to those described in [RFC9103].
DoQ relies on QUIC, which itself relies on TLS 1.3 and thus supports by default the protections against downgrade attacks described in [BCP195]. QUIC-specific issues and their mitigations are described in Section 21 of [RFC9000].
The general considerations of encrypted transports provided in "DNS Privacy Considerations" [RFC9076] apply to DoQ. The specific considerations provided there do not differ between DoT and DoQ, and they are not discussed further here. Similarly, "Recommendations for DNS Privacy Service Operators" [RFC8932] (which covers operational, policy, and security considerations for DNS privacy services) is also applicable to DoQ services.
QUIC incorporates the mechanisms of TLS 1.3 [RFC8446], and this enables QUIC transmission of "0-RTT" data. This can provide interesting latency gains, but it raises two concerns:
These issues are developed in Sections 7.1 and 7.2.
The 0-RTT data can be replayed by adversaries. That data may trigger queries by a recursive resolver to authoritative resolvers. Adversaries may be able to pick a time at which the recursive resolver outgoing traffic is observable and thus find out what name was queried for in the 0-RTT data.
This risk is in fact a subset of the general problem of observing the behavior of the recursive resolver discussed in "DNS Privacy Considerations" [RFC9076]. The attack is partially mitigated by reducing the observability of this traffic. The mandatory replay protection mechanisms in TLS 1.3 [RFC8446] limit but do not eliminate the risk of replay. 0-RTT packets can only be replayed within a narrow window, which is only wide enough to account for variations in clock skew and network transmission.
The recommendation for TLS 1.3 [RFC8446] is that the capability to use 0-RTT data should be turned off by default and only enabled if the user clearly understands the associated risks. In the case of DoQ, allowing 0-RTT data provides significant performance gains, and there is a concern that a recommendation to not use it would simply be ignored. Instead, a set of practical recommendations is provided in Sections 4.5 and 5.5.3.
The specifications in Section 4.5 block the most obvious risks of replay attacks, as they only allow for transactions that will not change the long-term state of the server.
The attacks described above apply to the stub resolver to recursive resolver scenario, but similar attacks might be envisaged in the recursive resolver to authoritative resolver scenario, and the same mitigations apply.
The QUIC session resumption mechanism reduces the cost of re-establishing sessions and enables 0-RTT data. There is a linkability issue associated with session resumption, if the same resumption token is used several times. Attackers on path between client and server could observe repeated usage of the token and use that to track the client over time or over multiple locations.
The session resumption mechanism allows servers to correlate the resumed sessions with the initial sessions and thus to track the client. This creates a virtual long duration session. The series of queries in that session can be used by the server to identify the client. Servers can most probably do that already if the client address remains constant, but session resumption tickets also enable tracking after changes of the client's address.
The recommendations in Section 5.5.3 are designed to mitigate these risks. Using session tickets only once mitigates the risk of tracking by third parties. Refusing to resume a session if addresses change mitigates the incremental risk of tracking by the server (but the risk of tracking by IP address remains).
The privacy trade-offs here may be context specific. Stub resolvers will have a strong motivation to prefer privacy over latency since they often change location. However, recursive resolvers that use a small set of static IP addresses are more likely to prefer the reduced latency provided by session resumption and may consider this a valid reason to use resumption tickets even if the IP address changed between sessions.
Encrypted zone transfer ([RFC9103]) explicitly does not attempt to hide the identity of the parties involved in the transfer; at the same time, such transfers are not particularly latency sensitive. This means that applications supporting zone transfers may decide to apply the same protections as stub to recursive applications.
QUIC specifies address validation mechanisms in Section 8 of [RFC9000]. Use of an address validation token allows QUIC servers to avoid an extra RTT for new connections. Address validation tokens are typically tied to an IP address. QUIC clients normally only use these tokens when setting up a new connection from a previously used address. However, clients are not always aware that they are using a new address. This could be due to NAT, or because the client does not have an API available to check if the IP address has changed (which can be quite often for IPv6). There is a linkability risk if clients mistakenly use address validation tokens after unknowingly moving to a new location.
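The following Python is an added example (not the RFC's text, nor any stub resolver's code) of a client-side policy that applies the connection-handling recommendations of Sections 4.4, 5.5.3 and 5.5.4 together: the effective idle timeout is the minimum of the two advertised values and an existing connection is reused only while its idle time is comfortably below it; each resumption ticket is spent once; an address validation token from NEW_TOKEN is presented only alongside a resumption ticket; and a change of connectivity discards both tickets and token so that a new session, rather than a resumed or migrated one, is started. The class and method names, the 50% idle margin, the single-use handling of the token and the "network_id" notion used to detect a connectivity change are assumptions made for this example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class DoqClientSession:
    """Per-server state a privacy-first DoQ stub keeps between connections."""
    local_idle_timeout_ms: int
    peer_idle_timeout_ms: int
    last_server_packet_ms: int = 0
    tickets: deque = field(default_factory=deque)  # unused TLS resumption tickets
    address_token: Optional[bytes] = None            # from NEW_TOKEN (RFC 9000 Section 8)
    network_id: Optional[str] = None                  # interface + local address, say

    @property
    def idle_timeout_ms(self) -> int:
        """RFC 9000 Section 10.1: the effective idle timeout is the minimum of both sides."""
        return min(self.local_idle_timeout_ms, self.peer_idle_timeout_ms)

    def on_server_packet(self, now_ms: int) -> None:
        self.last_server_packet_ms = now_ms

    def can_reuse_connection(self, now_ms: int, margin: float = 0.5) -> bool:
        """Section 4.4: send on the existing connection only if the idle time is
        sufficiently below the idle timer; otherwise open a new connection.
        Requiring less than half the timeout is this example's margin."""
        idle = now_ms - self.last_server_packet_ms
        return idle < self.idle_timeout_ms * margin

    def on_new_ticket(self, ticket: bytes) -> None:
        self.tickets.append(ticket)

    def on_new_token(self, token: bytes) -> None:
        self.address_token = token

    def on_connectivity_change(self, new_network_id: str) -> None:
        """Sections 5.5.3 and 5.5.4: by default neither resume nor migrate across
        a connectivity change, and never carry an address token to a new
        location (Section 7.3), so all stored material is dropped."""
        if new_network_id != self.network_id:
            self.tickets.clear()
            self.address_token = None
            self.network_id = new_network_id

    def resumption_material(self) -> Tuple[Optional[bytes], Optional[bytes]]:
        """(ticket, token) for the next handshake, or (None, None) for a full one.
        A ticket is handed out once (RFC 8446 Appendix C.4) and the token only
        together with a ticket (Section 5.5.3); the token is also spent once here."""
        if not self.tickets:
            return None, None
        ticket = self.tickets.popleft()
        token, self.address_token = self.address_token, None
        return ticket, token
```

A recursive resolver talking to authoritatives from a fixed address could relax on_connectivity_change, which is the context-specific trade-off Section 7.2 allows; the stub default above keeps the stricter behaviour.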
The recommendations in Section 5.5.3 mitigate this risk by tying the usage of the NEW_TOKEN to that of session resumption, though this recommendation does not cover the case where the client is unaware of the address change.
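The client-side behaviour recommended above (a session ticket used at most once, no resumption after an address change, and the NEW_TOKEN used only together with resumption), as an added example that is not part of RFC 9250. The class and method names are this example's own; the `strict_address` switch reflects the trade-off described above for recursive resolvers with static addresses.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Resumable:
    ticket: bytes                # opaque TLS session ticket issued by the server
    new_token: Optional[bytes]   # QUIC NEW_TOKEN address validation token, if any
    local_addr: str              # client address in use when the ticket was issued


@dataclass
class ResumptionStore:
    """Holds at most one ticket per server and hands it out at most once.

    strict_address=True is the stub resolver policy (refuse to resume after an
    address change); a recursive resolver with static addresses may set it to
    False and accept the residual linkability in exchange for lower latency.
    """
    strict_address: bool = True
    _tickets: Dict[str, Resumable] = field(default_factory=dict)

    def remember(self, server: str, ticket: bytes, local_addr: str,
                 new_token: Optional[bytes] = None) -> None:
        # A newer ticket simply replaces the older one for this server.
        self._tickets[server] = Resumable(ticket, new_token, local_addr)

    def take_for_connection(self, server: str, local_addr: str
                            ) -> Tuple[Optional[bytes], Optional[bytes]]:
        """Return (ticket, new_token) for a new connection, or (None, None).

        The entry is removed whatever the outcome, so a ticket is never sent
        twice and an on-path observer cannot match two connections by it.
        When the client's address changed and strict_address is set, the
        connection falls back to a full handshake and the NEW_TOKEN is dropped
        as well, since the token alone would still link the two addresses.
        """
        entry = self._tickets.pop(server, None)
        if entry is None:
            return None, None
        if self.strict_address and entry.local_addr != local_addr:
            return None, None
        return entry.ticket, entry.new_token
```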
A potential alternative to session resumption is the use of long duration sessions: if a session remains open for a long time, new queries can be sent without incurring connection establishment delays. It is worth pointing out that the two solutions have similar privacy characteristics. Session resumption may allow servers to keep track of the IP addresses of clients, but long duration sessions have the same effect.
In particular, a DoQ implementation might take advantage of the connection migration features of QUIC to maintain a session even if the client's connectivity changes, for example, if the client migrates from a Wi-Fi connection to a cellular network connection and then to another Wi-Fi connection. The server would be able to track the client location by monitoring the succession of IP addresses used by the long duration connection.
The recommendation in Section 5.5.4 mitigates the privacy concerns related to long duration sessions using multiple client addresses.
Even though QUIC packets are encrypted, adversaries can gain information from observing packet lengths, in both queries and responses, as well as packet timing. Many DNS requests are emitted by web browsers. Loading a specific web page may require resolving dozens of DNS names. If an application adopts a simple mapping of one query or response per packet, or "one QUIC STREAM frame per packet", then the succession of packet lengths may provide enough information to identify the requested site.
Implementations SHOULD use the mechanisms defined in Section 5.4 to mitigate this attack.
This document creates a new registration for the identification of DoQ in the "TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs" registry [RFC7301].
The "doq" string identifies DoQ:
For both TCP and UDP, port 853 is currently reserved for "DNS query-response protocol run over TLS/DTLS" [RFC7858].
However, the specification for DNS over DTLS (DoD) [RFC8094] is experimental, limited to stub to resolver, and no implementations or deployments currently exist to the authors' knowledge (even though several years have passed since the specification was published).
This specification additionally reserves the use of UDP port 853 for DoQ. QUIC version 1 was designed to be able to coexist with other protocols on the same port, including DTLS; see Section 17.2 of [RFC9000]. This means that deployments that serve DoD and DoQ (QUIC version 1) on the same port will be able to demultiplex the two due to the second most significant bit in each UDP payload. Such deployments ought to check the signatures of future versions or extensions (e.g., [GREASING-QUIC]) of QUIC and DTLS before deploying them to serve DNS on the same port.
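The demultiplexing rule above, as an added example that is not part of RFC 9250: a shared UDP/853 listener classifies each datagram by the second most significant bit of its first byte (the QUIC version 1 fixed bit, 0x40). The DTLS side of the check (record content types 20 to 25 and the DTLS 1.3 unified header prefix 001) and the sample payloads are this example's own additions, and the payloads are constructed, not captured.

```python
QUIC_FIXED_BIT = 0x40  # second most significant bit of byte 0 (RFC 9000, Section 17.2)
# DTLS 1.0/1.2 record content types: change_cipher_spec, alert, handshake,
# application_data, heartbeat, tls12_cid.  None of them has 0x40 set.
DTLS_CONTENT_TYPES = {20, 21, 22, 23, 24, 25}


def classify_udp_payload(payload: bytes) -> str:
    """Classify one datagram received on UDP/853 as "quic", "dtls" or "unknown"."""
    if not payload:
        return "unknown"
    first = payload[0]
    if first & QUIC_FIXED_BIT:
        # Every QUIC version 1 packet, long or short header, has this bit set.
        return "quic"
    # DTLS 1.2 records start with a content type; DTLS 1.3 unified headers
    # start with the bit pattern 001xxxxx.  Neither sets 0x40.
    if first in DTLS_CONTENT_TYPES or (first >> 5) == 0b001:
        return "dtls"
    # A QUIC extension or future version that clears the fixed bit (such as the
    # greasing the text mentions) lands here rather than in "quic": enabling it
    # on a shared port requires re-checking this rule first.
    return "unknown"


def demux(datagrams):
    """Group datagrams by protocol, as a shared-port listener would before dispatch."""
    buckets = {"quic": [], "dtls": [], "unknown": []}
    for datagram in datagrams:
        buckets[classify_udp_payload(datagram)].append(datagram)
    return buckets


# Constructed sample payloads (leading bytes only; not captured traffic).
SAMPLES = [
    bytes([0xC0, 0x00, 0x00, 0x00, 0x01]),   # QUIC v1 long header (Initial), version 1
    bytes([0x40, 0x11, 0x22]),               # QUIC v1 short header (1-RTT)
    bytes([0x16, 0xFE, 0xFD, 0x00, 0x00]),   # DTLS 1.2 handshake record
    bytes([0x2C, 0x00, 0x01]),               # DTLS 1.3 unified header (001xxxxx)
    bytes([0x00, 0x00]),                     # fixed bit cleared: not classifiable
]
```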
IANA has updated the following value in the "Service Name and Transport Protocol Port Number Registry" in the System range. The registry for that range requires IETF Review or IESG Approval [RFC6335].
Service Name | Port Number | Transport Protocol | Assignee | Contact | Description |
---|---|---|---|---|---|
domain-s | 853 | UDP | IESG | IETF Chair | DNS query-response protocol run over DTLS or QUIC |
Additionally, IANA has updated the Description field for the corresponding TCP port 853 allocation to be "DNS query-response protocol run over TLS" and removed [RFC8094] from the TCP allocation's Reference field for consistency and clarity.
IANA has registered the following value in the "Extended DNS Error Codes" registry [RFC8914]:
IANA has added a registry for "DNS-over-QUIC Error Codes" on the "Domain Name System (DNS) Parameters" web page.
The "DNS-over-QUIC Error Codes" registry governs a 62-bit space. This space is split into three regions that are governed by different policies:
Provisional reservations share the range of values larger than 0x3f with some permanent registrations. This is by design to enable conversion of provisional registrations into permanent registrations without requiring changes in deployed systems. (This design is aligned with the principles set in Section 22 of [RFC9000].)
Registrations in this registry MUST include the following fields:
- The assigned codepoint
- "Permanent" or "Provisional"
- Contact details for the registrant
In addition, permanent registrations MUST include:
- A short mnemonic for the parameter
- A reference to a publicly available specification for the value (optional for provisional registrations)
- A brief description of the error code semantics, which MAY be a summary if a specification reference is provided
Provisional registrations of codepoints are intended to allow for private use and experimentation with extensions to DoQ. However, provisional registrations could be reclaimed and reassigned for other purposes. In addition to the parameters listed above, provisional registrations MUST include:
- The date of last update to the registration
A request to update the date on any provisional registration can be made without review from the designated expert(s).
The initial content of this registry is shown in Table 1 and all entries share the following fields:
Value | Error | Description |
---|---|---|
0x0 | DOQ_NO_ERROR | No error |
0x1 | DOQ_INTERNAL_ERROR | Implementation error |
0x2 | DOQ_PROTOCOL_ERROR | Generic protocol violation |
0x3 | DOQ_REQUEST_CANCELLED | Request cancelled by client |
0x4 | DOQ_EXCESSIVE_LOAD | Closing a connection for excessive load |
0x5 | DOQ_UNSPECIFIED_ERROR | No error reason specified |
0xd098ea5e | DOQ_ERROR_RESERVED | Alternative error code used for tests |
This appendix discusses why it is considered acceptable to send NOTIFY (see [RFC1996]) in 0-RTT data.
Section 4.5 says "The 0-RTT mechanism MUST NOT be used to send DNS requests that are not "replayable" transactions". This specification supports sending a NOTIFY in 0-RTT data because although a NOTIFY technically changes the state of the receiving server, the effect of replaying NOTIFYs has negligible impact in practice.
NOTIFY messages prompt a secondary to either send an SOA query or an XFR request to the primary on the basis that a newer version of the zone is available. It has long been recognized that NOTIFYs can be forged and, in theory, used to cause a secondary to send repeated unnecessary requests to the primary. For this reason, most implementations have some form of throttling of the SOA/XFR queries triggered by the receipt of one or more NOTIFYs.
[RFC9103] describes the privacy risks associated with both NOTIFY and SOA queries and does not include addressing those risks within the scope of encrypting zone transfers. Given this, the privacy benefit of using DoQ for NOTIFY is not clear, but for the same reason, sending NOTIFY as 0-RTT data has no privacy risk above that of sending it using cleartext DNS.
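The 0-RTT gating rule discussed in the privacy considerations and in this appendix (only requests that do not change long-term server state, with NOTIFY admitted for the reasons given above), as an added example that is not part of RFC 9250: a client-side check on the DNS header deciding whether a request may be sent as 0-RTT data or must wait for the handshake. The opcode allowlist is this example's reading of the page and not the text of Section 4.5, which is not reproduced here; the request builder produces constructed sample messages.

```python
import struct

OPCODE_QUERY, OPCODE_NOTIFY, OPCODE_UPDATE = 0, 4, 5
# Assumption of this example (Section 4.5 is not reproduced on this page):
# QUERY does not change server state, and Appendix A argues NOTIFY is acceptable.
# UPDATE, unknown opcodes and anything with QR set are held back for 1-RTT.
REPLAYABLE_OPCODES = {OPCODE_QUERY, OPCODE_NOTIFY}


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035, Section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def may_send_in_0rtt(msg: bytes) -> bool:
    """True only for requests the policy above treats as replayable."""
    hdr = parse_header(msg)
    if hdr["qr"]:
        return False  # a response is never a request, let alone a replayable one
    return hdr["opcode"] in REPLAYABLE_OPCODES


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_request(ident: int, opcode: int, qname: str, qtype: int) -> bytes:
    """Constructed one-question request (question/zone section only, class IN)."""
    flags = (opcode & 0xF) << 11
    if opcode == OPCODE_QUERY:
        flags |= 1 << 8  # RD: recursion desired, as a stub resolver would set
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)
```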
This document liberally borrows text from the HTTP/3 specification [HTTP/3] edited by Mike Bishop and from the DoT specification [RFC7858] authored by Zi Hu, Liang Zhu, John Heidemann, Allison Mankin, Duane Wessels, and Paul Hoffman.
The privacy issue with 0-RTT data and session resumption was analyzed by Daniel Kahn Gillmor (DKG) in a message to the IETF DPRIVE Working Group [DNS0RTT].
Thanks to Tony Finch for an extensive review of the initial draft version of this document, and to Robert Evans for the discussion of 0-RTT privacy issues. Early reviews by Paul Hoffman and Martin Thomson and interoperability tests conducted by Stephane Bortzmeyer helped improve the definition of the protocol.
Thanks also to Martin Thomson and Martin Duke for their later reviews focusing on the low-level QUIC details, which helped clarify several aspects of DoQ. Thanks to Andrey Meshkov, Loganaden Velvindron, Lucas Pardue, Matt Joras, Mirja Kuelewind, Brian Trammell, and Phillip Hallam-Baker for their reviews and contributions.