| RFC 9230 | Oblivious DoH | June 2022 |
| Kinnear, et al. | Experimental | [Page] |
This document describes a protocol that allows clients to hide their IP addresses from DNS resolversvia proxying encrypted DNS over HTTPS (DoH) messages. This improves privacy ofDNS operations by not allowing any one server entity to be aware of both the client IPaddress and the content of DNS queries and answers.¶
This experimental protocol has been developed outside the IETF and is published here toguide implementation, ensure interoperability among implementations, and enablewide-scale experimentation.¶
This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation.¶
This document defines an Experimental Protocol for the Internet community. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not candidates for any level of Internet Standard; see Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9230.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
DNS over HTTPS (DoH)[RFC8484] defines a mechanism to allow DNS messages to betransmitted in HTTP messages protected with TLS. This provides improved confidentialityand authentication for DNS interactions in various circumstances.¶
While DoH can prevent eavesdroppers from directly reading the contents of DNS exchanges,clients cannot send DNS queries to and receive answers from servers without revealingtheir local IP address (and thus information about the identity or location of the client)to the server.¶
Proposals such as Oblivious DNS[OBLIVIOUS-DNS] increase privacyby ensuring that no single DNS server is aware of both the client IP address and the messagecontents.¶
This document defines Oblivious DoH, an experimental protocol built on DoH that permits proxiedresolution, in which DNS messages are encrypted so that no server can independently readboth the client IP address and the DNS message contents.¶
As with DoH, DNS messages exchanged over Oblivious DoH are fully formed DNS messages.Clients that want to receive answers that are relevant to the network they are on withoutrevealing their exact IP address can thus use the EDNS0 Client Subnet option ([RFC7871],Section 7.1.2)to provide a hint to the resolver using Oblivious DoH.¶
This mechanism is intended to be used as one mechanism for resolving privacy-sensitivecontent in the broader context of DNS privacy.¶
This experimental protocol has been developed outside the IETF and is published here toguide implementation, ensure interoperability among implementations, and enablewide-scale experimentation. SeeSection 10 for more details about the experiment.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document defines the following terms:¶
A client that sends DNS queries to an Oblivious Target, through an Oblivious Proxy. The Client is responsible for selecting the combination of Proxy and Target to use for a given query.¶
An HTTP server that proxies encrypted DNS queries and responses between an Oblivious Client and anOblivious Target and is identified by a URI Template[RFC6570] (seeSection 4.1).Note that this Oblivious Proxy is not acting as a full HTTP proxy but is instead a specializedserver used to forward Oblivious DNS messages.¶
An HTTP server that receives and decrypts encrypted Oblivious Client DNS queries from an Oblivious Proxyand returns encrypted DNS responses via that same Proxy. In order to provide DNS responses, the Targetcan be a DNS resolver, be co-located with a resolver, or forward to a resolver.¶
Throughout the rest of this document, we use the terms "Client", "Proxy", and "Target" to refer to an Oblivious Client, Oblivious Proxy, and Oblivious Target, respectively.¶
Oblivious DoH requires, at a minimum:¶
The mechanism for discovering and provisioning the Proxy URI Template and Target public keysis out of scope for this document.¶
Unlike direct resolution, oblivious hostname resolution over DoH involves three parties:¶
--- [ Request encrypted with Target public key ] -->+---------+ +-----------+ +-----------+| Client +-------------> Oblivious +-------------> Oblivious || <-------------+ Proxy <-------------+ Target |+---------+ +-----------+ +-----------+ <-- [ Response encrypted with symmetric key ] ---
Oblivious DoH queries are created by the Client and are sent to the Proxy as HTTPrequests using the POST method. Clients are configured with a Proxy URI Template[RFC6570] and the Target URI. The scheme for both the Proxy URI Template andthe Target URIMUST be "https". The Proxy URI Template uses the Level 3 encodingdefined inSection 1.2 of [RFC6570] and contains two variables: "targethost",which indicates the hostname of the Target server; and "targetpath",which indicates the path on which the Target is accessible. Examples ofProxy URI Templates are shown below:¶
https://dnsproxy.example/dns-query{?targethost,targetpath}https://dnsproxy.example/{targethost}/{targetpath}¶The URI TemplateMUST contain both the "targethost" and "targetpath" variables exactlyonce andMUST NOT contain any other variables. The variablesMUST be within the pathor query components of the URI. ClientsMUST ignore configurations that do not conformto this template. SeeSection 4.2 for an example request.¶
Oblivious DoH messages have no cache value, since both requests and responses areencrypted using ephemeral key material. Requests and responsesMUST NOT be cached.¶
ClientsMUST set the HTTP Content-Type header to "application/oblivious-dns-message"to indicate that this request is an Oblivious DoH query intended for proxying. ClientsalsoSHOULD set this same value for the HTTP Accept header.¶
A correctly encoded request has the HTTP Content-Type header "application/oblivious-dns-message",uses the HTTP POST method, and contains "targethost" and "targetpath" variables. If the Proxyfails to match the "targethost" and "targetpath" variables from the path, itMUST treat therequest as malformed. The Proxy constructs the URI of the Target with the "https" scheme, using the value of "targethost" as the URI host and the percent-decoded value of "targetpath" as theURI path. ProxiesMUST check that Client requests are correctly encoded andMUST return a4xx (Client Error) if the check fails, along with the Proxy-Status response headerwith an "error" parameter of type "http_request_error"[RFC9209].¶
ProxiesMAY choose to not forward connections to non-standard ports. In such cases, Proxiescan indicate the error with a 403 response status code, along with a Proxy-Status responseheader with an "error" parameter of type "http_request_denied" and with an appropriateexplanation in "details".¶
If the Proxy cannot establish a connection to the Target, it can indicate the error with a 502 response status code, along with a Proxy-Status response header with an "error" parameterwhose type indicates the reason. For example, if DNS resolution fails, the error type might be"dns_timeout", whereas if the TLS connection fails, the error type might be "tls_protocol_error".¶
Upon receipt of requests from a Proxy, TargetsMUST validate that the request has the HTTPContent-Type header "application/oblivious-dns-message" and uses the HTTP POST method.Targets can respond with a 4xx response status code if this check fails.¶
The following example shows how a Client requests that a Proxy, "dnsproxy.example",forward an encrypted message to "dnstarget.example". The URI Template for theProxy is "https://dnsproxy.example/dns-query{?targethost,targetpath}". The URI forthe Target is "https://dnstarget.example/dns-query".¶
:method = POST:scheme = https:authority = dnsproxy.example:path = /dns-query?targethost=dnstarget.example&targetpath=/dns-queryaccept = application/oblivious-dns-messagecontent-type = application/oblivious-dns-messagecontent-length = 106<Bytes containing an encrypted Oblivious DNS query>¶
The Proxy then sends the following request on to the Target:¶
:method = POST:scheme = https:authority = dnstarget.example:path = /dns-queryaccept = application/oblivious-dns-messagecontent-type = application/oblivious-dns-messagecontent-length = 106<Bytes containing an encrypted Oblivious DNS query>¶
The response to an Oblivious DoH query is generated by the Target. ItMUST set theContent-Type HTTP header to "application/oblivious-dns-message" for all successful responses.The body of the response contains an encrypted DNS message; seeSection 6.¶
The response from a TargetMUST set the Content-Type HTTP header to "application/oblivious-dns-message", and that same typeMUST be used on all successful responses sent by the Proxy to the Client. A ClientMUST only consider a response that contains theContent-Type header before processing the payload. A response without the appropriate headerMUST betreated as an error and be handled appropriately. All other aspects of the HTTP response and error handling areinherited from standard DoH.¶
Proxies forward responses from the Target to the Client, without any modifications to the body or status code.The Proxy alsoSHOULD add a Proxy-Status response header with a "received-status" parameter indicatingthat the status code was generated by the Target.¶
Note that if a Client receives a 3xx status code and chooses to follow a redirect, the subsequent requestMUST also be performed through a Proxy in order to avoid directly exposing requests to the Target.¶
Requests that cannot be processed by the Target result in 4xx (Client Error) responses. If the Targetand Client keys do not match, it is an authorization failure (HTTP status code 401; seeSection 15.5.2 of [HTTP]). Otherwise, if the Client's request is invalid, such as in the case of decryptionfailure, wrong message type, or deserialization failure, this is a bad request (HTTP status code 400; seeSection 15.5.1 of [HTTP]).¶
Even in the case of DNS responses indicating failure, such as SERVFAIL or NXDOMAIN, a successful HTTP responsewith a 2xx status code is used as long as the DNS response is valid. This is identical to how DoH[RFC8484]handles HTTP response codes.¶
The following example shows a 2xx (Successful) response that can be sent from a Target toa Client via a Proxy.¶
:status = 200content-type = application/oblivious-dns-messagecontent-length = 154<Bytes containing an encrypted Oblivious DNS response>¶
Proxies forward requests and responses between Clients and Targets as specified inSection 4.1.Metadata sent with these messages could inadvertently weaken or remove Oblivious DoH privacy properties.ProxiesMUST NOT send any Client-identifying information about Clients to Targets, such as"Forwarded" HTTP headers[RFC7239]. Additionally, ClientsMUST NOT include any private state inrequests to Proxies, such as HTTP cookies. SeeSection 11.3 for related discussion aboutClient authentication information.¶
In order to send a message to a Target, the Client needs to know a public key to usefor encrypting its queries. The mechanism for discovering this configuration isout of scope for this document.¶
Servers ought to rotate public keys regularly. It isRECOMMENDED that servers rotate keysevery day. Shorter rotation windows reduce the anonymity set of Clients that might usethe public key, whereas longer rotation windows widen the time frame of possible compromise.¶
An Oblivious DNS public key configuration is a structure encoded, using TLS-styleencoding[RFC8446], as follows:¶
struct { uint16 kem_id; uint16 kdf_id; uint16 aead_id; opaque public_key<1..2^16-1>;} ObliviousDoHConfigContents;struct { uint16 version; uint16 length; select (ObliviousDoHConfig.version) { case 0x0001: ObliviousDoHConfigContents contents; }} ObliviousDoHConfig;ObliviousDoHConfig ObliviousDoHConfigs<1..2^16-1>;¶TheObliviousDoHConfigs structure contains one or moreObliviousDoHConfig structures in decreasing order ofpreference. This allows a server to support multiple versions of Oblivious DoH and multiple sets of Oblivious DoHparameters.¶
AnObliviousDoHConfig structure contains a versioned representation of an Oblivious DoH configuration,with the following fields.¶
The version of Oblivious DoH for which this configuration is used. ClientsMUST ignore anyObliviousDoHConfig structure with a version they do not support. The version of Oblivious DoHspecified in this document is0x0001.¶
The length, in bytes, of the next field.¶
An opaque byte string whose contents depend on the version. For thisspecification, the contents are anObliviousDoHConfigContents structure.¶
AnObliviousDoHConfigContents structure contains the information needed to encrypt a message underObliviousDoHConfigContents.public_key such that only the owner of the corresponding privatekey can decrypt the message. The values forObliviousDoHConfigContents.kem_id,ObliviousDoHConfigContents.kdf_id, andObliviousDoHConfigContents.aead_idare described inSection 7 of [HPKE]. The fields in this structureare as follows:¶
The hybrid public key encryption (HPKE) key encapsulation mechanism (KEM) identifier corresponding topublic_key. ClientsMUST ignore anyObliviousDoHConfig structure with a key using a KEM they do not support.¶
The HPKE key derivation function (KDF) identifier corresponding topublic_key. ClientsMUST ignore anyObliviousDoHConfig structure with a key using a KDF they do not support.¶
The HPKE authenticated encryption with associated data (AEAD) identifier corresponding topublic_key. ClientsMUST ignore anyObliviousDoHConfig structure with a key using an AEAD they do not support.¶
The HPKE public key used by the Client to encrypt Oblivious DoH queries.¶
This section includes encoding and wire format details for Oblivious DoH, as wellas routines for encrypting and decrypting encoded values.¶
There are two types of Oblivious DoH messages: Queries (0x01) and Responses (0x02).Both messages carry the following information:¶
They are encoded using the following structure:¶
struct { opaque dns_message<1..2^16-1>; opaque padding<0..2^16-1>;} ObliviousDoHMessagePlaintext;¶Both Query and Response messages use theObliviousDoHMessagePlaintext format.¶
ObliviousDoHMessagePlaintext ObliviousDoHQuery;ObliviousDoHMessagePlaintext ObliviousDoHResponse;¶
An encryptedObliviousDoHMessagePlaintext parameter is carried in anObliviousDoHMessagemessage, encoded as follows:¶
struct { uint8 message_type; opaque key_id<0..2^16-1>; opaque encrypted_message<1..2^16-1>;} ObliviousDoHMessage;¶TheObliviousDoHMessage structure contains the following fields:¶
A one-byte identifier for the type of message. Query messages usemessage_type 0x01, and Responsemessages usemessage_type 0x02.¶
The identifier of the correspondingObliviousDoHConfigContents key. This is computed asExpand(Extract("", config), "odoh key id", Nh), whereconfig is theObliviousDoHConfigContents structureandExtract,Expand, andNh are as specified by the HPKE cipher suite KDF corresponding toconfig.kdf_id.¶
An encrypted message for the Oblivious Target (for Query messages) or Client (for Response messages).ImplementationsMAY enforce limits on the size of this field, depending on the size of plaintext DNSmessages. (DNS queries, for example, will not reach the size limit of 2^16-1 in practice.)¶
The contents ofObliviousDoHMessage.encrypted_message depend onObliviousDoHMessage.message_type.In particular,ObliviousDoHMessage.encrypted_message is an encryption of anObliviousDoHQuery messageif the message is a Query and an encryption ofObliviousDoHResponse if the message is a Response.¶
Clients use the following utility functions for encrypting a Query and decryptinga Response as described inSection 7.¶
def encrypt_query_body(pkR, key_id, Q_plain): enc, context = SetupBaseS(pkR, "odoh query") aad = 0x01 || len(key_id) || key_id ct = context.Seal(aad, Q_plain) Q_encrypted = enc || ct return Q_encrypted¶
def decrypt_response_body(context, Q_plain, R_encrypted, resp_nonce): aead_key, aead_nonce = derive_secrets(context, Q_plain, resp_nonce) aad = 0x02 || len(resp_nonce) || resp_nonce R_plain, error = Open(key, nonce, aad, R_encrypted) return R_plain, error¶
Thederive_secrets function is described below.¶
Targets use the following utility functions in processing queries and producingresponses as described inSection 8.¶
def setup_query_context(skR, key_id, Q_encrypted): enc || ct = Q_encrypted context = SetupBaseR(enc, skR, "odoh query") return context¶
def decrypt_query_body(context, key_id, Q_encrypted): aad = 0x01 || len(key_id) || key_id enc || ct = Q_encrypted Q_plain, error = context.Open(aad, ct) return Q_plain, error¶
def derive_secrets(context, Q_plain, resp_nonce): secret = context.Export("odoh response", Nk) salt = Q_plain || len(resp_nonce) || resp_nonce prk = Extract(salt, secret) key = Expand(odoh_prk, "odoh key", Nk) nonce = Expand(odoh_prk, "odoh nonce", Nn) return key, nonce¶Therandom(N) function returnsN cryptographically secure random bytesfrom a good source of entropy[RFC4086]. Themax(A, B) function returnsA ifA > B, andB otherwise.¶
def encrypt_response_body(R_plain, aead_key, aead_nonce, resp_nonce): aad = 0x02 || len(resp_nonce) || resp_nonce R_encrypted = Seal(aead_key, aead_nonce, aad, R_plain) return R_encrypted¶
LetM be a DNS message (query) a Client wishes to protect with Oblivious DoH.When sending an Oblivious DoH Query for resolvingM to an Oblivious Target withObliviousDoHConfigContentsconfig, a Client does the following:¶
ObliviousDoHQuery structure, carrying the message M and padding, to produce Q_plain.¶config.public_key to produce a public key pkR of typeconfig.kem_id.¶Q_encrypted = encrypt_query_body(pkR, key_id, Q_plain),wherekey_id is as computed inSection 6. Note also thatlen(key_id) outputs the length ofkey_idas a two-byte unsigned integer.¶ObliviousDoHMessage messageQ, whereQ.message_type = 0x01,Q.key_id carrieskey_id,andQ.encrypted_message = Q_encrypted.¶The Client then sendsQ to the Proxy according toSection 4.1.Once the Client receives a responseR, encrypted as specified inSection 8,it usesdecrypt_response_body to decryptR.encrypted_message (usingR.key_id asa nonce) and produce R_plain. ClientsMUST validateR_plain.padding (as all zeros)before usingR_plain.dns_message.¶
Targets that receive a Query message Q decrypt and process it as follows:¶
ObliviousDoHConfigContents information according toQ.key_id. If no such key exists,the TargetMAY discard the query, and if so, itMUST return a 401 (Unauthorized) responseto the Proxy. Otherwise, letskR be the private key corresponding to this public key,or one chosen for trial decryption.¶context = setup_query_context(skR, Q.key_id, Q.encrypted_message).¶Q_plain, error = decrypt_query_body(context, Q.key_id, Q.encrypted_message).¶Q_plain.padding is valid (all zeros), resolveQ_plain.dns_message as needed, yielding a DNS message M. Otherwise, if an errorwas returned or the padding was invalid, return a 400 (Client Error) response to the Proxy.¶ObliviousDoHResponseBody structure, carrying the messageM and padding,to produceR_plain.¶resp_nonce = random(max(Nn, Nk)).¶aead_key, aead_nonce = derive_secrets(context, Q_plain, resp_nonce).¶R_encrypted = encrypt_response_body(R_plain, aead_key, aead_nonce, resp_nonce).Thekey_id field used for encryption carriesresp_nonce in order for Clients toderive the same secrets. Also, theSeal function is the function that is associated with theHPKE AEAD.¶ObliviousDoHMessage messageR, whereR.message_type = 0x02,R.key_id = resp_nonce, andR.encrypted_message = R_encrypted.¶The Target then sendsR in a 2xx (Successful) response to the Proxy; seeSection 4.3.The Proxy forwards the messageR without modification back to the Client as the HTTP responseto the Client's original HTTP request. In the event of an error (non-2xx status code), theProxy forwards the Target error to the Client; seeSection 4.3.¶
Oblivious DoH uses HPKE for public key encryption[HPKE].In the absence of an application profile standard specifying otherwise, a compliantOblivious DoH implementationMUST support the following HPKE cipher suite:¶
This document describes an experimental protocol built on DoH. The purpose of thisexperiment is to assess deployment configuration viability and related performanceimpacts on DNS resolution by measuring key performance indicators such as resolutionlatency. Experiment participants will test various parameters affecting service operationand performance, including mechanisms for discovery and configuration of DoH Proxiesand Targets, as well as performance implications of connection reuse and pools whereappropriate. The results of this experiment will be used to influence future protocoldesign and deployment efforts related to Oblivious DoH, such as Oblivious HTTP[OHTP]. Implementations of DoH that are not involved in theexperiment will not recognize this protocol and will not participate in the experiment.It is anticipated that the use of Oblivious DoH will be widespread and that this experiment will be of long duration.¶
Oblivious DoH aims to keep knowledge of the true query origin and its contents known only to Clients.As a simplified model, consider a case where there exist two Clients C1 and C2, one Proxy P, andone Target T. Oblivious DoH assumes an extended Dolev-Yao style attacker[Dolev-Yao] that can observe allnetwork activity and can adaptively compromise either P or T, but not C1 or C2. Note that compromisingboth P and T is equivalent to collusion between these two parties in practice. Once compromised,the attacker has access to all session information and private key material. (This generalizes toarbitrarily many Clients, Proxies, and Targets, with the constraints that (1) not all Targets and Proxiesare simultaneously compromised and (2) at least two Clients are left uncompromised.) The attacker isprohibited from sending Client-identifying information, such as IP addresses, to Targets. (This wouldallow the attacker to trivially link a query to the corresponding Client.)¶
In this model, both C1 and C2 send Oblivious DoH queries Q1 and Q2, respectively, through P to T,and T provides answers A1 and A2. The attacker aims to link C1 to (Q1, A1) and C2 to (Q2, A2), respectively.The attacker succeeds if this linkability is possible without any additional interaction. (For example,if T is compromised, it could return a DNS answer corresponding to an entity it controls and then observethe subsequent connection from a Client, learning its identity in the process. Such attacks are out ofscope for this model.)¶
Oblivious DoH security prevents such linkability. Informally, this means:¶
Traffic analysis mitigations are outside the scope of this document. In particular, this documentdoes not prescribe padding lengths forObliviousDoHQuery andObliviousDoHResponse messages.ImplementationsSHOULD follow the guidance in[RFC8467] for choosing padding length.¶
Oblivious DoH security does not depend on Proxy and Target indistinguishability. Specifically, anon-path attacker could determine whether a connection to a specific endpoint is used for oblivious ordirect DoH queries. However, this has no effect on the confidentiality goals listed above.¶
Malicious Clients (or Proxies) can send bogus Oblivious DoH queries to Targets as a Denial-of-Service(DoS) attack. Target servers can throttle processing requests if such an event occurs. Additionally,since Targets provide explicit errors upon decryption failure, i.e., if ciphertext decryption failsor if the plaintext DNS message is malformed, Proxies can throttle specific Clients in response tothese errors. In general, however, Targets trust Proxies to not overwhelm the Target, and it isexpected that Proxies implement either some form of rate limiting or client authentication to limitabuse; seeSection 11.3.¶
Malicious Targets or Proxies can send bogus answers in response to Oblivious DoH queries. Responsedecryption failure is a signal that either the Proxy or Target is misbehaving. Clients can choose tostop using one or both of these servers in the event of such failure. However, as noted above, maliciousTargets and Proxies are out of scope for the threat model.¶
Proxies are free to enforce any forwarding policy they desire for Clients. For example, they can chooseto only forward requests to known or otherwise trusted Targets.¶
Proxies that do not reuse connections to Targets for many Clients may allow Targets to link individualqueries to unknown Targets. To mitigate this linkability vector, it isRECOMMENDED that Proxies pooland reuse connections to Targets. Note that this benefits performance as well as privacy, sincequeries do not incur any delay that might otherwise result from Proxy-to-Target connection establishment.¶
Depending on the deployment scenario, Proxies and Targets might require authentication before use.Regardless of the authentication mechanism in place, ProxiesMUST NOT reveal any Clientauthentication information to Targets. This is required so Targets cannot uniquely identifyindividual Clients.¶
Note that if Targets require Proxies to authenticate at the HTTP or application layer before use,this ought to be done before attempting to forward any Client query to the Target. This will allowProxies to distinguish 401 (Unauthorized) response codes due to authentication failure from401 response codes due to Client key mismatch; seeSection 4.3.¶
This document makes changes to the "Media Types" registry.The changes are described in the following subsection.¶
This document registers a new media type, "application/oblivious-dns-message".¶
ObliviousDoHMessage values, as definedinSection 6.1.¶Using DoH over anonymizing proxy services such as Tor can also achieve the desired goal of separatingquery origins from their contents. However, there are several reasons why such systems are undesirableas contrasted with Oblivious DoH:¶
This work is inspired by Oblivious DNS[OBLIVIOUS-DNS]. Thanks to all of theauthors of that document. Thanks toNafeez Ahamed,Elliot Briggs,Marwan Fayed,Jonathan Hoyland,Frederic Jacobs,Tommy Jensen,Erik Nygren,Paul Schmitt,Brian Swander, andPeter Wufor their feedback and input.¶