0
00:00:00,000 --> 00:00:30,000
Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/1400 Thanks!

1
00:00:21,330 --> 00:00:23,489
OK, now for the first

2
00:00:23,490 --> 00:00:26,279
talk in the nightshift, basically it's

3
00:00:26,280 --> 00:00:28,629
encrypted DNS, the

4
00:00:28,630 --> 00:00:30,959
the good, bad and ugly of DNS

5
00:00:30,960 --> 00:00:33,239
over HTTPS, and Sebastian

6
00:00:33,240 --> 00:00:35,669
is going to talk about that and

7
00:00:35,670 --> 00:00:37,259
all aspects of it.

8
00:00:37,260 --> 00:00:38,909
Please give him a warm welcome.

9
00:00:44,260 --> 00:00:45,310
Consider at least not one that's.

10
00:00:46,940 --> 00:00:47,940
OK.

11
00:00:48,580 --> 00:00:49,959
Hi, I'm Sebastian.

12
00:00:49,960 --> 00:00:51,069
Um, just

13
00:00:51,070 --> 00:00:53,679
a small heads up, the title is

14
00:00:53,680 --> 00:00:55,749
actually borrowed from Daniel Stenberg.

15
00:00:55,750 --> 00:00:57,579
Daniel, so I thought, cool.

16
00:00:57,580 --> 00:00:59,829
Um, thanks, Daniel, for

17
00:00:59,830 --> 00:01:00,969
your title.

18
00:01:00,970 --> 00:01:03,549
Um, I work for a German-

19
00:01:03,550 --> 00:01:05,109
speaking online IT news magazine.

20
00:01:05,110 --> 00:01:06,339
Name doesn't matter.

21
00:01:06,340 --> 00:01:08,439
Um, part of my work was going

22
00:01:08,440 --> 00:01:09,939
to the IETF meeting.

23
00:01:09,940 --> 00:01:11,739
So for those people who don't know, the

24
00:01:11,740 --> 00:01:13,629
IETF is the Internet Engineering Task

25
00:01:13,630 --> 00:01:15,729
Force. Those are the people who

26
00:01:15,730 --> 00:01:18,159
actually work on the protocols

27
00:01:18,160 --> 00:01:19,539
that make up the internet.
28
00:01:19,540 --> 00:01:22,149
So whenever there's an IETF standard,

29
00:01:22,150 --> 00:01:22,929
um,

30
00:01:22,930 --> 00:01:24,669
that is what the internet actually is.

31
00:01:27,190 --> 00:01:27,699
At

32
00:01:27,700 --> 00:01:30,069
the IETF 99 in Prague,

33
00:01:30,070 --> 00:01:32,359
um, there was a so-called

34
00:01:32,360 --> 00:01:34,509
dispatch, so some developer comes up

35
00:01:34,510 --> 00:01:36,609
with a new idea and asks

36
00:01:36,610 --> 00:01:39,279
the IETF if they want to work on

37
00:01:39,280 --> 00:01:40,779
their idea or not.

38
00:01:40,780 --> 00:01:42,759
Um, they wanted to work on it.

39
00:01:42,760 --> 00:01:45,069
And that protocol was called

40
00:01:45,070 --> 00:01:46,269
DNS over

41
00:01:46,270 --> 00:01:48,129
HTTPS, and it was dispatched into its own

42
00:01:48,130 --> 00:01:49,059
working group.

43
00:01:49,060 --> 00:01:51,159
So there were people that worked just on

44
00:01:51,160 --> 00:01:53,679
that protocol, and I'm

45
00:01:53,680 --> 00:01:55,929
gonna tell you why they worked

46
00:01:55,930 --> 00:01:57,469
on DNS over

47
00:01:57,470 --> 00:01:58,470
HTTPS.

48
00:01:58,960 --> 00:02:00,639
Um, so I have

49
00:02:00,640 --> 00:02:02,559
to actually read this for you because

50
00:02:02,560 --> 00:02:05,199
it's maybe a bit too small for slides.

51
00:02:05,200 --> 00:02:06,549
So in the middle, you can see Eric

52
00:02:06,550 --> 00:02:08,769
Rescorla. He's the CTO of Firefox

53
00:02:08,770 --> 00:02:09,819
for Mozilla.

54
00:02:09,820 --> 00:02:12,039
So he's doing all the technical bits

55
00:02:12,040 --> 00:02:13,040
for Firefox.

56
00:02:14,110 --> 00:02:16,239
And he was explaining, uh, DoH

57
00:02:16,240 --> 00:02:18,369
to some people in an audience,

58
00:02:18,370 --> 00:02:20,709
just like I do now, on Twitter.
59
00:02:20,710 --> 00:02:23,019
Somebody then said the right

60
00:02:23,020 --> 00:02:24,639
answer is that everyone

61
00:02:24,640 --> 00:02:25,329
should

62
00:02:25,330 --> 00:02:27,519
be running a feature complete caching and

63
00:02:27,520 --> 00:02:29,769
forwarding resolver on localhost.

64
00:02:29,770 --> 00:02:31,809
All the rest of these discussions are

65
00:02:31,810 --> 00:02:34,569
noise from companies that want eyeballs.

66
00:02:34,570 --> 00:02:35,709
Um, yeah.

67
00:02:35,710 --> 00:02:36,999
So for those of you

68
00:02:37,000 --> 00:02:38,559
who may not

69
00:02:38,560 --> 00:02:40,629
know actually any of those words,

70
00:02:40,630 --> 00:02:42,189
you're the actual target audience of

71
00:02:42,190 --> 00:02:43,190
DoH.

72
00:02:44,290 --> 00:02:45,459
For all the others,

73
00:02:45,460 --> 00:02:47,469
well, you may learn something about DNS

74
00:02:47,470 --> 00:02:49,569
as well, um, that's what I'm here

75
00:02:49,570 --> 00:02:50,570
for.

76
00:02:51,010 --> 00:02:53,469
Um, so in the beginning

77
00:02:53,470 --> 00:02:54,949
there was no DNS.

78
00:02:54,950 --> 00:02:57,129
Um, as we all know, computers

79
00:02:57,130 --> 00:02:59,349
talk to each other by IP.

80
00:02:59,350 --> 00:03:01,269
The thing is, um,

81
00:03:01,270 --> 00:03:03,129
how do you map an IP address to an

82
00:03:03,130 --> 00:03:04,899
actual machine?

83
00:03:04,900 --> 00:03:06,219
Well, it's kind of hard.

84
00:03:06,220 --> 00:03:08,439
You all may know that there's an

85
00:03:08,440 --> 00:03:10,629
/etc/hosts file on

86
00:03:10,630 --> 00:03:11,709
your device.

87
00:03:11,710 --> 00:03:13,929
Um, basically any operating

88
00:03:13,930 --> 00:03:15,789
system out there has this file.

89
00:03:16,870 --> 00:03:17,799
With DNS,

90
00:03:17,800 --> 00:03:20,019
that file is actually not necessary, but

91
00:03:20,020 --> 00:03:20,739
we still use it.
92
00:03:20,740 --> 00:03:23,019
And that file, uh,

93
00:03:23,020 --> 00:03:25,659
the hosts file, it's like 40 years

94
00:03:25,660 --> 00:03:26,660
old.

95
00:03:28,170 --> 00:03:30,599
And this was used before the internet

96
00:03:30,600 --> 00:03:32,369
actually existed, in the ARPANET.

97
00:03:32,370 --> 00:03:34,679
They had a few problems with that:

98
00:03:34,680 --> 00:03:36,389
at each node of the ARPANET,

99
00:03:36,390 --> 00:03:39,359
they had to manually maintain

100
00:03:39,360 --> 00:03:41,759
the hosts file, and in order to sync

101
00:03:41,760 --> 00:03:43,679
them, they had to phone them.

102
00:03:43,680 --> 00:03:45,449
They had to actually send letters to each

103
00:03:45,450 --> 00:03:47,609
other in order to sync the names for

104
00:03:47,610 --> 00:03:50,579
the IP addresses and computers.

105
00:03:50,580 --> 00:03:51,999
That didn't work out quite well.

106
00:03:52,000 --> 00:03:53,759
So they ended up with a lot of different

107
00:03:53,760 --> 00:03:56,219
names for the same computers, which is

108
00:03:56,220 --> 00:03:57,779
basically a clusterfuck and you don't

109
00:03:57,780 --> 00:03:58,780
really want this.

110
00:04:00,300 --> 00:04:02,789
So after 15 years and with the growing

111
00:04:02,790 --> 00:04:04,049
ARPANET,

112
00:04:04,050 --> 00:04:04,829
they

113
00:04:04,830 --> 00:04:06,899
came up with an idea which we now

114
00:04:06,900 --> 00:04:07,900
know as DNS.

115
00:04:09,280 --> 00:04:11,469
The basic idea is to automate

116
00:04:11,470 --> 00:04:13,809
the mapping of an IP to domain

117
00:04:13,810 --> 00:04:15,969
names or vice versa.

118
00:04:15,970 --> 00:04:18,129
So if a client asks for the

119
00:04:18,130 --> 00:04:20,319
IP of a domain,

120
00:04:20,320 --> 00:04:22,509
some server answers and gives you

121
00:04:22,510 --> 00:04:23,469
the IP address.

122
00:04:23,470 --> 00:04:26,359
That's still how DNS

123
00:04:26,360 --> 00:04:28,599
resolution works now.
124
00:04:28,600 --> 00:04:30,669
Nothing changed in

125
00:04:30,670 --> 00:04:32,350
this idea for the last 30 years.

126
00:04:35,200 --> 00:04:36,369
So

127
00:04:36,370 --> 00:04:38,229
before they actually started on the

128
00:04:38,230 --> 00:04:40,060
technical bits, they started

129
00:04:41,290 --> 00:04:43,479
working on the idea of how should

130
00:04:43,480 --> 00:04:43,959
our system

131
00:04:43,960 --> 00:04:44,869
work?

132
00:04:44,870 --> 00:04:47,199
The basic idea is you've got a worldwide

133
00:04:47,200 --> 00:04:49,449
global hierarchy where you put

134
00:04:49,450 --> 00:04:51,939
all your domain names into it.

135
00:04:51,940 --> 00:04:54,009
Then you've got decentralized servers,

136
00:04:54,010 --> 00:04:56,469
thousands of servers that take care

137
00:04:56,470 --> 00:04:57,470
of that hierarchy.

138
00:04:59,110 --> 00:05:01,239
In order to do this, you need

139
00:05:01,240 --> 00:05:03,579
standards. So any single server

140
00:05:03,580 --> 00:05:06,069
in that system

141
00:05:06,070 --> 00:05:07,989
needs to speak the same language in order

142
00:05:07,990 --> 00:05:09,009
for this system to work.

143
00:05:10,120 --> 00:05:10,599
It took them

144
00:05:10,600 --> 00:05:12,819
like five or six years to actually

145
00:05:12,820 --> 00:05:15,549
standardize that kind of system.

146
00:05:15,550 --> 00:05:17,979
This was in November 1987,

147
00:05:17,980 --> 00:05:20,409
and we still use this system

148
00:05:20,410 --> 00:05:21,399
today.

149
00:05:21,400 --> 00:05:23,619
Like, this is one of the oldest protocols

150
00:05:23,620 --> 00:05:25,329
you still use daily,

151
00:05:25,330 --> 00:05:25,869
heavily,

152
00:05:25,870 --> 00:05:26,949
daily.

153
00:05:26,950 --> 00:05:28,329
This is what the hierarchy in the

154
00:05:28,330 --> 00:05:30,579
original standard looks like.

155
00:05:30,580 --> 00:05:32,829
So you may see there's a top node

156
00:05:32,830 --> 00:05:34,929
on it and then you've got a tree.
157
00:05:34,930 --> 00:05:37,179
That tree goes into different top level

158
00:05:37,180 --> 00:05:38,979
domains. Am I held on the edge of the

159
00:05:38,980 --> 00:05:41,109
wrapper? Like more than 30 years ago?

160
00:05:41,110 --> 00:05:43,449
There were not that many trees.

161
00:05:44,740 --> 00:05:46,809
And then it gets split down,

162
00:05:46,810 --> 00:05:48,219
and each

163
00:05:48,220 --> 00:05:49,480
branching node

164
00:05:50,720 --> 00:05:52,599
may be what you now know as a name

165
00:05:52,600 --> 00:05:55,089
server, or it may not be.

166
00:05:55,090 --> 00:05:56,529
But that's the important thing.

167
00:05:56,530 --> 00:05:58,749
We've still got this like

168
00:05:58,750 --> 00:06:00,850
tree hierarchy in DNS today.

169
00:06:02,380 --> 00:06:03,609
So how does this work?

170
00:06:03,610 --> 00:06:05,679
So let's take a look at

171
00:06:05,680 --> 00:06:08,469
events.ccc.de for this event.

172
00:06:08,470 --> 00:06:10,509
If you want to know the IP address of

173
00:06:10,510 --> 00:06:11,559
that domain,

174
00:06:12,730 --> 00:06:14,949
you ask the root servers, the

175
00:06:14,950 --> 00:06:17,380
top nodes in the tree hierarchy:

176
00:06:18,620 --> 00:06:21,049
OK, which server is responsible

177
00:06:21,050 --> 00:06:22,720
for the .de?

178
00:06:24,620 --> 00:06:26,809
Then you get an answer. With this,

179
00:06:26,810 --> 00:06:28,159
you go a step a little

180
00:06:28,160 --> 00:06:29,209
further.

181
00:06:29,210 --> 00:06:31,999
In the case of the .de TLD,

182
00:06:32,000 --> 00:06:34,219
the people responsible for this,

183
00:06:34,220 --> 00:06:36,649
DENIC, you may know them,

184
00:06:36,650 --> 00:06:38,869
and you ask their servers, OK,

185
00:06:38,870 --> 00:06:41,359
who in your zone data

186
00:06:41,360 --> 00:06:43,639
is responsible for

187
00:06:43,640 --> 00:06:44,779
ccc.de?
188
00:06:44,780 --> 00:06:46,909
You get an answer and

189
00:06:46,910 --> 00:06:48,529
then you do this as well with the name

190
00:06:48,530 --> 00:06:50,749
servers from the Chaos

191
00:06:50,750 --> 00:06:53,089
Computer Club and you get an answer.

192
00:06:54,720 --> 00:06:56,579
Just to give you a picture of how this

193
00:06:56,580 --> 00:06:57,389
works.

194
00:06:57,390 --> 00:06:59,369
That top

195
00:06:59,370 --> 00:07:01,529
node in the hierarchy, the root servers,

196
00:07:02,820 --> 00:07:03,449
there are more

197
00:07:03,450 --> 00:07:05,339
than 4000 physical servers

198
00:07:06,480 --> 00:07:08,849
out there to work with

199
00:07:08,850 --> 00:07:10,979
the daily DNS. Without those

200
00:07:10,980 --> 00:07:11,819
servers,

201
00:07:11,820 --> 00:07:13,259
nothing at all would work.

202
00:07:17,590 --> 00:07:20,529
So as I explained, you

203
00:07:20,530 --> 00:07:23,199
go to traverse the tree

204
00:07:23,200 --> 00:07:24,200
top down.

205
00:07:25,770 --> 00:07:27,449
But that's not actually how it works;

206
00:07:27,450 --> 00:07:28,450
they made it recursive.

207
00:07:29,820 --> 00:07:31,889
And at each point in

208
00:07:31,890 --> 00:07:33,809
the tree where it's promising, you can

209
00:07:33,810 --> 00:07:36,719
actually cache previously

210
00:07:36,720 --> 00:07:39,059
seen IP addresses.

211
00:07:39,060 --> 00:07:40,649
This is what we call

212
00:07:40,650 --> 00:07:41,429
caching

213
00:07:41,430 --> 00:07:43,529
in the resolving process, if you

214
00:07:43,530 --> 00:07:45,059
remember the slide with the

215
00:07:45,060 --> 00:07:47,430
tweet in the beginning.

216
00:07:48,510 --> 00:07:50,879
This may be important for the

217
00:07:50,880 --> 00:07:53,160
actual DoH deployment.

218
00:07:55,050 --> 00:07:56,579
Then there are stub resolvers.
219
00:07:56,580 --> 00:07:58,679
So this asking several

220
00:07:58,680 --> 00:08:00,689
different servers and traversing the

221
00:08:00,690 --> 00:08:02,459
tree doesn't actually happen on your

222
00:08:02,460 --> 00:08:03,460
device.

223
00:08:04,110 --> 00:08:06,149
What's happening on your device is called

224
00:08:06,150 --> 00:08:08,909
a stub resolver because it actually

225
00:08:08,910 --> 00:08:09,719
is not doing

226
00:08:09,720 --> 00:08:11,989
anything for real.

227
00:08:11,990 --> 00:08:14,189
Um, it still works that way that you

228
00:08:14,190 --> 00:08:16,289
ask your stub resolver for an IP

229
00:08:16,290 --> 00:08:17,489
address

230
00:08:17,490 --> 00:08:20,219
and you get that.

231
00:08:20,220 --> 00:08:23,219
But the stub resolver just

232
00:08:23,220 --> 00:08:25,379
forwards your

233
00:08:25,380 --> 00:08:28,409
request to an actual recursive resolver.

234
00:08:28,410 --> 00:08:29,279
From that,

235
00:08:29,280 --> 00:08:31,649
the stub resolver gets the actual answer

236
00:08:31,650 --> 00:08:32,650
for the IP address.

237
00:08:34,020 --> 00:08:36,389
And this is what ends up in your

238
00:08:36,390 --> 00:08:37,390
operating system,

239
00:08:38,460 --> 00:08:40,319
and what the clients on the device

240
00:08:40,320 --> 00:08:41,320
actually use.

241
00:08:43,200 --> 00:08:45,269
Um, so how do

242
00:08:45,270 --> 00:08:46,739
they talk to each other, all those

243
00:08:46,740 --> 00:08:48,689
thousands of servers worldwide, right?

244
00:08:48,690 --> 00:08:50,849
Well, as I said, they first

245
00:08:50,850 --> 00:08:52,859
came up with the idea of DNS.

246
00:08:52,860 --> 00:08:54,869
And then they worked on the technical

247
00:08:54,870 --> 00:08:56,609
bits. These are actually two different

248
00:08:56,610 --> 00:08:58,829
standards. So RFC 1034

249
00:08:58,830 --> 00:09:01,079
is the idea,

250
00:09:01,080 --> 00:09:03,179
the description of how the DNS

251
00:09:03,180 --> 00:09:04,439
works. RFC
252
00:09:04,440 --> 00:09:06,539
1035 is the

253
00:09:06,540 --> 00:09:07,529
technical bits.

254
00:09:07,530 --> 00:09:09,869
How do we work on the wire with

255
00:09:09,870 --> 00:09:11,939
that system so they all know and

256
00:09:11,940 --> 00:09:13,649
understand what they're actually talking

257
00:09:13,650 --> 00:09:14,650
about?

258
00:09:15,270 --> 00:09:17,339
Um, one

259
00:09:17,340 --> 00:09:17,459
of

260
00:09:17,460 --> 00:09:19,919
the most important things is that

261
00:09:19,920 --> 00:09:22,229
only specific, um, name

262
00:09:22,230 --> 00:09:22,769
servers

263
00:09:22,770 --> 00:09:23,770
are,

264
00:09:24,210 --> 00:09:26,549
well, authoritative name servers

265
00:09:26,550 --> 00:09:29,279
for specific parts of the domain,

266
00:09:29,280 --> 00:09:31,139
like the root servers for all the top

267
00:09:31,140 --> 00:09:32,140
level domains,

268
00:09:33,600 --> 00:09:34,919
and you can split this out.

269
00:09:34,920 --> 00:09:36,999
And remember the

270
00:09:37,000 --> 00:09:39,189
tree from the hierarchy.

271
00:09:39,190 --> 00:09:41,339
And you can actually draw circles for

272
00:09:41,340 --> 00:09:43,499
each name server in those branches.

273
00:09:45,630 --> 00:09:47,789
And this is a DNS zone. That's going

274
00:09:47,790 --> 00:09:49,350
to be important in the next slides.

275
00:09:50,550 --> 00:09:52,769
Each of those zones has so-called resource

276
00:09:52,770 --> 00:09:53,909
records.

277
00:09:53,910 --> 00:09:54,569
They are

278
00:09:54,570 --> 00:09:56,429
more or less a database with

279
00:09:58,140 --> 00:09:58,319
a

280
00:09:58,320 --> 00:10:00,509
lot of info on the actual DNS

281
00:10:00,510 --> 00:10:02,579
in them. So domain names,

282
00:10:02,580 --> 00:10:04,769
IP addresses, a lot

283
00:10:04,770 --> 00:10:07,169
of other different things on how

284
00:10:08,370 --> 00:10:10,379
the DNS actually works.
285
00:10:10,380 --> 00:10:11,789
Some of them are really, really

286
00:10:11,790 --> 00:10:14,429
important. Like which mail server

287
00:10:14,430 --> 00:10:16,499
belongs to a specific

288
00:10:16,500 --> 00:10:19,169
domain, because

289
00:10:19,170 --> 00:10:21,239
you can just send mail to

290
00:10:21,240 --> 00:10:23,549
ccc.de,

291
00:10:23,550 --> 00:10:24,509
for example.

292
00:10:24,510 --> 00:10:26,399
But this would be a different server than

293
00:10:26,400 --> 00:10:29,039
the web server on ccc.de,

294
00:10:29,040 --> 00:10:31,049
and you can actually differentiate them

295
00:10:31,050 --> 00:10:33,239
on the level of DNS, and you make

296
00:10:33,240 --> 00:10:34,830
this with the resource records.

297
00:10:35,940 --> 00:10:37,950
Those resource records

298
00:10:40,050 --> 00:10:41,279
have an

299
00:10:42,660 --> 00:10:44,849
encoding representation, so they

300
00:10:44,850 --> 00:10:47,429
are not text files.

301
00:10:47,430 --> 00:10:49,649
So whenever you ask your stub resolver

302
00:10:49,650 --> 00:10:51,749
or any other resolver or

303
00:10:51,750 --> 00:10:53,009
DNS server,

304
00:10:53,010 --> 00:10:55,859
they are not sending text like in HTTP.

305
00:10:55,860 --> 00:10:57,359
They're sending a

306
00:10:57,360 --> 00:10:59,369
hex and binary

307
00:10:59,370 --> 00:11:00,779
encoded,

308
00:11:00,780 --> 00:11:02,849
an octet

309
00:11:02,850 --> 00:11:04,799
encoded message.

310
00:11:05,880 --> 00:11:08,699
Each resource record has specifics

311
00:11:08,700 --> 00:11:11,099
on how you encode those resource records

312
00:11:11,100 --> 00:11:12,179
into octets.

313
00:11:13,230 --> 00:11:13,709
That's all

314
00:11:13,710 --> 00:11:14,729
in RFC 1035.
315
00:11:14,730 --> 00:11:16,919
So if you ever want to have

316
00:11:16,920 --> 00:11:19,079
a, well, week long project, if you're

317
00:11:19,080 --> 00:11:21,029
on holidays, you can actually implement

318
00:11:21,030 --> 00:11:22,709
this. There are a lot of tutorials to do

319
00:11:22,710 --> 00:11:24,929
this. It's not that hard.

320
00:11:24,930 --> 00:11:27,239
The kernel code,

321
00:11:27,240 --> 00:11:29,339
like the C code for code

322
00:11:29,340 --> 00:11:31,709
to implement RFC 1034,

323
00:11:31,710 --> 00:11:33,839
it's like 700 lines or so.

324
00:11:33,840 --> 00:11:35,459
So it's not that hard.

325
00:11:35,460 --> 00:11:36,460
It's doable.

326
00:11:38,040 --> 00:11:39,689
And the most important thing for the rest

327
00:11:39,690 --> 00:11:41,789
of my talk is, um,

328
00:11:41,790 --> 00:11:43,859
all those bits and pieces that are

329
00:11:43,860 --> 00:11:46,229
thrown around in the internet are done,

330
00:11:46,230 --> 00:11:47,230
um,

331
00:11:48,100 --> 00:11:50,229
on port 53

332
00:11:50,230 --> 00:11:52,539
and completely in plain text

333
00:11:52,540 --> 00:11:53,859
via UDP.

334
00:11:53,860 --> 00:11:56,019
That's why it's now called

335
00:11:56,020 --> 00:11:58,600
Do53, because it's on port 53.

336
00:12:00,010 --> 00:12:00,879
Before,

337
00:12:00,880 --> 00:12:02,079
just a few years ago,

338
00:12:02,080 --> 00:12:04,219
that was DNS, but DNS

339
00:12:04,220 --> 00:12:06,399
has changed, so we had to find, well,

340
00:12:06,400 --> 00:12:08,889
a new name for the old school DNS

341
00:12:08,890 --> 00:12:10,840
and the, well, new school DNS.

342
00:12:13,210 --> 00:12:15,609
As I said, it's completely unencrypted.

343
00:12:15,610 --> 00:12:17,739
Everything is in plain text

344
00:12:17,740 --> 00:12:20,469
and there is no authentication at all.
345
00:12:20,470 --> 00:12:22,329
They never thought,

346
00:12:22,330 --> 00:12:24,339
when they made DNS, they never

347
00:12:24,340 --> 00:12:26,649
thought that you would have billions

348
00:12:26,650 --> 00:12:28,119
of people in the internet.

349
00:12:28,120 --> 00:12:30,189
So whenever you ask a

350
00:12:30,190 --> 00:12:32,259
name server or not, there's no

351
00:12:32,260 --> 00:12:34,179
way for you to be sure that you're

352
00:12:34,180 --> 00:12:36,399
actually talking to the server

353
00:12:36,400 --> 00:12:37,659
you wanted to talk to.

354
00:12:37,660 --> 00:12:39,100
There's no authentication at all.

355
00:12:40,570 --> 00:12:41,679
So what?

356
00:12:41,680 --> 00:12:44,199
This DNS

357
00:12:44,200 --> 00:12:46,509
over port 53

358
00:12:46,510 --> 00:12:48,429
can be tricked, so any man in the

359
00:12:48,430 --> 00:12:50,259
middle knows

360
00:12:50,260 --> 00:12:51,260
or can know

361
00:12:52,330 --> 00:12:54,549
what domains you're asking the IP address

362
00:12:54,550 --> 00:12:55,479
for.

363
00:12:55,480 --> 00:12:57,729
It can be blocked: block port 53,

364
00:12:57,730 --> 00:12:59,679
and none of your business will ever work.

365
00:13:00,700 --> 00:13:03,159
You can manipulate

366
00:13:03,160 --> 00:13:05,139
anything that runs over this, so you can

367
00:13:05,140 --> 00:13:07,329
just, if you're a man in the middle

368
00:13:07,330 --> 00:13:08,589
and there's no authentication, you can

369
00:13:08,590 --> 00:13:11,229
just send bogus answers.

370
00:13:11,230 --> 00:13:13,029
Um, and

371
00:13:13,030 --> 00:13:14,859
you can actually redirect

372
00:13:14,860 --> 00:13:16,959
um, requests

373
00:13:18,320 --> 00:13:19,479
on

374
00:13:19,480 --> 00:13:21,909
DNS over port fifty three.
375
00:13:21,910 --> 00:13:23,979
So I ask the name servers of the

376
00:13:23,980 --> 00:13:25,689
CCC, but the man in the middle

377
00:13:25,690 --> 00:13:27,969
points me to a rogue name server

378
00:13:27,970 --> 00:13:30,159
and gets me a different IP address, which

379
00:13:30,160 --> 00:13:31,809
works quite easily because there is no

380
00:13:31,810 --> 00:13:32,810
authentication at all.

381
00:13:35,860 --> 00:13:36,860
It gets ugly.

382
00:13:38,350 --> 00:13:40,749
So these kind of well known

383
00:13:40,750 --> 00:13:42,849
features are actually used now

384
00:13:42,850 --> 00:13:44,889
by people as features.

385
00:13:44,890 --> 00:13:47,949
So for the last 30 years, a lot of admins

386
00:13:47,950 --> 00:13:50,859
got used to being able to do this.

387
00:13:50,860 --> 00:13:53,589
So they are now using

388
00:13:53,590 --> 00:13:55,719
the unauthenticated bullshit

389
00:13:55,720 --> 00:13:57,490
of DNS over 53

390
00:13:59,110 --> 00:14:00,219
to make what

391
00:14:00,220 --> 00:14:01,959
most people call censorship.

392
00:14:01,960 --> 00:14:03,549
So they filter out your

393
00:14:04,810 --> 00:14:06,820
requests on a block level.

394
00:14:09,180 --> 00:14:11,249
Hijacking is actually what

395
00:14:11,250 --> 00:14:13,529
I find really funny. Hijacking,

396
00:14:13,530 --> 00:14:15,330
like redirecting you to a different page,

397
00:14:16,800 --> 00:14:18,479
is used as a feature worldwide in a

398
00:14:18,480 --> 00:14:20,609
captive portal whenever you enter

399
00:14:21,720 --> 00:14:22,999
a public Wi-Fi.

400
00:14:23,000 --> 00:14:25,439
You have to accept some,

401
00:14:25,440 --> 00:14:26,549
some terms and conditions.
402
00:14:28,260 --> 00:14:30,509
You may have recognized that those kind

403
00:14:30,510 --> 00:14:32,789
of portal pages don't

404
00:14:32,790 --> 00:14:35,759
come up if you use an HTTPS connection,

405
00:14:35,760 --> 00:14:38,249
because if you use HTTPS, the server

406
00:14:38,250 --> 00:14:39,629
you want to talk to is actually

407
00:14:39,630 --> 00:14:40,739
authenticated.

408
00:14:40,740 --> 00:14:43,679
But if the provider of the access point

409
00:14:43,680 --> 00:14:45,029
with the name server that you want to

410
00:14:45,030 --> 00:14:47,219
talk to tries

411
00:14:47,220 --> 00:14:49,589
to redirect you to the captive

412
00:14:49,590 --> 00:14:51,809
portal page, there's a mismatch, so

413
00:14:51,810 --> 00:14:53,939
you can't access the log

414
00:14:53,940 --> 00:14:55,619
in page for the public Wi-Fi.

415
00:14:55,620 --> 00:14:57,600
That's because they fuck up DNS.

416
00:14:59,100 --> 00:15:01,289
Side note: there's actually an IETF

417
00:15:01,290 --> 00:15:03,659
working group that works on fixing this.

418
00:15:03,660 --> 00:15:05,999
So they're working on a protocol to make

419
00:15:06,000 --> 00:15:07,379
this work.

420
00:15:07,380 --> 00:15:09,719
Um, Google kind of slipped

421
00:15:09,720 --> 00:15:11,819
around this. They have just

422
00:15:11,820 --> 00:15:14,189
a probing URL in Android.

423
00:15:14,190 --> 00:15:16,259
Whenever you, um,

424
00:15:16,260 --> 00:15:17,009
access a public

425
00:15:17,010 --> 00:15:18,839
Wi-Fi, Android

426
00:15:18,840 --> 00:15:20,039
probes

427
00:15:20,040 --> 00:15:22,679
this public URL

428
00:15:22,680 --> 00:15:23,999
and then you get redirected.

429
00:15:24,000 --> 00:15:26,069
You can also do this with

430
00:15:26,070 --> 00:15:27,719
neverssl.com. Highly recommend.
431
00:15:29,920 --> 00:15:32,249
Um, so as I said, DNS

432
00:15:32,250 --> 00:15:34,469
is kind of strange, and

433
00:15:34,470 --> 00:15:35,549
it's used,

434
00:15:35,550 --> 00:15:37,889
um, in, well,

435
00:15:37,890 --> 00:15:39,059
not

436
00:15:39,060 --> 00:15:40,769
that good of ways.

437
00:15:40,770 --> 00:15:41,949
So in the end

438
00:15:41,950 --> 00:15:44,789
of the 1990s,

439
00:15:44,790 --> 00:15:46,319
a lot of people,

440
00:15:46,320 --> 00:15:47,849
um, saw

441
00:15:47,850 --> 00:15:50,099
that the unauthenticated part

442
00:15:50,100 --> 00:15:52,319
of DNS is going to be a problem.

443
00:15:52,320 --> 00:15:54,599
So they came up with what we now know

444
00:15:54,600 --> 00:15:56,819
as DNSSEC. DNSSEC stands for

445
00:15:56,820 --> 00:15:59,009
Domain Name System Security

446
00:15:59,010 --> 00:16:01,679
Extensions, and the name "extensions"

447
00:16:01,680 --> 00:16:04,199
is because they just add

448
00:16:04,200 --> 00:16:06,599
new resource records to the old ones.

449
00:16:06,600 --> 00:16:08,669
So it should be, um,

450
00:16:08,670 --> 00:16:10,469
compatible with the old standard.

451
00:16:11,870 --> 00:16:14,279
Um, the idea is that you sign

452
00:16:14,280 --> 00:16:15,869
zones with a key.

453
00:16:15,870 --> 00:16:18,709
So the root server zone

454
00:16:18,710 --> 00:16:19,139
um,

455
00:16:19,140 --> 00:16:21,279
is signed with a key, and then you can

456
00:16:21,280 --> 00:16:24,149
do this. You can traverse the

457
00:16:24,150 --> 00:16:25,799
tree in the hierarchy

458
00:16:25,800 --> 00:16:27,299
and add

459
00:16:27,300 --> 00:16:29,609
signatures to those new zones

460
00:16:29,610 --> 00:16:31,589
for any single name server.

461
00:16:31,590 --> 00:16:33,899
So, and with this,

462
00:16:33,900 --> 00:16:36,089
you can actually authenticate the name

463
00:16:36,090 --> 00:16:37,829
server you're talking to.
464
00:16:37,830 --> 00:16:40,139
So the answer you get

465
00:16:40,140 --> 00:16:42,419
from those name servers that you can trust

466
00:16:42,420 --> 00:16:43,420
is tamper proof.

467
00:16:44,430 --> 00:16:47,129
Problem is, it's still unencrypted.

468
00:16:48,210 --> 00:16:50,639
So whenever you use

469
00:16:50,640 --> 00:16:52,169
DNSSEC,

470
00:16:52,170 --> 00:16:53,159
um,

471
00:16:53,160 --> 00:16:55,589
people on the way can still see

472
00:16:55,590 --> 00:16:57,689
what you are requesting.

473
00:16:57,690 --> 00:17:00,209
They are not able to manipulate

474
00:17:00,210 --> 00:17:02,069
the route. They are not able to

475
00:17:02,070 --> 00:17:03,279
manipulate the answer.

476
00:17:03,280 --> 00:17:05,939
You still get the correct IP address,

477
00:17:05,940 --> 00:17:07,499
but do you really want your employer to

478
00:17:07,500 --> 00:17:08,909
know that you're surfing porn in your

479
00:17:08,910 --> 00:17:09,929
free time?

480
00:17:09,930 --> 00:17:11,099
Hmm. Maybe not.

481
00:17:12,450 --> 00:17:14,019
Um, there are

482
00:17:14,020 --> 00:17:15,568
other problems with DNSSEC,

483
00:17:15,569 --> 00:17:16,949
so it's

484
00:17:16,950 --> 00:17:18,779
really, really hard to deploy, it turns

485
00:17:18,780 --> 00:17:19,559
out.

486
00:17:19,560 --> 00:17:21,358
Um, it's hard to tell

487
00:17:21,359 --> 00:17:24,269
how many servers actually use DNSSEC,

488
00:17:24,270 --> 00:17:26,669
but current estimates are between

489
00:17:26,670 --> 00:17:28,739
15 and 20 percent

490
00:17:28,740 --> 00:17:30,779
of all the name servers out there actually

491
00:17:30,780 --> 00:17:32,429
use DNSSEC,

492
00:17:32,430 --> 00:17:32,609
and

493
00:17:32,610 --> 00:17:34,559
they had 20 years of time.

494
00:17:34,560 --> 00:17:36,719
So that may not be a viable

495
00:17:36,720 --> 00:17:39,389
solution to actually make DNS

496
00:17:39,390 --> 00:17:41,579
tamper proof.
497
00:17:43,140 --> 00:17:45,539
And as I said,

498
00:17:45,540 --> 00:17:47,159
you've got stub resolvers that don't

499
00:17:47,160 --> 00:17:48,809
actually do any resolving.

500
00:17:48,810 --> 00:17:50,909
Um, they just refer you to

501
00:17:50,910 --> 00:17:51,910
another name server

502
00:17:53,070 --> 00:17:55,229
on your operating system, and

503
00:17:55,230 --> 00:17:57,479
they would need to

504
00:17:57,480 --> 00:17:59,069
validate the signatures.

505
00:18:00,190 --> 00:18:02,019
But there are not

506
00:18:02,020 --> 00:18:04,089
any actually deployed

507
00:18:04,090 --> 00:18:05,769
stub resolvers that do this.

508
00:18:05,770 --> 00:18:07,959
So the Microsoft

509
00:18:07,960 --> 00:18:10,179
stub resolver in Windows

510
00:18:10,180 --> 00:18:12,369
is able to

511
00:18:12,370 --> 00:18:14,679
understand that they get DNSSEC-

512
00:18:14,680 --> 00:18:17,049
signed resource records,

513
00:18:17,050 --> 00:18:19,569
but it's just not validated if the

514
00:18:19,570 --> 00:18:20,950
signature is actually valid.

515
00:18:22,030 --> 00:18:24,369
And this is the case with Linux and BSDs

516
00:18:24,370 --> 00:18:25,419
as well.

517
00:18:25,420 --> 00:18:26,649
If you're running those operating

518
00:18:26,650 --> 00:18:28,959
systems, you can of course validate

519
00:18:28,960 --> 00:18:31,569
your DNSSEC signatures.

520
00:18:31,570 --> 00:18:33,669
But in Germany, you would then have

521
00:18:33,670 --> 00:18:35,629
the problem that, for example, the

522
00:18:35,630 --> 00:18:37,709
Fritz!Boxes by AVM,

523
00:18:37,710 --> 00:18:39,879
the typical home router in Germany, you see

524
00:18:39,880 --> 00:18:41,640
them everywhere.
525
00:18:43,090 --> 00:18:45,219
If you use DNSSEC in

526
00:18:45,220 --> 00:18:47,049
your home environment on the client

527
00:18:47,050 --> 00:18:49,209
devices, you wouldn't be able to

528
00:18:49,210 --> 00:18:50,259
resolve fritz.box

529
00:18:50,260 --> 00:18:51,729
because it's

530
00:18:51,730 --> 00:18:52,809
just a bogus domain name.

531
00:18:52,810 --> 00:18:55,179
It's out of the actual hierarchy.

532
00:18:55,180 --> 00:18:56,499
So there is no second option.

533
00:18:56,500 --> 00:18:58,299
If you validate signatures, you won't get

534
00:18:58,300 --> 00:19:00,069
an answer and you can't access your

535
00:19:00,070 --> 00:19:01,449
router anymore.

536
00:19:01,450 --> 00:19:03,490
So DNSSEC has problems.

537
00:19:05,980 --> 00:19:06,980
Then 10 years later,

538
00:19:09,190 --> 00:19:10,989
people actually thought, OK,

539
00:19:10,990 --> 00:19:12,729
what about

540
00:19:12,730 --> 00:19:14,889
encrypting the actual DNS?

541
00:19:14,890 --> 00:19:17,199
Like, make it all secure and encrypt what

542
00:19:17,200 --> 00:19:18,999
we put on the wire?

543
00:19:19,000 --> 00:19:21,489
This grew out of the open b c folks,

544
00:19:21,490 --> 00:19:23,859
but you may know folks

545
00:19:23,860 --> 00:19:26,439
from OPEC or have heard how they work.

546
00:19:26,440 --> 00:19:28,659
They're not really standard, so they just

547
00:19:28,660 --> 00:19:30,069
implement stuff and see if they think it's

548
00:19:30,070 --> 00:19:32,349
secure and say, Yeah, well, we've

549
00:19:32,350 --> 00:19:33,849
got a solution.

550
00:19:33,850 --> 00:19:35,949
Use our solution. That worked with

551
00:19:35,950 --> 00:19:37,059
open associates.
[00:19:37] But this only worked because some people at the IETF actually thought, OK, well, we just use their implementation, not because it's the best. With DNSCrypt, it never got any track record. So DNSCrypt is no IETF standard. Nobody uses this out there. You can go to the DNSCrypt website and download the client, make it work and have encrypted DNS. But if you use this, you can only talk to really, really few name servers, because the name server has to support this as well. So if you're running OpenBSD on your own server somewhere in the network, you can then run a DNSCrypt-capable name server. So yeah, that's not going to work on your laptop, or think about your grandma. Is she going to do this? No.
[00:20:30] So the IETF got a wake-up call by the Snowden revelations in 2013, and they actually made a standard that says that pervasive monitoring by state actors should be treated as an attack. So anybody working on IETF protocols should implement upcoming protocols in a way that you can't do that kind of pervasive monitoring that the Snowden revelations revealed. And one of the first things the IETF thought about was DNS, because DNS was one of the last protocols that at that time was still completely unencrypted. So they really quickly started a working group to solve that. That was DNS PRIVate Exchange, DPRIVE. DPRIVE came up with DNS over TLS. So we've got this really, really nice encryption protocol, TLS.
[00:21:35] We've got a lot of really good, really robust implementations of TLS, and any operating system out there supports TLS. So why not just encapsulate the DNS traffic in TLS and put it on the wire? Then it's encrypted and nobody can complain. And this kind of works. So if you're using DoT, it is actually encrypted. Nobody in the middle can see what you are asking a name server. But the thing is, the traffic can still be monitored, because the actual RFC says that you must use port 853, just like you must use port 80 for HTTP. There's no way around it. You can still see traffic on there. And with this, whenever you see traffic, you may be able to analyze or block it. So the easiest way to block DoT would be just to block the port, and nobody would be able to, well, ask for encrypted DNS answers, which is kind of lame.
[00:22:45] So then there was DNS over HTTPS, DoH. This was worked on after DoT, and this was basically based on the idea that DoT can be blocked. And the idea was: how are we able to work around the, well, blocking feature of DoT? The basic idea is that you just mix DNS in with any other HTTPS traffic. If you would block HTTPS traffic, none of your clients would work anymore for anything. So even in the work environment, nobody would be able to work. So the idea is, if you use that protocol, you can't block DNS requests and answers. You can't track it because it's encrypted, and you can't really modify any of it because you can't see anything. You just see HTTPS traffic, but you don't know what it is.
[00:23:49] And when I was at IETF 99, this was kind of like a revelation for me, because it was a really, really nice and easy idea to just encrypt DNS. Well, I really, really liked that idea from the beginning. It then got standardized like a year ago. So how does this work? As I said, we've got these resource records that are pushed into octets that make up the packets on UDP on port 53. We use this kind of encoding just as an HTTP payload. You can use GET and POST requests and get an answer for it. If you import a lot of libraries that do all this, this is just a few lines of Python. So you have to import dnslib, which makes your DNS request, and then you have to import an HTTPS library, and then you basically tell your client to please make a request, and then you get the answer. Literally, it's like ten or fifteen lines of Python. It's really, really nice.
[00:24:58] Really easy, really usable. If you've got a few hours of time, try it out. It's really, really good. You can use it in Firefox and Chrome as of now. Both of them published implementations like months and years ago. And on top of that, there are standalone clients out there if you just want to play around with DoH. curl has supported it for like one and a half years, and OkHttp, one of the most used Java libraries, supports DoH. So if you build a client that really needs encrypted DNS, look at those libraries. This is taken from the RFC, RFC 8484. So how the system works: we've got the URL template, like dns-query on example.com. We make a GET request over HTTPS to that server.
[00:26:04] As you can see, the DNS query is just a bunch of encoded stuff in the URL. They use base64url encoding without padding to make the resource records just smaller. You could use all of the actual octets, but that would be, well, it would be just too long and too much. So we use base64, and we call this a dns-message on HTTP. Really, really easy to understand if you know anything about it. Just look into the RFC for how this works on the server side. So the curl project by Daniel Stenberg actually provides a list of public servers. So if you just want to use Firefox or Chrome or any other client and try DNS over HTTPS, you can use several different services. A lot of big commercial DNS providers support DNS over HTTPS: Google, Cloudflare, Quad9 from IBM, and Digitalcourage runs their own DNS server.
[00:27:18] The DNS server from them supports DoT and DoH. Please don't spam their DNS server. As mentioned, they run their DoH server at the Congress on a specific domain. So if you want to play around with DoH after this talk, take a look at the wiki. They have a lot of explanation on how to use their DoH server at Congress. And finally, British Telecom is the first big commercial ISP in the world that is now testing the deployment of DNS over HTTPS. You can use DoH on your own servers, of course. So you just need a URL template and pass on whatever requests you get for this. There is a tutorial for nginx on how you do this. It's really straightforward. The idea is that you use nginx just as a proxy for an actual resolver.
[00:28:22] So you take the request, forward it to the resolver, the resolver gives you back the resource records, and then nginx pushes this back to the client. So if you're running a website, you can turn this web server into a DoH server. So if you really care about your security, please do this. How does this look on the server side? As I said, we've got this DNS message, which is base64url-encoded. And this is, as I said, the actual DNS format on the wire. That's what's sent, as in the RFC. So the server answers with an OK message. You get the content length, you get the maximum age of that request, so you can actually cache that request. And then you've got a hex encoding of the actual DNS answer, which the resolver can actually parse, and it gives you the IP address of whatever you're asking for.
[00:29:27] The problem is on the deployment side. Outside of the web and HTTP sphere, you can't really use DoH with currently available methods. Microsoft announced that they're going to support DoH in Windows 10 just a few months ago. There is no implementation, really nothing on what they want to do or how they want it to work. They just announced they're going to support the protocol. But from my point of view, it's really good, because no other OS-level resolver has this on their agenda. systemd-resolved implemented DoT, but they don't validate the TLS certificate. So, yeah, that just doesn't work. Why use TLS if you don't validate the certificates? So at the level of the operating system, you basically can't use DoH as of now.
[00:30:31] If you're running a kind of commercial name server yourself, you may know dnsdist. This actually supports DoH. This actually supports DoH without TLS, so you can play around with all the encryption without validating certificates, if you just want to look at what is actually happening. And then there's BIND. BIND is the most widely used DNS server in the world; BIND was co-developed with the actual DNS standard. They pride themselves on actually supporting anything that is happening within DNS, but they just waited and waited and waited and waited and didn't do anything on DoH, because none of their clients would pay for the development. Finally, just a few months ago, the ISC announced that Mozilla is going to pay for the DoH support in BIND. So after that, even your ISP that runs BIND may be able to support DoH without any trouble. They just need to upgrade their BIND.
[00:31:43] So, current state of the available client situation on DoH. With Chrome and the maybe upcoming Windows 10 implementation, you can use DoH, and it's used automatically if your predefined DNS server also supports DoH. So let's say you've got Google 8.8.8.8 as your DNS server. If you do this, they kind of guess that you want to use DoH if you're using Chrome, and then they just transparently upgrade you to DoH and you're gonna use this. This works with a bunch of other servers, like eight or nine different providers, in Chrome. We don't know what Microsoft is going to do with Windows 10, but they said they wanted to do this as well. Firefox defaults to using DNS over HTTPS in the US.
[00:32:49] Unfortunately, this got a lot of heated discussion, because they use a predefined server in Firefox rather than opt-out. So whenever you're going to install a new Firefox with the US English locale, you're going to use Cloudflare as your DoH server provider. And as of a few weeks ago, Firefox also supports NextDNS, which is also a new upcoming commercial DNS provider in the US. But as I said, this only happens if you're running the US international locale of Firefox. OK, so just a short recap. DoH should be used. As I said, it's encrypted and standards-compliant encryption, not like DNSCrypt. Typically, DoH servers are faster than normal name servers. That's because we use HTTP. For the last 25 years, HTTP was optimized for pushing content fast. That never happened with DNS because, well, just wait for the UDP packet.
[00:34:02] And if it doesn't arrive, send a new one. HTTP never worked that way, and thousands of engineers worked on making HTTP faster. That's why DoH is most of the time faster than DNS. You can reuse load balancers, you can reuse caching infrastructure, you can reuse a CDN. And on top of that, we typically use HTTP/2 for DoH, and then you get multiplexing and server push. So you actually get your answers faster by design. The bad thing is there are not that many DoH servers out there. So there may be a centralization, which runs against the actual goal of making DNS decentralized, which may be a problem. The RFC actually says that you can use HTTP for a lot of different monitoring, and the Snowden revelations showed us
[00:34:57] that this is also used. So you can infer a lot of, well, specifics from the HTTPS traffic, even if it's encrypted, which is stuff that you may not want. Then there are deployment problems. You may have internal and external networks. Like, if you deploy DNS in your company, you may have specific domains that are just known inside your company and are just resolved inside your company. Typically, you would just announce your own name server via DHCP, and this own name server would resolve your own made-up domain. With DoH, it won't work, because it's encrypted on a different channel, on a different port, and the clients of your, well, users will never get this name server, which is a deployment problem, especially in enterprises. And then there's the problem of how do I actually get to a DoH server?
[00:35:58] Because, I mean, I need a domain for my DNS server in order to resolve domains. Isn't that a bit weird? Um, yeah. Uh, yeah. Then actually parts of the OpenBSD community, that prides themselves on working for security and invented DNSCrypt, they deactivated DoH in their Firefox implementation because they just don't like Mozilla. Although, I don't know, maybe they don't like security features. I don't know. They just didn't want DoH. Which is kind of stupid, in my opinion. The ISPs in the UK actually called Mozilla an internet villain because they're deploying DoH. Like, who is going to fuck up the internet? Of course, that's going to be Mozilla. Like, are you kidding me? The same kind of fight happened in the US. A lot of ISPs and their lobbying companies actually wrote letters to Congress that the deployment of DoH is going to be anti-competitive behavior.
[00:37:04] But how is your ISP in competition with your browser? OK, so this works in that way that they think that if Google and Chrome ever use their Google DNS servers, yeah, the ISPs will never be able to send you advertisements over DNS or, hey, hijack your DNS in order to serve you advertisements. So they then are competing with Google in that space, and that would be anti-competitive. Um, I've asked, uh, that's my day job! As a journalist, I asked ISPs in Germany how they're going to solve this. I really didn't get any answer. They just don't care. They just wait, because, well, we are in Germany and digitalization just needs time. The, well, most-liked answer was from Deutsche Telekom. They said something about respect for data ownership. But if I encrypt my DNS and I choose my own name server, how is that bad for data ownership?
[00:38:09] It may be bad for the data ownership of Deutsche Telekom, that is, of your data. They also said the browser makers flipped over the production model of the internet. According to that, the production model is selling user data. That's your ISP. That's the most used ISP in Germany. You're not paying them to actually get internet. You're paying them to sell your data. That's kind of weird. And they also said if you use DoH in a browser, then the browser makers will see, well, the traffic of the browser. Isn't that the kind of thing the browser does, sending traffic back and forth? I really didn't get what they wanted to tell me. Then there's a lot that is just plain old nonsense out there. A famous German blogger has said that DoH uses JSON, and he published this without any, uh, well, knowledge of the protocol.
1109 00:39:17,050 --> 00:39:18,879 And as I said, it was standardized. 1110 00:39:18,880 --> 00:39:20,979 You just have to look into the standard 1111 00:39:20,980 --> 00:39:23,859 and it says if you're using DoH 1112 00:39:23,860 --> 00:39:26,319 in the specific context that I 1113 00:39:26,320 --> 00:39:28,029 explained, there is no JSON. You don't 1114 00:39:28,030 --> 00:39:29,229 need JSON parsers. 1115 00:39:29,230 --> 00:39:31,769 Your DNS request will not fail 1116 00:39:31,770 --> 00:39:33,819 just because you have a space more or 1117 00:39:33,820 --> 00:39:34,820 less. 1118 00:39:35,830 --> 00:39:37,419 Then there was a case where 1119 00:39:37,420 --> 00:39:39,999 a malware resolved 1120 00:39:40,000 --> 00:39:42,369 the domain name 1121 00:39:42,370 --> 00:39:44,499 for the command and control server via 1122 00:39:44,500 --> 00:39:45,969 an HTTPS connection. 1123 00:39:45,970 --> 00:39:47,949 They didn't use the standard for this, but 1124 00:39:47,950 --> 00:39:50,349 a lot of media outlets said that 1125 00:39:50,350 --> 00:39:53,139 this malware uses DoH, 1126 00:39:53,140 --> 00:39:55,449 and that's why DoH is bad. 1127 00:39:55,450 --> 00:39:57,759 But how many malware examples are 1128 00:39:57,760 --> 00:40:00,249 out there using HTTPS encryption? 1129 00:40:01,560 --> 00:40:03,659 This is bad 1130 00:40:03,660 --> 00:40:05,549 because malware uses this. 1131 00:40:05,550 --> 00:40:07,170 It's a completely nonsense argument. 1132 00:40:08,910 --> 00:40:11,039 Then there was a talk this year 1133 00:40:11,040 --> 00:40:12,989 by Paul Vixie, who actually wrote a 1134 00:40:12,990 --> 00:40:14,399 lot of stuff in BIND and who really, 1135 00:40:14,400 --> 00:40:15,400 really knows DNS. 1136 00:40:16,620 --> 00:40:18,719 And he compared Google to the East India 1137 00:40:18,720 --> 00:40:21,449 Company because they're using DoH. 
1138 00:40:21,450 --> 00:40:22,949 I don't know if you know the East India 1139 00:40:22,950 --> 00:40:25,169 Company, but for like 20 or 50 years, 1140 00:40:25,170 --> 00:40:27,569 there was a state actor inside 1141 00:40:27,570 --> 00:40:29,789 the British government taking part in 1142 00:40:29,790 --> 00:40:32,339 the slave trade, opium wars, 1143 00:40:32,340 --> 00:40:34,559 like horrible, 1144 00:40:34,560 --> 00:40:36,419 horrible stuff and war crimes, and 1145 00:40:36,420 --> 00:40:38,669 they're comparing Google to this. 1146 00:40:38,670 --> 00:40:39,119 Hmm. 1147 00:40:39,120 --> 00:40:40,799 I don't know if that's actually a good 1148 00:40:40,800 --> 00:40:42,529 argument. And then there's one by Bert, 1149 00:40:42,530 --> 00:40:44,609 who is actually working 1150 00:40:44,610 --> 00:40:47,639 for PowerDNS, who produce 1151 00:40:47,640 --> 00:40:48,640 the name server. 1152 00:40:49,680 --> 00:40:52,289 And he says that DoH 1153 00:40:52,290 --> 00:40:53,919 violates net neutrality. 1154 00:40:55,170 --> 00:40:55,589 So if 1155 00:40:55,590 --> 00:40:57,749 you, as a user, choose your 1156 00:40:57,750 --> 00:40:58,859 own name server 1157 00:40:58,860 --> 00:40:59,639 with 1158 00:40:59,640 --> 00:41:01,709 a specific protocol, that 1159 00:41:01,710 --> 00:41:04,499 violates net neutrality? 1160 00:41:04,500 --> 00:41:05,489 I still don't 1161 00:41:05,490 --> 00:41:06,569 understand the argument. 1162 00:41:06,570 --> 00:41:08,729 He says that the 1163 00:41:08,730 --> 00:41:11,519 name server in the old-school DNS 1164 00:41:11,520 --> 00:41:13,829 is, by the request, able 1165 00:41:13,830 --> 00:41:16,049 to get you faster routes 1166 00:41:16,050 --> 00:41:17,519 on their back end. 1167 00:41:17,520 --> 00:41:19,249 So if you're. 
1168 00:41:19,250 --> 00:41:21,559 If the old-school name server obviously 1169 00:41:21,560 --> 00:41:23,779 runs in the coming clean and you're now 1170 00:41:23,780 --> 00:41:26,210 using Cloudflare as your resolver, 1171 00:41:27,800 --> 00:41:29,989 I can't give you a faster 1172 00:41:29,990 --> 00:41:32,149 route anymore, and that's why it's against 1173 00:41:32,150 --> 00:41:34,009 net neutrality. 1174 00:41:34,010 --> 00:41:36,109 I think, uh, that guy 1175 00:41:36,110 --> 00:41:38,359 does not really have a good understanding 1176 00:41:38,360 --> 00:41:40,549 of what net neutrality actually is and 1177 00:41:40,550 --> 00:41:40,909 how 1178 00:41:40,910 --> 00:41:41,910 that should work. 1179 00:41:43,790 --> 00:41:44,959 And then there's a lot of shaming of 1180 00:41:44,960 --> 00:41:47,659 Mozilla. I mean, as I said before, 1181 00:41:47,660 --> 00:41:49,009 of course, Mozilla is going to fuck up 1182 00:41:49,010 --> 00:41:50,449 the internet because we all know that 1183 00:41:50,450 --> 00:41:52,779 company has no track record at all. 1184 00:41:52,780 --> 00:41:54,679 I'm sorry, that was sarcastic. 1185 00:41:55,680 --> 00:41:57,859 And the same goes for Cloudflare. 1186 00:41:57,860 --> 00:42:00,109 Of course, Cloudflare is not an 1187 00:42:00,110 --> 00:42:02,359 honest or good company, 1188 00:42:02,360 --> 00:42:04,669 but Mozilla thought about 1189 00:42:04,670 --> 00:42:05,670 this. 1190 00:42:06,110 --> 00:42:07,110 Um, 1191 00:42:08,390 --> 00:42:10,459 I'm going to come to this, and 1192 00:42:10,460 --> 00:42:12,349 there are a lot of arguments that if 1193 00:42:12,350 --> 00:42:14,719 you centralize DNS on Cloudflare, 1194 00:42:16,340 --> 00:42:19,069 an intelligence agency will be 1195 00:42:19,070 --> 00:42:21,559 getting all your data. According 1196 00:42:21,560 --> 00:42:23,239 to the Snowden revelations, 
1197 00:42:23,240 --> 00:42:26,149 they went, uh, the intelligence agency 1198 00:42:26,150 --> 00:42:28,669 went to the internet exchanges 1199 00:42:28,670 --> 00:42:31,069 and deployed man-in-the-middle attacks, 1200 00:42:31,070 --> 00:42:33,229 the pervasive monitoring, because it was 1201 00:42:33,230 --> 00:42:35,539 easier than coming up with court orders 1202 00:42:35,540 --> 00:42:37,939 for each single individual company 1203 00:42:37,940 --> 00:42:40,129 that runs a specific internet service. 1204 00:42:40,130 --> 00:42:42,319 So even if they come up 1205 00:42:42,320 --> 00:42:45,109 with a court order and go to the ISP and 1206 00:42:45,110 --> 00:42:47,299 want to get your data, um, 1207 00:42:47,300 --> 00:42:47,569 it's 1208 00:42:47,570 --> 00:42:48,709 still 1209 00:42:48,710 --> 00:42:50,809 way, way harder, harder than the 1210 00:42:50,810 --> 00:42:52,369 pervasive monitoring at the internet 1211 00:42:52,370 --> 00:42:54,379 exchange, because there is no man-in-the- 1212 00:42:54,380 --> 00:42:56,449 middle attack possible with 1213 00:42:56,450 --> 00:42:57,450 DoH. 1214 00:42:57,950 --> 00:42:59,569 And then there are arguments about opting out 1215 00:42:59,570 --> 00:43:01,669 of that, because 1216 00:43:01,670 --> 00:43:04,369 why would you ever trust a company of 1217 00:43:04,370 --> 00:43:06,439 choice you don't know about? And the 1218 00:43:06,440 --> 00:43:07,969 target audience for DoH, 1219 00:43:07,970 --> 00:43:10,429 it's not you in the audience. 1220 00:43:10,430 --> 00:43:12,479 If you made it here, you know how DNS 1221 00:43:12,480 --> 00:43:13,729 works altogether. 1222 00:43:13,730 --> 00:43:15,169 The target audience for DoH, it's 1223 00:43:16,220 --> 00:43:18,349 your grandma that doesn't know anything 1224 00:43:18,350 --> 00:43:19,350 about domain names. 1225 00:43:20,660 --> 00:43:22,159 And then again, there was this quote by a 1226 00:43:22,160 --> 00:43:23,599 famous German blogger: 
1227 00:43:23,600 --> 00:43:25,909 Mozilla is waging a war against the users 1228 00:43:25,910 --> 00:43:27,739 because, yeah, you can't trust a company 1229 00:43:27,740 --> 00:43:28,819 like Mozilla. 1230 00:43:28,820 --> 00:43:30,469 What fucking stupidity. 1231 00:43:31,610 --> 00:43:32,989 So just remember the goal of 1232 00:43:32,990 --> 00:43:35,149 DoH. We want encrypted DNS. 1233 00:43:36,260 --> 00:43:38,359 We want this for all, 1234 00:43:38,360 --> 00:43:38,569 and 1235 00:43:38,570 --> 00:43:40,729 not just for a few people who are able 1236 00:43:40,730 --> 00:43:43,129 to actually encrypt that data and make 1237 00:43:43,130 --> 00:43:45,109 specific configurations on their 1238 00:43:45,110 --> 00:43:46,110 operating system. 1239 00:43:47,120 --> 00:43:47,509 We want to 1240 00:43:47,510 --> 00:43:49,759 make pervasive monitoring harder 1241 00:43:49,760 --> 00:43:52,039 on a protocol level so that any 1242 00:43:52,040 --> 00:43:54,139 user out there that is using the 1243 00:43:54,140 --> 00:43:56,539 internet can rely on encrypted 1244 00:43:56,540 --> 00:43:58,969 data, because we all 1245 00:43:58,970 --> 00:44:00,139 want better privacy. 1246 00:44:01,640 --> 00:44:03,919 So how is, uh, DoH 1247 00:44:03,920 --> 00:44:04,920 doing this? 1248 00:44:05,780 --> 00:44:06,769 You can 1249 00:44:06,770 --> 00:44:08,509 make an informed choice at the client 1250 00:44:08,510 --> 00:44:10,579 level, so you, as a user, can 1251 00:44:10,580 --> 00:44:12,769 choose the path of 1252 00:44:12,770 --> 00:44:13,879 encrypted DNS 1253 00:44:13,880 --> 00:44:15,109 and privacy. 1254 00:44:16,520 --> 00:44:18,649 It's really, really easy to configure. 1255 00:44:18,650 --> 00:44:20,719 And as I said, there are no man- 1256 00:44:20,720 --> 00:44:22,939 in-the-middle attacks possible anymore. 
1257 00:44:25,880 --> 00:44:28,129 So from my point of view, 1258 00:44:28,130 --> 00:44:30,199 the only way to actually deploy this 1259 00:44:30,200 --> 00:44:32,419 in the wild to the billions of users 1260 00:44:32,420 --> 00:44:33,529 is to make 1261 00:44:33,530 --> 00:44:35,779 that opt-out. 1262 00:44:35,780 --> 00:44:36,780 Um. 1263 00:44:37,200 --> 00:44:39,479 The only way. So if you don't 1264 00:44:39,480 --> 00:44:41,729 like DNS over HTTPS, 1265 00:44:41,730 --> 00:44:43,469 you can just disable it. 1266 00:44:43,470 --> 00:44:45,599 But browser vendors, operating system 1267 00:44:45,600 --> 00:44:47,849 vendors, anybody out there that's working 1268 00:44:47,850 --> 00:44:49,979 on clients that use, 1269 00:44:49,980 --> 00:44:51,300 um, DNS 1270 00:44:53,130 --> 00:44:56,369 need, in my opinion, to deploy 1271 00:44:56,370 --> 00:44:57,089 1272 00:44:57,090 --> 00:44:59,189 DoH by default. 1273 00:44:59,190 --> 00:45:01,229 Otherwise, we will never get encrypted 1274 00:45:01,230 --> 00:45:02,339 DNS 1275 00:45:02,340 --> 00:45:04,439 out there, because as 1276 00:45:04,440 --> 00:45:06,929 we've seen with DNSCrypt, nobody 1277 00:45:06,930 --> 00:45:08,759 cares at all if they have to do it 1278 00:45:08,760 --> 00:45:09,929 themselves. 1279 00:45:09,930 --> 00:45:12,209 So companies have to do this for 1280 00:45:12,210 --> 00:45:13,210 their users. 1281 00:45:15,510 --> 00:45:17,069 Mozilla, as I said, 1282 00:45:17,070 --> 00:45:19,439 gets a lot of batshit 1283 00:45:19,440 --> 00:45:21,779 crazy arguments that they are cooperating 1284 00:45:21,780 --> 00:45:22,889 with Cloudflare. 1285 00:45:22,890 --> 00:45:23,890 They thought about this. 1286 00:45:24,910 --> 00:45:26,039 There's a public policy 1287 00:45:27,180 --> 00:45:30,629 on the contract with Cloudflare: 1288 00:45:30,630 --> 00:45:32,879 what is Cloudflare allowed to 1289 00:45:32,880 --> 00:45:35,099 do with the users' data? 
1290 00:45:35,100 --> 00:45:36,809 They're not allowed to, um, 1291 00:45:37,920 --> 00:45:39,599 personalize any of their side of this 1292 00:45:39,600 --> 00:45:41,519 data. They're not allowed to sell this 1293 00:45:41,520 --> 00:45:43,709 data. They're not allowed to do 1294 00:45:43,710 --> 00:45:45,449 a shitload of stuff. 1295 00:45:45,450 --> 00:45:46,739 Um, and 1296 00:45:46,740 --> 00:45:48,869 they have to delete those 1297 00:45:48,870 --> 00:45:51,419 log files after 24 hours. 1298 00:45:51,420 --> 00:45:52,919 So even if a state actor like an 1299 00:45:52,920 --> 00:45:55,289 intelligence agency runs 1300 00:45:55,290 --> 00:45:58,259 into Cloudflare's name servers, 1301 00:45:58,260 --> 00:45:59,729 their canary will die. 1302 00:45:59,730 --> 00:46:01,889 We will all know about this, and then you 1303 00:46:01,890 --> 00:46:03,779 can just switch to a different name 1304 00:46:03,780 --> 00:46:06,029 server, and they 1305 00:46:06,030 --> 00:46:07,979 will end up with nothing. 1306 00:46:07,980 --> 00:46:09,419 So from my point of view, Mozilla is 1307 00:46:09,420 --> 00:46:11,879 setting a really good, 1308 00:46:11,880 --> 00:46:13,979 um, example of how a 1309 00:46:13,980 --> 00:46:16,139 company that's working on a client 1310 00:46:16,140 --> 00:46:18,719 is able to deploy encrypted traffic 1311 00:46:18,720 --> 00:46:19,720 for their users. 1312 00:46:20,670 --> 00:46:21,149 They call 1313 00:46:21,150 --> 00:46:23,219 this the Trusted Recursive Resolver 1314 00:46:23,220 --> 00:46:26,099 program, because it's a recursive 1315 00:46:26,100 --> 00:46:28,379 resolver built into the client 1316 00:46:28,380 --> 00:46:29,519 that Mozilla trusts, 1317 00:46:30,930 --> 00:46:32,999 and they started doing this 1318 00:46:33,000 --> 00:46:34,589 for 1319 00:46:34,590 --> 00:46:36,449 the US. As I said, they're going to 1320 00:46:36,450 --> 00:46:37,450 deploy this 1321 00:46:39,720 --> 00:46:41,639 worldwide. 
That's what they said they 1322 00:46:41,640 --> 00:46:42,640 want to do. 1323 00:46:43,650 --> 00:46:45,989 Um, and 1324 00:46:45,990 --> 00:46:47,369 from what I've got, there are not that 1325 00:46:47,370 --> 00:46:49,829 many ISPs that want to cooperate with 1326 00:46:49,830 --> 00:46:50,789 Mozilla on that. 1327 00:46:50,790 --> 00:46:53,039 And there are a lot of, well, 1328 00:46:53,040 --> 00:46:55,229 ISPs that say they specifically don't 1329 00:46:55,230 --> 00:46:56,230 want DoH. 1330 00:46:57,120 --> 00:46:59,549 From my point of view, whenever an ISP 1331 00:46:59,550 --> 00:47:01,409 says that they don't want DoH, it's just 1332 00:47:01,410 --> 00:47:03,719 because they use DNS hijacking 1333 00:47:03,720 --> 00:47:05,429 as a feature. 1334 00:47:05,430 --> 00:47:07,559 So they are working against you as 1335 00:47:07,560 --> 00:47:09,749 a user. So please ask 1336 00:47:09,750 --> 00:47:12,149 your ISP if they want to deploy 1337 00:47:12,150 --> 00:47:13,709 DoH and if they want to take part in 1338 00:47:13,710 --> 00:47:15,959 the Trusted Recursive Resolver 1339 00:47:15,960 --> 00:47:16,960 program 1340 00:47:18,120 --> 00:47:19,379 of Firefox. 1341 00:47:20,580 --> 00:47:22,979 Apart from that, there are ISPs that, 1342 00:47:24,390 --> 00:47:26,729 well, use DoH, at least test 1343 00:47:26,730 --> 00:47:28,199 or deploy DoH 1344 00:47:28,200 --> 00:47:30,839 now, um, 1345 00:47:30,840 --> 00:47:32,339 like British Telecom. So this is going to 1346 00:47:32,340 --> 00:47:34,469 be way more in the distant 1347 00:47:34,470 --> 00:47:36,599 future. We're going to have Chrome 1348 00:47:36,600 --> 00:47:38,699 and Windows on DoH as 1349 00:47:38,700 --> 00:47:40,439 default, I guess. 1350 00:47:40,440 --> 00:47:43,439 And finally, we will be able to resolve 1351 00:47:43,440 --> 00:47:45,030 a name by DoH 1352 00:47:46,800 --> 00:47:48,989 and then we end up with encrypted DNS 1353 00:47:48,990 --> 00:47:50,759 for. Yeah. 
1354 00:47:50,760 --> 00:47:52,259 Um, for all the technical problems they 1355 00:47:52,260 --> 00:47:54,059 have working groups now at the IETF, so we 1356 00:47:54,060 --> 00:47:55,409 are going to solve this. 1357 00:47:55,410 --> 00:47:57,479 The split horizon problem, 1358 00:47:57,480 --> 00:47:58,649 we're going to solve the discovery 1359 00:47:58,650 --> 00:48:00,899 problem; there are drafts to make 1360 00:48:00,900 --> 00:48:03,059 an announcement of the DoH server by 1361 00:48:03,060 --> 00:48:04,060 DHCP. 1362 00:48:04,920 --> 00:48:06,869 So the engineers are working on it. 1363 00:48:06,870 --> 00:48:07,870 And then. 1364 00:48:09,140 --> 00:48:11,359 There's still DoT and DoH coming 1365 00:48:11,360 --> 00:48:13,579 up. So even if you don't want 1366 00:48:13,580 --> 00:48:16,199 to use DoT or DoH, 1367 00:48:16,200 --> 00:48:18,289 there is 1368 00:48:18,290 --> 00:48:21,229 the thing that the IETF is standardizing 1369 00:48:21,230 --> 00:48:23,419 after HTTP/3, 1370 00:48:23,420 --> 00:48:26,119 which runs over QUIC, which is going to be DNS 1371 00:48:26,120 --> 00:48:27,169 over QUIC. 1372 00:48:27,170 --> 00:48:28,789 QUIC is a new transport protocol. 1373 00:48:28,790 --> 00:48:30,349 It's completely encrypted 1374 00:48:30,350 --> 00:48:32,599 and, well, it kind 1375 00:48:32,600 --> 00:48:33,600 of 1376 00:48:34,880 --> 00:48:37,519 is used as a mixture 1377 00:48:37,520 --> 00:48:39,739 in between TCP and UDP, 1378 00:48:39,740 --> 00:48:40,519 but 1379 00:48:40,520 --> 00:48:42,469 better, faster and encrypted. 1380 00:48:45,380 --> 00:48:47,569 Yeah, I wanted to 1381 00:48:47,570 --> 00:48:49,759 think about an outlook 1382 00:48:49,760 --> 00:48:50,899 for next year. 1383 00:48:50,900 --> 00:48:53,029 Somebody beat me to it on Twitter, 1384 00:48:53,030 --> 00:48:55,159 so next year will be the year of 1385 00:48:55,160 --> 00:48:56,160 DoH. 1386 00:49:00,950 --> 00:49:02,849 Now it's time for questions. 
1387 00:49:02,850 --> 00:49:04,670 Um, if you have any. 1388 00:49:12,720 --> 00:49:14,939 Well, actually, we'd have 1389 00:49:14,940 --> 00:49:17,189 to make that singular, 1390 00:49:17,190 --> 00:49:19,289 except you're fast, 1391 00:49:19,290 --> 00:49:21,299 you're very fast on the microphone over 1392 00:49:21,300 --> 00:49:23,489 there. There's another microphone there. 1393 00:49:23,490 --> 00:49:24,749 So go ahead. 1394 00:49:24,750 --> 00:49:25,709 Yeah, thank you. 1395 00:49:25,710 --> 00:49:27,839 You said encrypt all 1396 00:49:27,840 --> 00:49:30,159 DNS, but DNS over 1397 00:49:30,160 --> 00:49:32,699 HTTPS encrypts only 1398 00:49:32,700 --> 00:49:34,899 traffic from resolver to 1399 00:47:34,900 --> 00:49:37,649 stub resolver, 1400 00:49:37,650 --> 00:49:40,259 because from Cloudflare to the DNS 1401 00:49:40,260 --> 00:49:42,329 server, everything is unencrypted 1402 00:49:42,330 --> 00:49:43,619 like before. 1403 00:49:43,620 --> 00:49:46,049 Well, yeah, so that's what we care about 1404 00:49:46,050 --> 00:49:47,969 in the IETF: pervasive monitoring. 1405 00:49:47,970 --> 00:49:49,949 So we know the client traffic is actually 1406 00:49:49,950 --> 00:49:52,379 monitored at 1407 00:49:52,380 --> 00:49:54,479 DE-CIX, for example, and we want to stop 1408 00:49:54,480 --> 00:49:56,309 this. We want to stop man-in-the-middle 1409 00:49:56,310 --> 00:49:57,209 attacks. 1410 00:49:57,210 --> 00:49:58,589 If you're running your own name server 1411 00:49:58,590 --> 00:50:00,649 and you want to run a resolver on your 1412 00:50:00,650 --> 00:50:02,429 own name server, just use DoT. 1413 00:50:03,630 --> 00:50:05,249 They're not going to block this. 1414 00:50:05,250 --> 00:50:06,250 This is going to be 1415 00:50:07,380 --> 00:50:09,509 the... you can't be blocked in a 1416 00:50:09,510 --> 00:50:10,709 client. 
1417 00:50:10,710 --> 00:50:13,199 Uh, kind of, since 1418 00:50:13,200 --> 00:50:15,629 the name server communication, 1419 00:50:15,630 --> 00:50:16,619 in between name servers, 1420 00:50:16,620 --> 00:50:18,269 it's not part of the idea. 1421 00:50:19,290 --> 00:50:20,290 OK. 1422 00:50:20,640 --> 00:50:22,679 Well, unfortunately, that's it. 1423 00:50:22,680 --> 00:50:24,819 We are out of time, even though 1424 00:50:24,820 --> 00:50:27,029 the internet and the signal angels 1425 00:50:27,030 --> 00:50:28,859 still have questions and there are a lot 1426 00:50:28,860 --> 00:50:30,929 more questions in the room. 1427 00:50:30,930 --> 00:50:31,959 I'm going to be around. 1428 00:50:31,960 --> 00:50:33,659 Uh, if you still have questions, 1429 00:50:33,660 --> 00:50:35,819 maybe you can take your 1430 00:50:35,820 --> 00:50:37,859 discussion someplace. 1431 00:50:37,860 --> 00:50:39,840 Thank you. And, um, 1432 00:50:40,890 --> 00:50:41,890 applause.