Internet-Draft Data for Filtered DNS April 2022
Wing, et al. Expires 29 October 2022 [Page]
Workgroup:
DNSOP WG
Internet-Draft:
Updates:
8914 (if approved)
Published:
Intended Status:
Standards Track
Expires:
Authors:
D. Wing
Citrix
T. Reddy
Akamai
N. Cook
Open-Xchange
M. Boucadair
Orange

Structured Data for Filtered DNS

Abstract

DNS filtering is widely deployed for network security, but filtered DNS responses lack information for the end user to understand the reason for the filtering. Existing mechanisms to provide detail to end users cause harm especially if the blocked DNS response is to an HTTPS website.

This document updates RFC8914's EXTRA-TEXT field to provide information on DNS filtering. This information can be parsed by the client and displayed, logged, or used for other purposes.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 29 October 2022.

Table of Contents

1. Introduction

DNS filters are deployed for a variety of reasons including endpoint security, parental filtering, and filtering required by law enforcement. Network-based security solutions such as firewalls and Intrusion Prevention Systems (IPS) rely upon network traffic inspection to implement perimeter-based security policies and operate by filtering DNS responses. In a home, DNS filtering is used for the same reasons as above and additionally for parental control. Internet Service Providers typically block access to some DNS domains due to a requirement imposed by an external entity (e.g., law enforcement agency) also performed using DNS-based content filtering.

Users of DNS services which perform filtering may wish to receive more information about such filtering to resolve problems with the filter -- for example to contact the administrator to allowlist a domain that was erroneously filtered or to understand the reason a particular domain was filtered. With that information, the user can choose another network, open a trouble ticket with the DNS administrator to resolve erroneous filtering, log the information, or other uses.

DNS responses can be filtered by sending a bogus (also called, "forged") A or AAAA response, NXDOMAIN error or empty answer, or an extended DNS error (EDE) code defined in [RFC8914]. Each of these methods have advantages and disadvantages that are discussed below:

  1. The DNS response is forged to provide a list of IP addresses that points to an HTTP(S) server alerting the end user about the reason for blocking access to the requested domain (e.g., malware). When an HTTP(S) enabled domain name is blocked, the network security device (e.g., CPE, firewall) presents a block page instead of the HTTP response from the content provider hosting that domain. If an HTTP enabled domain name is blocked, the network security device intercepts the HTTP request and returns a block page over HTTP. If an HTTPS enabled domain is blocked, the block page is also served over HTTPS. In order to return a block page over HTTPS, man in the middle (MITM) is enabled on endpoints by generating a local root certificate and an accompanying (local) public/private key pair. The local root certificate is installed on the endpoint while the network security device(s) stores a copy of the private key. During the TLS handshake, the network security device modifies the certificate provided by the server and (re)signs it using the private key from the local root certificate.

    • However, configuring the local root certificate on endpoints is not a viable option in several deployments like home networks, schools, Small Office/Home Office (SOHO), and Small/ Medium Enterprise (SME). In these cases, the typical behavior is that the filtered DNS response points to a server that will display the block page. If the client is using HTTPS (via web browser or another application) this results in a certificate validation error which gives no information to the end-user about the reason for the DNS filtering. Browsers will display errors such as "The security certificate presented by this website was not issued by a trusted certificate authority" (Internet Explorer/Edge"), "The site's security certificate is not trusted" (Chrome), "This Connection is Untrusted" (Firefox), "Safari can't verify the identity of the website..." (Safari on MacOS). Applications might display even more cryptic error messages.

    • Enterprise networks do not assume that all the connected devices are managed by the IT team or Mobile Device Management (MDM) devices, especially in the quite common Bring Your Own Device (BYOD) scenario. In addition, the local root certificate cannot be installed on IoT devices without a device management tool.
    • An end user does not know why the connection was prevented and, consequently, may repeatedly try to reach the domain but with no success. Frustrated, the end user may switch to an alternate network that offers no DNS filtering against malware and phishing, potentially compromising both security and privacy. Furthermore, certificate errors train users to click through certificate errors, which is a bad security practice. To eliminate the need for an end user to click through certificate errors, an end user may manually install a local root certificate on a host device. Doing so, however, is also a bad security practice as it creates a security vulnerability that may be exploited by a MITM attack. When a manually installed local root certificate expires, the user has to (again) manually install the new local root certificate.
  2. The DNS response is forged to provide a NXDOMAIN response to cause the DNS lookup to terminate in failure. In this case, an end user does not know why the domain cannot be reached and may repeatedly try to reach the domain but with no success. Frustrated, the end user may use insecure connections to reach the domain, potentially compromising both security and privacy.
  3. The extended error codes Blocked, Censored, and Filtered defined in Section 4 of [RFC8914] can be returned by a DNS server to provide additional information about the cause of an DNS error. If the extended error code "Forged Answer" defined in Section 4.5 of [RFC8914] is returned by the DNS server, the client can identify the DNS response is forged together with the reason for HTTPS certificate error.
  4. These extended error codes do not suffer from the limitations discussed in bullets (1) and (2), but the user still does not know the exact reason nor he/she is aware of the exact entity blocking the access to the domain. For example, a DNS server may block access to a domain based on the content category such as "Adult Content" to enforce parental control, "Violence & Terrorism" due to an external requirement imposed by an external entity (e.g., Law Enforcement Agency), etc. These content categories cannot be standardized because the classification of domains into content categories is vendor specific, typically ranges from 40 to 100 types of categories depending on the vendor and the categories keep evolving. Furthermore, the threat data used to categorize domains may sometimes misclassify domains (e.g., domains wrongly classified as Domain Generation Algorithm (DGA) by deep learning techniques, domain wrongly classified as phishing due to crowd sourcing, new domains not categorized by the threat data). A user needs to know the contact details of the IT/InfoSec team to raise a complaint.
  5. When a resolver or forwarder forwards the received EDE option, the EXTRA-TEXT field only conveys the source of the error (Section 3 of [RFC8914]) and does not provide additional textual information about the cause of the error.

For both DNS filtering mechanisms described above, the DNS server can return extended error codes Blocked, Censored, Filtered, or Forged Answer defined in Section 4 of [RFC8914]. However, these codes only explain that filtering occurred but lack detail for the user to diagnose erroneous filtering.

No matter which type of response is generated (forged IP address(es), NXDOMAIN or empty answer, even with an extended error code), the user who triggered the DNS query has little chance to understand which entity filtered the query, how to report a mistake in the filter, or why the entity filtered it at all. This document describes a mechanism to provide such detail.

One of the other benefits of this approach is to eliminate the need to "spoof" block pages for HTTPS resources. This is achieved since clients implementing this approach would be able to display a meaningful error message, and would not need to connect to such a block page. This approach thus avoids the need to install a local root certificate authority on those IT-managed devices.

This document describes a format for computer-parsable data in the EXTRA-TEXT field of Extended DNS Errors [RFC8914].

This document does not recommend DNS filtering but provides a mechanism for better transparency to explain to the users why some DNS queries are filtered.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.

This document uses terms defined in DNS Terminology [RFC8499].

"Requestor" refers to the side that sends a request. "Responder" refers to an authoritative, recursive resolver or other DNS component that responds to questions. Other terminology is used here as defined in the RFCs cited by this document.

"Encrypted DNS" refers to any encrypted scheme to convey DNS messages, for example, DNS-over-HTTPS [RFC8484], DNS-over-TLS [RFC7858], or DNS-over-QUIC [I-D.ietf-dprive-dnsoquic].

3. I-JSON in EXTRA-TEXT field

Servers compliant with this specification send I-JSON data in the EXTRA-TEXT field [RFC8914] using the Internet JSON (I-JSON) message format [RFC7493].

This document defines the following JSON names:

c: (contact)
The contact details of the IT/InfoSec team to report mis-classified DNS filtering. This field is structured as an array of contact URIs (e.g., tel, sips, https). At least one contact URI MUST be included. This field is mandatory.
j: (justification)
the textual justification for this particular DNS filtering. This field is mandatory.
o: (organization)
human-friendly name of the organization that filtered this particular DNS query. This field is optional.

New JSON names MUST be defined in the IANA registry (Section 7), consist only of lower-case ASCII characters, digits, and hyphens (that is, Unicode characters U+0061 through 007A, U+0030 through U+0039, and U+002D). These names MUST be 63 characters or shorter and it is RECOMMENDED they be as short as possible.

To reduce packet overhead the generated JSON SHOULD be as short as possible: short domain names, concise text in the values for the "j" and "o" names, and minified JSON (that is, without spaces or line breaks between JSON elements).

The JSON data can be parsed to display to the user, logged, or otherwise used to assist the end-user or IT staff with troubleshooting and diagnosing the cause of the DNS filtering.

4. Protocol Operation

4.1. Client Generating Request

When generating a DNS query, the client MUST include the OPT pseudo-RR [RFC6891] to elicit the Extended DNS Error option [RFC8914] in the DNS response.

4.2. Server Generating Response

When the DNS server filters its DNS response to an A or AAAA record query, the DNS response MAY contain an empty answer, NXDOMAIN, or a forged A or AAAA response, as desired by the DNS server. In addition, if the query contained the OPT pseudo-RR the DNS server MAY return more detail in the EXTRA-TEXT field as described in Section 4.3.

Servers may decide to return small TTL values in filtered DNS responses (e.g., 2 seconds) to handle domain category and reputation updates.

4.3. Client Processing Response

On receipt of a DNS response with an Extended DNS Error option, the following actions are performed if the EXTRA-TEXT field contains valid JSON:

  • The response MUST be received over an encrypted DNS channel. If not, the requestor MUST discard data in the EXTRA-TEXT field.
  • The response MUST be received from a DNS server which advertised EDE support via RESINFO [I-D.reddy-add-resolver-info].
  • Servers which don't support this specification might use plain text in the EXTRA-TEXT field so that requestors SHOULD properly handle both plaintext and JSON text in the EXTRA-TEXT field.
  • The DNS response MUST also contain an extended error code of "Censored", "Blocked", "Filtered" or "Forged" [RFC8914], otherwise the EXTRA-TEXT field is discarded.
  • If either of the mandatory JSON names "c" and "j" are missing or have empty values in the EXTRA-TEXT field, the entire JSON is discarded.
  • If a DNS client has enabled opportunistic privacy profile (Section 5 of [RFC8310]) for DoT, the DNS client will either fallback to an encrypted connection without authenticating the DNS server provided by the local network or fallback to clear text DNS, and cannot exchange encrypted DNS messages. Both of these fallback mechanisms adversely impacts security and privacy. If the DNS client has enabled opportunistic privacy profile for DoT, the DNS client MUST ignore the EXTRA-TEXT field of the EDE responses, but SHOULD process other parts of the response.
  • If a DNS client has enabled strict privacy profile (Section 5 of [RFC8310]) for DoT, the DNS client requires an encrypted connection and successful authentication of the DNS server; this mitigates both passive eavesdropping and client redirection (at the expense of providing no DNS service if an encrypted, authenticated connection is not available). If the DNS client has enabled strict privacy profile for DoT, the client MAY process the EXTRA-TEXT field of the DNS response. Note that the strict and opportunistic privacy profiles as defined in [RFC8310] only apply to DoT; there has been no such distinction made for DoH.
  • If the DNS client determines that the encrypted DNS server does not offer DNS filtering service, it MUST discard the EXTRA-TEXT field of the EDE response. For example, the DNS client can learn whether the encrypted DNS resolver performs DNS-based content filtering or not by retrieving resolver information using the method defined in [I-D.reddy-add-resolver-info].
  • When a forwarder receives an EDE option, whether or not (and how) to pass along JSON information in the EXTRA-TEXT on to their client is implementation dependent [RFC5625]. Implementations MAY choose to not forward the JSON information, or they MAY choose to create a new EDE option that conveys the information in the "c" and "j" fields encoded in the JSON object.

5. Examples

An example showing the nameserver at 'ns.example.net' that filtered a DNS "A" record query for 'example.org' is shown in Figure 1.

  {
  "c": ["tel:+358-555-1234567", "sips:bob@bobphone.example.com",
        "https://ticket.example.com?d=example.org&t=1650560748"],
    "j": "malware present for 23 days",
    "o": "example.net Filtering Service"
  }
Figure 1: JSON returned in EXTRA-TEXT field of Extended DNS Error response

In Figure 2 the same content is shown with minified JSON (no whitespace, no blank lines) with '\' line wrapping per [RFC8792].

  ============== NOTE: '\' line wrapping per RFC 8792 ===============

  {"c":["tel:+358-555-1234567","sips:bob@bobphone.example.com", \
  "https://ticket.example.com?d=example.org&t=1650560748"], \
  "j":"malware present for 23 days","o":"example.net Filtering \
  Service"}
Figure 2: Minified response

6. Security Considerations

Security considerations in Section 6 of [RFC8914] apply to this document.

To minimize impact of active on-path attacks on the DNS channel, the client validates the response as described in Section 4.3.

A client might choose to display the information in the EXTRA-TEXT field if and only if the encrypted resolver has sufficient reputation, according to some local policy (e.g. user configuration, administrative configuration, or a built-in list of respectable resolvers). This limits the ability of a malicious encrypted resolver to cause harm. If the client decides not to display the all of the information in the EXTRA-TEXT field, it can be logged for diagnostics purpose and the client can only display the resolver hostname that blocked the domain and error description for the EDE code to the end-user.

When displaying the free-form text of "c" and "j", the browser SHOULD NOT make any of those elements into actionable (clickable) links.

An attacker might inject (or modify) the EDE EXTRA-TEXT field with an DNS proxy or DNS forwarder that is unaware of EDE. Such a DNS proxy or DNS forwarder will forward that attacker-controlled EDE option. To prevent such an attack, clients supporting this document MUST discard the EDE option if their DNS server does not signal EDE support via RESINFO [I-D.reddy-add-resolver-info]. As recommended in [I-D.reddy-add-resolver-info], RESINFO should be retrieved over an encrypted DNS channel or integrity protected with DNSSEC.

7. IANA Considerations

This document requests IANA to register the "application/json+structured-dns-error" media type in the "Media Types" registry [IANA-MediaTypes]. This registration follows the procedures specified in [RFC6838]:

   Type name: application

   Subtype name: json+structured-dns-error

   Required parameters: N/A

   Optional parameters: N/A

   Encoding considerations: as defined in Section NN of [RFCXXXX].

   Security considerations: See Section NNN of [RFCXXXX].

   Interoperability considerations: N/A

   Published specification: [RFCXXXX]

   Applications that use this media type: Section NNNN of [RFCXXXX].

   Fragment identifier considerations: N/A

   Additional information: N/A

   Person & email address to contact for further information: IETF,
      iesg@ietf.org

   Intended usage: COMMON

   Restrictions on usage: none

   Author: See Authors' Addresses section.

   Change controller: IESG

   Provisional registration?  No

8. Changes

This section is to be removed before publishing as an RFC.

8.1. Changes from 02 to 03

8.2. Changes from 01 to 02

8.3. Changes from 00 to 01

9. References

9.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC6838]
Freed, N., Klensin, J., and T. Hansen, "Media Type Specifications and Registration Procedures", BCP 13, RFC 6838, DOI 10.17487/RFC6838, , <https://www.rfc-editor.org/info/rfc6838>.
[RFC6891]
Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms for DNS (EDNS(0))", STD 75, RFC 6891, DOI 10.17487/RFC6891, , <https://www.rfc-editor.org/info/rfc6891>.
[RFC7159]
Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 7159, DOI 10.17487/RFC7159, , <https://www.rfc-editor.org/info/rfc7159>.
[RFC7493]
Bray, T., Ed., "The I-JSON Message Format", RFC 7493, DOI 10.17487/RFC7493, , <https://www.rfc-editor.org/info/rfc7493>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC8310]
Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles for DNS over TLS and DNS over DTLS", RFC 8310, DOI 10.17487/RFC8310, , <https://www.rfc-editor.org/info/rfc8310>.

9.2. Informative References

[I-D.ietf-dprive-dnsoquic]
Huitema, C., Dickinson, S., and A. Mankin, "DNS over Dedicated QUIC Connections", Work in Progress, Internet-Draft, draft-ietf-dprive-dnsoquic-12, , <https://datatracker.ietf.org/doc/html/draft-ietf-dprive-dnsoquic-12>.
[I-D.reddy-add-resolver-info]
Reddy, T. and M. Boucadair, "DNS Resolver Information", Work in Progress, Internet-Draft, draft-reddy-add-resolver-info-05, , <https://datatracker.ietf.org/doc/html/draft-reddy-add-resolver-info-05>.
[I-D.reddy-dnsop-error-page]
Reddy, T., Cook, N., Wing, D., and M. Boucadair, "DNS Access Denied Error Page", Work in Progress, Internet-Draft, draft-reddy-dnsop-error-page-08, , <https://datatracker.ietf.org/doc/html/draft-reddy-dnsop-error-page-08>.
[IANA-MediaTypes]
IANA, "Media Types", <https://www.iana.org/assignments/media-types>.
[RFC5625]
Bellis, R., "DNS Proxy Implementation Guidelines", BCP 152, RFC 5625, DOI 10.17487/RFC5625, , <https://www.rfc-editor.org/info/rfc5625>.
[RFC7858]
Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, , <https://www.rfc-editor.org/info/rfc7858>.
[RFC8259]
Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, , <https://www.rfc-editor.org/info/rfc8259>.
[RFC8484]
Hoffman, P. and P. McManus, "DNS Queries over HTTPS (DoH)", RFC 8484, DOI 10.17487/RFC8484, , <https://www.rfc-editor.org/info/rfc8484>.
[RFC8499]
Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, , <https://www.rfc-editor.org/info/rfc8499>.
[RFC8792]
Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, "Handling Long Lines in Content of Internet-Drafts and RFCs", RFC 8792, DOI 10.17487/RFC8792, , <https://www.rfc-editor.org/info/rfc8792>.
[RFC8914]
Kumari, W., Hunt, E., Arends, R., Hardaker, W., and D. Lawrence, "Extended DNS Errors", RFC 8914, DOI 10.17487/RFC8914, , <https://www.rfc-editor.org/info/rfc8914>.

Authors' Addresses

Dan Wing
Citrix Systems, Inc.
United States of America
Tirumaleswar Reddy
Akamai
Bangalore
Karnataka
India
Neil Cook
Open-Xchange
United Kingdom
Mohamed Boucadair
Orange
35000 Rennes
France

mirror server hosted at Truenetwork, Russian Federation.