
A new step towards privacy when using DNS

11/22/2021

Introduction

RFC 9156, “DNS Query Name Minimisation to Improve Privacy” was recently published, standardising a method of reducing the quantity of data sent by a DNS request and thus making an important contribution to reducing invasions of privacy when using this protocol.

The problem

As explained in RFC 7626, “DNS Privacy Considerations”, DNS users, which is to say all Internet users, give information indirectly on their online activities via the DNS queries made by their device. So, for example, if they visit the French website of Alcoholics Anonymous, a certain number of DNS server managers or network operators giving access to it will see a DNS query on the name www.alcooliques-anonymes.fr, information that visitors would probably have preferred to keep to themselves.
For some years now, the IETF, the body that standardises the DNS protocol, has been working to reduce this information leakage. When talking about protecting privacy, people often think only of encryption of communications. Encryption is certainly a useful tool for protecting against the indiscretion of a third party listening in. But it does not resolve all the problems. For example, it does not protect against the recipient of the communication. If I use social media accessible via the Internet, the communication will no doubt be in HTTPS and as such encrypted, but this only protects against possible eavesdroppers on network traffic, not against the managers of the social network, who will still see everything. So encryption alone is not enough; it is also necessary to minimise the data sent.
The GDPR (General Data Protection Regulation), for example, stresses the importance of this minimisation, and repeatedly mentions the “principle of data minimisation”. In its Article 5, the GDPR states that the data collected must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).” For example, to compile statistics on the age of users of a particular service, asking them for their full date of birth is entirely unnecessary: the year would be enough.
Before the minimisation technique described in this RFC, DNS sent more information than “what is necessary in relation to the purposes.” The authoritative name servers received the full name requested, even though no single server has complete knowledge of all domain names and the last component(s) of the name would have sufficed for it to answer. (You can see how DNS resolution works in this Afnic video).

The solution

The technique standardised in RFC 9156 is simple: a DNS resolver does not have to send the authoritative name servers the full domain name sent to it, but only the part that is strictly necessary. To return to the example of www.alcooliques-anonymes.fr referred to above, the resolver will send the root name servers only fr (root name servers know only TLDs) and will send Afnic’s servers only alcooliques-anonymes.fr, not the full name. (If you are familiar with DNS, you will realise that things are of course a little more complicated than this: see the RFC for full details).
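To make the difference concrete, here is an added example (not code from the article or from the RFC's authors): a deliberately simplified model of a resolver walking the delegation chain for www.alcooliques-anonymes.fr, once sending the full name to every server and once applying query name minimisation. The delegation table is constructed for the example and stands in for the root, Afnic's .fr servers and the domain's own servers.

```python
# Added example: simplified model of DNS query name minimisation (RFC 9156).
# Constructed delegation table standing in for the real servers: the root
# delegates "fr." to Afnic, which delegates the domain to its own servers.
DELEGATIONS = {
    ".": {"fr."},
    "fr.": {"alcooliques-anonymes.fr."},
    "alcooliques-anonymes.fr.": set(),  # answers for the full name itself
}


def labels(name):
    """Split a domain name into labels: 'www.example.fr.' -> ['www', 'example', 'fr']."""
    return [label for label in name.rstrip(".").split(".") if label]


def is_subdomain(name, zone):
    """True when name is at or below zone (both absolute, with trailing dot)."""
    return name == zone or name.endswith("." + zone)


def resolve(qname, minimise):
    """Walk the delegation chain and return [(zone asked, qname sent)] per step.

    Without minimisation the full qname goes to every server; with it, the
    resolver sends only one label more than the zone the server is known for.
    Real resolvers also handle CNAMEs, empty non-terminals and odd NXDOMAIN
    answers (see RFC 9156); those cases are left out of this model.
    """
    if not qname.endswith("."):
        qname += "."
    zone, steps = ".", []
    while True:
        if minimise:
            wanted = min(len(labels(zone)) + 1, len(labels(qname)))
            query = ".".join(labels(qname)[-wanted:]) + "."
        else:
            query = qname
        steps.append((zone, query))
        child = next((z for z in DELEGATIONS.get(zone, ()) if is_subdomain(qname, z)), None)
        if child is None:  # no further delegation: this server answers
            return steps
        zone = child


def labels_seen(qname, minimise):
    """How many labels of the queried name each server learns, keyed by zone."""
    return {zone: len(labels(query)) for zone, query in resolve(qname, minimise)}


if __name__ == "__main__":
    for minimise in (False, True):
        print("minimisation", "on" if minimise else "off")
        for zone, query in resolve("www.alcooliques-anonymes.fr", minimise):
            print(f"  servers for {zone:<26} receive {query}")
```

With minimisation on, the root servers learn only "fr." and Afnic's servers only "alcooliques-anonymes.fr."; with it off, all three learn the full name.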
It is amusing to note that many videos you can find randomly on the Web claiming to explain “how DNS works in three minutes” were previously incorrect, as they showed a resolver minimising data well before the original RFC was published!
This minimisation technique had originally been described in RFC 7816, which had “experimental” status for the IETF. In the years since this “experiment” was first rolled out, the advantages of minimising queries and its lack of any serious drawbacks have allowed progress to be made, and the new RFC 9156, which replaces RFC 7816, now has the status of a technical standard.
This new standard has been drawn up by Paul Hoffman (ICANN), Ralph Dolmans (NLnet Labs) and yours truly at Afnic. NLnet Labs develops many of the free software applications on which today’s DNS relies, such as the Unbound resolver. Ralph is the programmer who modified Unbound, introducing name query minimisation. The IETF is always concerned with practicality, and with making sure that technical standards are realistic and can be programmed without causing major problems. So Ralph’s expertise has been very useful.

Deployment

Various tests carried out on resolvers, or through measurement systems such as RIPE Atlas probes, indicate that between one-third and half of Internet users currently use a DNS resolver that minimises name queries. If yours doesn’t, ask your ISP to activate this protection! Publication of this RFC and the new status of this technique as a standard should ensure its broad dissemination.

Technical aspects

The technically minded can test their DNS resolver at https://tcmdns.dev.dns-oarc.net/. One of the tests is data minimisation, but the way the results are shown is rather complex.