DNSOP WG | T. Reddy |
Internet-Draft | McAfee |
Intended status: Standards Track | N. Cook |
Expires: January 28, 2021 | Open-Xchange |
D. Wing | |
Citrix | |
M. Boucadair | |
Orange | |
July 27, 2020 |
DNS Access Denied Error page
draft-reddy-dnsop-error-page-02
When a DNS server filters a query the response conveys no detailed explanation of why the query was blocked, leading to end-user confusion. This document defines a method to return an URL that explains the reason the DNS query was filtered.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 28, 2021.
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
DNS filters are deployed for a variety of reasons including endpoint security, parental filtering, and filtering required by law enforcement. These are discussed in more detail below:
DNS responses can be filtered by sending a bogus ("forged") A or AAAA response, NXDOMAIN error or empty answer, or an extended error code defined in [I-D.ietf-dnsop-extended-error]. Each of these have advantages and disadvantages, discussed below:
No matter which type of response is generated (forged IP address, NXDOMAIN or empty answer, or an extended error code), the user who generated the query has little chance to understand which entity filtered the query, how to report a mistake in the filter, or why the entity filtered it at all. This document describes a mechanism to provide a URL which, when accessed, provides such information to the user.
One of the other benefits of this document is eliminating the need to "spoof" block pages for HTTPS resources, as the block page no longer needs to create a signed certificate when blocking a destination. This avoids the need to install an local root certificate authority on those IT-managed devices.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.
This document makes use of the terms defined in [RFC8499] and [I-D.ietf-dnsop-terminology-ter].
'DoH/DoT' refers to DNS-over-HTTPS and/or DNS-over-TLS.
The mechanism for providing additional information about the cause of blocking access to a domain is from the HTTPS DNS record [I-D.ietf-dnsop-svcb-https]. The "HTTPS" DNS resource record type provides more information to the client before it attempts to establish a HTTPS connection. This HTTPS record in the "ServiceMode" (Section 2.4.2 of [I-D.ietf-dnsop-svcb-https]) provides the URL that gives additional information about the cause of blocking access to a domain. In order to convey an error page URL, this HTTPS record SHOULD be returned along with the "Forged Answer" extended error code in Extended DNS Error (EDE) EDNS option and MUST contain the "eut" (Section 7) parameter. The value stored in the parameter is a URL.
The SvcParamKey "eut" MUST only be processed by the DNS client for a "Forged Answer" extended error code and MUST be ignored for any other type of DNS response. The HTTPS record MUST be placed as an additional record in the additional data section of the DNS response. The name of the record MUST match the original QNAME in the DNS request. When the "forged answer” extended error code is returned in conjunction with an HTTPS record containing the "eut" SvcParamKey, any other resource records in the answer MUST be ignored by clients supporting this specification. The "eut" is a single-valued SvcParamKey and the value MUST NOT be empty.
The following example shows a record containing an error page URL:
foo.example.com. 7200 IN HTTPS 1 . ( eut=https://block.example.net/block-page=ZXhhbXBsZS5jb20 )
Figure 1: Example 1
In the above example, if the URI template is "https://block.example.net/block-page={target-domain}" for the server returning the error page and access to the target domain "example.com" is blocked, the DNS server replaces the string "{target-domain}" in the template with the base64url-encoded target domain [RFC4648].
The agent acting as HTTPS client on the endpoint uses the URL as given by the DNS server in a HTTP GET request to retrieve the error page. HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP to use to retrieve the error page.
The following text outlines the RECOMMENDED contents of an error page to assist the operator developing the error page.
The content of the error page discussed above is non-normative, the above text only provides the guidelines and template for the error page and.
The error page SHOULD be returned in the user's preferred language as expressed by the Accept-Language header. If the error page is displayed in a language not known to the end user and assuming Internationalization features failed, browser extensions to translate to user's native language can be used. For example, "Google Translate" extension [Chrome-Translate] provided by Google on Chrome can be used by the user to translate the error page. The "Google Translate" extension automatically detects whether the language of a page is different from the language the user has selected. If it is in a different language, a banner appears at the top of the page. The user can click on the Translate button in the banner to have all the text on the page appear in the language selected by the user.
Security considerations in [I-D.ietf-dnsop-extended-error] need to be taken into consideration. Unless the DNS response that conveys the URL that provides additional information about the cause of blocking access to a domain is sent over DNS-over-HTTPS (DoH) [RFC8484] or DNS-over-TLS (DoT) [RFC7858], the DNS response is susceptible to forgery.
The agent acting as the HTTPS client on the endpoint MUST NOT fetch the URL unless DNS messages exchanged are cryptographically protected using DoH/DoT. Bad actors can host DoH/DoT servers, and claim the servers offer privacy and filtering capability to block malware domains but exactly do the opposite to invade the security and privacy of the end user. For example, this attack can be mitigated if the endpoint selects DoH/DoT servers hosted by well-known organizations (e.g., ISPs, organization for which a user works, etc.) or the user selects DoH/DoT server with filtering capability pre-configured in the OS/Browser. The DNS client can learn the filtering capability of a DoH/DoT server using [I-D.reddy-add-server-policy-selection]. [I-D.reddy-add-server-policy-selection] also discusses how a DNS client can authenticate it is connecting to a DoH/DoT server hosted by a specific organization (e.g., ISP). This information is cryptographically signed to attest its authenticity. It is particularly useful when the DoH/DoT server is insecurely discovered and prevents the client from connecting to an attackers DoH/DoT server.
In order to deal with malicious servers, because the client knows that it is accessing a error page URL, it can know not to send cookies, not to send credentials, disable JavaScript, auto-enable private browsing mode for the error page or load the error page in a container isolated from other web activity, etc. The client MUST reject the URL if the scheme is not "https".
The DoH/DoT session provides transport security for the interaction between the DNS client and server, but DNSSEC signing and validation is not possible for the HTTPS record returning the error page URL along with the "Forged Answer" extended error. The DNS resolver MUST NOT forward the "Forged Answer" extended error and the HTTPS record from an upstream resolver as an attacker (e.g., MiTM) could insert a fake extended error response and HTTPS record into the DNS response. As such, the HTTPS record returning the error page URL should be treated only as diagnostic information and MUST NOT alter DNS protocol processing.
By design, the object referenced by the error page URL potentially exposes additional information about the DNS resolution process that may leak information. An example of this is the reason for blocking the access to the domain name and the entity blocking access to the domain.
This document adds a parameter to the "Service Binding (SVCB) Parameter" registry. If present, this parameter indicates the URL that provides additional information about the cause of blocking access to a domain is designated for use with the "Forged answer" extended error code. This is a string encoded as UTF-8 characters.
Thanks to Vittorio Bertola, Wes Hardaker and Bob Harold for the comments.
[I-D.ietf-dnsop-extended-error] | Kumari, W., Hunt, E., Arends, R., Hardaker, W. and D. Lawrence, "Extended DNS Errors", Internet-Draft draft-ietf-dnsop-extended-error-16, May 2020. |
[I-D.ietf-dnsop-svcb-https] | Schwartz, B., Bishop, M. and E. Nygren, "Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)", Internet-Draft draft-ietf-dnsop-svcb-https-01, July 2020. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC4648] | Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006. |
[RFC7540] | Belshe, M., Peon, R. and M. Thomson, "Hypertext Transfer Protocol Version 2 (HTTP/2)", RFC 7540, DOI 10.17487/RFC7540, May 2015. |
[RFC8174] | Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017. |
[Chrome-Install-Cert] | "How to manually install the Securly SSL certificate in Chrome" |
[Chrome-Translate] | "Google Translate" |
[I-D.ietf-dnsop-terminology-ter] | Hoffman, P., "Terminology for DNS Transports and Location", Internet-Draft draft-ietf-dnsop-terminology-ter-01, February 2020. |
[I-D.reddy-add-server-policy-selection] | Reddy.K, T., Wing, D., Richardson, M. and M. Boucadair, "DNS Server Selection: DNS Server Information with Assertion Token", Internet-Draft draft-reddy-add-server-policy-selection-04, July 2020. |
[RFC7858] | Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D. and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 2016. |
[RFC8484] | Hoffman, P. and P. McManus, "DNS Queries over HTTPS (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018. |
[RFC8499] | Hoffman, P., Sullivan, A. and K. Fujiwara, "DNS Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, January 2019. |