[dns-resolver-tf] Final final draft of RIPE DNS Resolver Best Common Practices
- Previous message (by thread): [dns-resolver-tf] Final final draft of RIPE DNS Resolver Best Common Practices
- Next message (by thread): [dns-resolver-tf] Default max-ttl (was: Final final draft of RIPE DNS Resolver Best Common Practices)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Tim Wicinski
tjw.ietf at gmail.com
Sun Mar 24 20:00:09 CET 2024
Some more and apologies as I was thinking the updates were in the git repo which was what confused me. ### TTL Recommendations Software typically defaults to a maximum stored TTL of 1 or 2 days. A lower TTL will mean removing rarely-used records that have long TTL, and should not have much operational impact from a CPU or network point of view Where did this 1 or 2 days come from? From most s/w I've seen the default max-cache-ttl is a few hours. **Discovery of DNS Designated Resolvers** QUESTION: Do we need to publish certificate in other ways that via the DDR mechanisms? three things 1) s/ways that via/ways than via/ 2) s/certificate/certificates/ 3) yes we do but it's still very hand wavey in how this all goes down. ### DNSSEC validation owner of domain name being queried are returned. s/owner of domain name/owner of the domain name/ On Sun, Mar 24, 2024 at 2:42 PM Tim Wicinski <tjw.ietf at gmail.com> wrote: > > I want to agree we should reference RFC8932 but perhaps it is cleaner to > include their text in this document, to save folks from bouncing through > documents. > I've felt one of our big goals would be a document where reading the RFCs > or other documents would be for historical or extra details. > Willing to be told I'm wrong. > > > > On Sun, Mar 24, 2024 at 2:32 PM Tim Wicinski <tjw.ietf at gmail.com> wrote: > >> >> Sorry I have found it a bit hard to track the document so some of these >> may be duplicates >> >> ### About Recomendation Text >> >> >> s/Recomendation/Recommendation >> >> may have significant >> >> s/may have significant /may have a significant/ >> >> NSEC3 values, can reduce >> >> s/NSEC3 values, can reduce/NSEC3 values can reduce/ >> >> NSEC3 redords >> >> s/NSEC3 redords/NSEC3 records/ >> >> which return all all >> >> s/ which return all all / which return all / >> >> s/liase/liaise/ >> >> On Sun, Mar 24, 2024 at 12:25 PM Shane Kerr <shane at time-travellers.org> >> wrote: >> >>> Maarten, >>> >>> Thank you for your suggestions, edits, and discussion. I've updated the >>> final draft to give us a final, final draft. 😉 >>> >>> I've included the last (?) version at the bottom of this e-mail, and >>> responded to your suggestions inline below. >>> >>> On 19/03/2024 10.24, Maarten Aertsen wrote: >>> >>> >> >>> >> * Those running public DNS resolver services, and >>> > >>> > Should we remove "public" here? >>> >>> Hm, good point! >>> >>> >> - Data Security: Since you are in control of the physical servers, >>> >> there is no risk of data leakage that can occur due to >>> >> vulnerabilities in multi-tenant virtualization platforms, >>> >> including CPU cache-based side-channel vulnerabilities. It could >>> >> be argued that attacks targeting such issues are rare, and their >>> >> impact on a DNS resolver service is low, but potential breaches >>> >> may have significant privacy impact. It is advised to evaluate >>> >> this against your organisation's risk model, or to discuss this >>> >> with your information security compliance experts. >>> > >>> > The ", or [..]" This feels a bit wordy; we don't suggest who to talk >>> to >>> > for all the other recommendations either. >>> >>> Makes sense. Discussing with experts is basically an option for >>> everything. 😄 >>> >>> >> #### Server capacity >>> >> >>> >> If using a model that is easy to scale (cloud based, or Kubernetes >>> >> based, or similar), then getting server capacity correct is largely a >>> > >>> > Given the earlier text about Kubernetes being 'similar' to cloud, "or >>> > Kubernetes based, " can probably be removed. >>> >>> I'm inclined to leave this in. I'd rather be explicit than implicit. >>> >>> >> >>> >> Since DNS is mostly UDP-based, it is often easy to generate large >>> >> amounts of spoofed traffic to and from DNS servers. DNS traffic is >>> >> small compared to application traffic (videos and other content), but >>> >> still significant. Authoritative server operators often build their >>> >> networks and servers to handle 10 times their normal load. Recursive >>> >> server operators may need to do the same, although the service only >>> > >>> > I would split this sentence, to read: >>> > >>> > server operators may need to do the same. When the service only >>> >>> Fair. >>> >>> >> accepts traffic from IP addresses that cannot be spoofed (for example >>> >> users within a network that operated by the same company) then this >>> > >>> > remove "then" >>> >>> Done. >>> >>> >> ### Resilience >>> >> >>> >> #### System Diversity >>> >> >>> >> In addition to the software considerations above, operators should >>> > >>> > Either change to "software **licensing** considerations", or start the >>> > sentence with Operators. After all, the previous part of the text is >>> not >>> > about software considerations, so current wording may be a bit >>> confusing >>> > to linear readers. >>> >>> Makes sense. I've started with Operators, no need to remind people of >>> the other considerations here. >>> >>> >> consider whether to use different server implementations to provide >>> > >>> > s/server/software/ ? >>> >>> Makes sense. >>> >>> >> In addition to the DNS-specific security considerations, normal >>> >> security best practices for any Internet service should be followed, >>> >> including updating software updated regularly, patching software as >>> >> soon as possible for any known security vulnerabilities, following >>> >> CERT announcements and so on. >>> > >>> > Perhaps CERT/CSIRT. Not super important. >>> >>> You led me down a short trip to the Wikipedia: >>> >>> https://en.wikipedia.org/wiki/Computer_emergency_response_team >>> >>> In spite of CMU's trademark on the term CERT (?!?!), I see way more CERT >>> in the national lists than CSIRT, so I'll stick with it. >>> >>> In a random note, the RIPE Database has an IRT object type rather than a >>> CERT or CSIRT object type, through some artifact of history. 😆 >>> >>> >> #### Certification >>> >> >>> >> It may be useful or required for an organization to follow specific >>> > >>> > s/follow/obtain/ ? >>> >>> In this case "follow" instead of "obtain" was deliberate. It might not >>> be necessary to actually go through the cost of getting certification in >>> order to get the benefits. But, since this section concludes mentioning >>> that business customers will look for them, "obtain" probably makes more >>> sense. >>> >>> >> certifications, such as ISO or ITIL. These can be government-defined >>> > >>> > Not sure if (unspecified) "ISO or ITIL" are the most relevant >>> examples. >>> > I would either remove or replace by say "ISO-IEC 27017, 27018 or SOC 2 >>> > Type 2", which all relate to services provided by an organisation, to >>> be >>> > relied on by users of that service. >>> >>> Replaced with "ISO or SOC 2 Type 2". >>> >>> >> QUESTION: Do we need to publish certificate in other ways that via the >>> >> DDR mechanisms? >>> > >>> > Should this remain in? >>> >>> Good point, removed! >>> >>> >> ### TTL-based Record Pre-Fetch >>> >> >>> >> **TTL record pre-fetch should be enabled when available.** >>> > >>> > I would remove "when available", seeing that the last sentence of the >>> > next paragraph already covers this. >>> >>> I'm leaving it in, since we use that exact phraseology elsewhere. >>> >>> >> ### DNS Error Reporting >>> >> >>> >> **DNS error reporting may be enabled.** >>> >> >>> >> For: All DNS resolver operators. >>> >> >>> >> DNS error reporting is a way for resolver operators to let >>> >> authoritative operators know about problems in authoritative servers >>> >> or zones. It provides little direct value for the resolver operators, >>> >> but over time should improve the overall quality of the DNS ecosystem. >>> >> It is neither widely deployed nor standardized, but hopefully will be >>> >> both soon. Resolver operators are encouraged to enable DNS error >>> > >>> > To me, 'may be' does not sound like much encouragement. Should this be >>> > 'should be' instead? The paragraph already explains that availability >>> is >>> > limited for the moment. >>> >>> I'm not sure we have enough operational experience to know if this is >>> actually a good idea. It may end up being spammy, or unintentionally >>> result in privacy leaks, or any other kinds of unpleasant side-effects. >>> I don't expect it, but I also don't feel comfortable recommending it >>> strongly. >>> >>> >> ## Privacy, Filtering, Transparency >>> > >>> > Reviewing this next part was a bit painful, because I was involved in >>> > writing it and yet I see quite a few places where I feel we should >>> > improve. After re-reading RFC8932 for the second time, I noticed quite >>> > some overlap where RFC8932 is more exhaustive, specific and >>> practicable. >>> > By creating overlap, I think we may be watering down our own advise. >>> > Below I go over all the items one by one, reference specific sections >>> to >>> > advocate for removal of any such overlap. >>> >>> Okay, thanks for the detailed re-reading. >>> >>> >> ### Privacy & anonymity >>> >> >>> >> Operators are advised to apply >>> > >>> > DNS resolver operators >>> >>> Yes. >>> >>> >> [RFC8932](https://www.rfc-editor.org/rfc/rfc8932.html) >>> >> >>> >> "Recommendations for DNS Privacy Service Operators" as follows: >>> >> >>> >> 1. its operational and policy guidance related to DNS encrypted >>> >> transports and data handling, by applying all "Threat mitigations" >>> >> (thereby by meeting its level of "minimally compliant") and >>> >> additionally by applying the "Optimizations" on EDNS Client Subnet >>> >> listed in section 5.3.1. >>> >> >>> >> 2. its framework on a Recursive operator Privacy Statement, by >>> >> publishing a privacy statement on their website that is compliant >>> >> with Section 6. >>> > >>> > I suggest we strengthen this sentence a bit, then remove duplicates in >>> > the next section: >>> > >>> > s/that is compliant with/covers all topics in/ >>> >>> Makes sense. >>> >>> >> #### Logging considerations >>> >> >>> >> 1. Public privacy policy: DNS resolvers are recommended to publish >>> >> their privacy policies transparently on their website. It can be a >>> >> brief privacy commitment as well or be more elaborate on how the >>> >> privacy policy was made. (See for example >>> >> [Cloudflare's >>> >> statement]( >>> https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver) >>> >> or [Quad9's privacy page](https://www.quad9.net/service/privacy/).) >>> >> >>> >> Such policies should explicitly mention the sampling rate of DNS >>> >> queries/responses that are kept, and whether these are anonymized. >>> > >>> > This is fully covered by the reference to RFC8932, Section 6. I >>> suggest >>> > we remove this text. >>> >>> Okay, that makes some sense. I kept the examples from Cloudflare and >>> Quad9, but moved them at the end of the previous section. >>> >>> >> 2. Third party access to personal data: it seems that the only >>> >> critical personal data that DNS resolvers collect are IP addresses >>> >> and the queries that are resolved. The other meta data collected >>> >> can be used to have an understanding of for example which user >>> >> accessed which website which can reveal information about a >>> >> person’s health, lifestyle and other personal preferences (we call >>> >> this profiling). For example, resolving the website for alcoholics >>> >> anonymous may tell you something about the health of a person >>> >> behind an IP address. IP addresses are personally identifiable >>> >> information. Follow the applicable privacy laws or privacy >>> >> principles when receiving third party requests to access. >>> > >>> >> Resolvers >>> >> should only comply with such requests when balancing legitimate >>> >> third party interest with other fundamental rights. >>> > >>> > This goes beyond RFC8932, Section 5.3.3 and Section 6.1.1 item 2 and >>> may >>> > therefore be worth keeping. >>> > >>> > I suggest re-ordering this paragraph a bit to start with the advice. >>> The >>> > following is an attempt to reorder: >>> > >>> > Resolver operators may receive third party requests for information >>> they >>> > have logged that relates to users, including IP addresses, queries and >>> > meta data. Resolvers should only comply with such requests when >>> > balancing legitimate third party interest with the user's fundamental >>> > rights, including rights to privacy. Usage information can be personal >>> > data, PII or similarly regulated under the privacy laws applicable to >>> > the users, operator or third party, revealing a person's health, >>> > lifestyle or other personal preferences (profiling). For example, >>> > logging information that documents a user resolving a website for >>> > alcoholics anonymous may relate to the health of a person behind an IP >>> > address. >>> >>> Makes sense, I've included this text. >>> >>> >> 3. Access to data for researchers: how it is done, who has access and >>> >> who can request access, how the resolver makes a decision to give >>> >> access (validated and credible researchers, what they can access >>> >> and other issues) >>> > >>> > Covered in RFC8932, Section 5.3.3. Suggest removal. >>> >>> Removed. >>> >>> >> 4. Data minimization: do not collect personal information not needed >>> >> for critical operations. Only retain or use what is being asked >>> >> (the query). If collecting data to make the service more private >>> >> and secure, explain the rationale for each piece of data (data >>> >> collection purpose) >>> > >>> > Covered in RFC8932 section 5.2.1 and section 5.2.2. Suggest removal. >>> >>> Removed. >>> >>> >> 5. Encryption: If data is encrypted, explain how it has been encrypted >>> >> (DoH, DoT, or so on). >>> > >>> > Covered in RFC8932, Section 6.1.2, item 2. Suggest removal. >>> >>> Removed. >>> >>> >> 6. Data security and retention: when to delete the data and how it is >>> >> stored >>> > >>> > Data retention is covered in RFC8932 section 5.2.1 and section 5.2.2. >>> > Section 5.2.1, last bullit under mitigations sets a security goal >>> > relating to data access, though the word security is not used (it is >>> the >>> > scope of the entire document). >>> > >>> > Suggest removal. Alternatively, abstract to a level higher than >>> RFC8932 >>> > by stating something like the following (with limited operational >>> value): >>> > >>> > 2. Data security: DNS Resolver operators should take appropriate >>> > technical and organisational measures to protect logging information >>> > that relates to users. >>> >>> I've included this higher-level recommendation. >>> >>> >> **Legal requests and blocking and filtering laws:** DNS resolvers >>> > >>> > operators >>> >>> Updated. >>> >>> >> should not filter content and block access to web-services. When the >>> >> local law requires blocking, and the law applies to the resolver, the >>> >> resolver should transparently disclose a list of blocked websites and >>> >> services, when possible (disclosing such a list may not be allowed by >>> >> law or regulation). Similarly, the resolver should disclose the source >>> >> of such block lists, when possible. >>> >> >>> >> If it is not possible to disclose the source of blocklists, operators >>> >> should try to be as transparent as possible about how they receive >>> >> those blocklists, based on what criteria, and how they mitigate errors >>> >> and false positives. Disclosing which organizations operators interact >>> >> with, how they liase, and so on, can help users understand the impact >>> >> on the service provided. >>> >> >>> >> If possible, resolvers should provide information about blocked >>> >> responses via the Extended DNS Error with the Blocked, Censored, >>> >> Filtered, or Prohibited code - whichever applies best - along with a >>> >> text why the response was blocked, censored, filtered, or prohibited. >>> >> >>> >> [RFC 8914](https://www.rfc-editor.org/rfc/rfc8914.html#section-4.16) >>> >> provides information about the meanings of the different codes. >>> > >>> > I like these paragraphs, but they are also covered by RFC8932, section >>> > 6.1.1 item 6 (result filtering), which we already advise to apply. >>> > As an example of where that section is stronger, it does not feature >>> > 'when possible' escape hatches. >>> > >>> > I'm not sure what to do here. At a minimum, I believe we should make a >>> > reference to that content and substantiate why we feel it is worth >>> > repeating here (while not the other topics of RFC8932). >>> >>> Interesting. The "when possible" language was added in recognition that >>> there may be legal or other barriers preventing such transparency. >>> >>> Also, RFC 8932 6.1.1 just talks about documentation... our text here >>> actually recommends not filtering, which RFC 8932 does not do. >>> >>> RFC 8932 also doesn't reference RFC 8914, which makes sense since they >>> came out very near to each other. >>> >>> So... I understand the concern about re-specifying things, but I'm >>> actually happy to let this text stand. >>> >>> >> **Community governance of blocklists:** blocklists, if mandatory, have >>> >> to be audited and assessed by third parties and there should be a >>> >> right to appeal for those blocked. The Internet community can vet the >>> >> blocklists from time to time to avoid blocking access to websites that >>> >> are mistakenly blocked. During crisis - when mistakes can have drastic >>> >> effects on accessing a critical service - preferably filtering and >>> >> blocking should not be used. >>> > >>> > This is not covered by 8932, so relevant to keep. >>> >>> 👍 >>> >>> >> ### Transparency >>> > >>> > Suggest leading with the advice: >>> > >>> > Public DNS resolver operators should publish transparency reports to >>> > build user trust in their adherence to policies and practices. This >>> goes >>> > beyond our advise to apply RFC8932, section 6.2. >>> >>> Makes sense. Updated. >>> >>> >> DNS resolvers usually provide transparency reports once a year. The >>> > >>> > Suggest to replace with: >>> > >>> > A common frequency is once a year. The >>> >>> Done. >>> >>> >> #### Voluntary certificates and standards >>> >> >>> >> Some DNS resolvers opt for obtaining certificates in security and >>> >> privacy. Some also undertake audits on their privacy practices. See >>> >> for example: >>> https://www.cloudflare.com/trust-hub/compliance-resources/ >>> > >>> > Suggest removing this; certification is already covered under ### >>> > Resilience above. Should the group feel that this is the most >>> > appropriate place, I suggest moving that section to replace the one >>> here. >>> >>> Good point. I added a bit of text mentioning audits or reports, and >>> include the link as an example there. >>> >>> >> #### Human rights considerations >>> >> >>> >> DNS resolvers can opt for declaring their understanding of their >>> >> responsibilities regarding human rights from the Universal Declaration >>> >> of Human Rights. Specifically, Quad9 mentions rights to freedoms >>> > >>> > s/Specifically/As an example of a public DNS resolver operator/ >>> >>> Make sense, updated. >>> >>> -- >>> Shane >>> >>> # DNS Resolver Recommendations >>> >>> About the DNS Resolver Best Common Practice Task Force >>> >>> >>> https://www.ripe.net/participate/ripe/tf/dns-resolver-best-common-practice-task-force >>> >>> ## Terminology >>> >>> * Open Resolver: A DNS resolver that accepts queries from any client. >>> Often the result of misconfiguration. >>> >>> * Public Resolver: A resolver intentionally configured to be an open >>> resolver. >>> >>> ## Introduction >>> >>> ### What Is This Document? Who Is It For? >>> >>> This document presents recommendations and best current practices for >>> operating DNS resolvers, both public and non-public ones. It covers >>> technical aspects of operations and provides best practice >>> recommendations for data management, with a particular focus on user >>> privacy, security, and resilience. >>> >>> The document serves as guidance for the wider Internet community, >>> offering input to: >>> >>> * Those running DNS resolver services, and >>> * Those who want to make informed choices between such services. >>> >>> Its purpose is to provide clear guidance and promote effective >>> practices in DNS resolver operation. >>> >>> The intended audience is not the entire DNS community. Advice here is >>> probably not useful for operators of authoritative servers, domain >>> registrars, and so on. It is also not meant to be an introductory or >>> educational document. There are many documents which cover the basics >>> of DNS and the roles of organizations in it; a good overview is: >>> >>> Addressing the challenges of modern DNS - a comprehensive tutorial >>> by van der Toorn et al. >>> >>> >>> https://ris.utwente.nl/ws/files/282427879/1_s2.0_S1574013722000132_main.pdf >>> >>> The document does not consider how to measure adherence to these >>> recommendations. So it is not intended to be used for certification, >>> although certification created based on the principles here is >>> possible. >>> >>> ### How Is This Document Organized? >>> >>> This document has a number of sections, and specific recommendations >>> in each section. The intent is for each recommendations to have clear >>> guidance at the top, and then background and discussion related to the >>> recommendation afterwards. Each recommendation indicates whether it is >>> mostly for operators of public resolvers or for operators of any >>> resolver. >>> >>> ### About Recomendation Text >>> >>> This is not a standards document, and does not propose any way to >>> measure compliance or interoperability. It does use words like >>> "should" or "may be" throughout. These are meant to be interpreted in >>> the usual English sense, and not as IETF-style RFC 2119 jargon. >>> >>> ## System and Network Hardening >>> >>> ### Infrastructure considerations >>> >>> Running any Internet service requires attention to the infrastructure >>> used to operate it. This section discusses various approaches that can >>> be used to run a DNS resolver. Everything applies to both public and >>> non-public DNS resolvers. >>> >>> #### Bare metal or public cloud >>> >>> All DNS resolver software can run either on dedicated servers (rented >>> or colocated), or in virtualized clouds, or in a combination of those. >>> Every approach has pros and cons. Most of these are not specific to >>> running DNS resolvers, however, some of them are. >>> >>> **Running DNS resolver instances as OS level daemons on bare metal >>> hosts:** >>> >>> Pros: >>> >>> - Performance: Bare metal servers have direct access to the >>> underlying hardware, and can offer superior performance/cost >>> balance by avoiding the overhead associated with virtualization. >>> Moreover, you have full control over the server's configurations, >>> down to the hardware level, which can be beneficial for >>> performance and cost optimization once you get the understanding >>> of your typical work load during peak hours. >>> >>> - Data Security: Since you are in control of the physical servers, >>> there is no risk of data leakage that can occur due to >>> vulnerabilities in multi-tenant virtualization platforms, >>> including CPU cache-based side-channel vulnerabilities. It could >>> be argued that attacks targeting such issues are rare, and their >>> impact on a DNS resolver service is low, but potential breaches >>> may have significant privacy impact. It is advised to evaluate >>> this against your organisation's risk model. >>> >>> - Predictability: Because there is no virtualization layer and no >>> "noisy neighbours" on the host, the performance of your servers is >>> more predictable. >>> >>> Cons: >>> >>> - Cost of failure: If you pick hardware configuration that is not >>> optimal for the workload of your DNS resolver, you may need to >>> upgrade and replace hardware components afterwards. Ways to reduce >>> this risk include renting servers instead of buying them, carrying >>> load testing with data similar to production workloads, and >>> providing limited beta access to the service before it fully >>> enters the production phase. >>> >>> - Scalability: Scaling up with physical servers means acquiring or >>> renting, installing, and configuring new hardware, which will take >>> more time than provisioning new virtual servers in a cloud >>> environment. Moreover, most cloud environments will provide you >>> with cluster autoscaling features, which could barely be achieved >>> in bare metal. >>> >>> - Maintenance: You will be responsible for all server maintenance >>> tasks, including hardware issues, which can require significant >>> effort and specific expertise. >>> >>> - Redundancy: Setting up high availability and disaster recovery >>> strategies can be more complex and time consuming compared to the >>> cloud, where these features are often provided as value added >>> products. See the Redundancy section for more details. >>> >>> **Running DNS resolver instances in containers in a public cloud:** >>> >>> Pros: >>> >>> - Scalability: Clouds excel at scaling applications. You can scale >>> up and down rapidly based on load, which is important for a DNS >>> resolver that needs to handle variable query loads. In case of >>> regional or geographically distributed resolvers, in every region >>> where the resolver would be deployed, daily periodicity is likely >>> to be observed, for example peak hour is likely to occur around >>> 19:00 local time, and off-peak hours may begin at around >>> 01:00-03:00. In a situation like that, using cluster autoscaling >>> features and tools, you can run less instances in the night and >>> more instances throughout the day, which may help to optimize your >>> cloud hosting costs. >>> >>> - Fault Tolerance and High Availability: Most clouds have built-in >>> strategies, features, and products for handling node failures, >>> which can increase your service's availability. >>> >>> - Deployment and Management: Cloud providers offer built-in methods >>> to deploy and manage applications, which can simplify operations >>> and reduce the likelihood of human errors if your infrastructure >>> management department is already familiar with these tools. >>> >>> - Cost: While this largely depends on your specific usage, cloud >>> services can sometimes be more cost-effective than managing your >>> own physical servers, especially when you consider the total cost >>> of ownership, including power, cooling, and maintenance. >>> >>> Cons: >>> >>> - Performance: The virtualization layer of public clouds can impact >>> performance. While this certainly could be mitigated through >>> scaling the number of virtual hosts, the cost would also increase >>> accordingly. >>> >>> - Complexity: Advanced cloud technologies are complex systems which >>> come with a steep learning curve. Without prior experience, >>> properly configuring and managing a cloud-based compute cluster >>> can be challenging. >>> >>> - Cost Variability: While the cloud can be cheaper, it can also be >>> more expensive if not properly managed. Costs can rise >>> unexpectedly based on traffic. Make sure to always set some limits >>> on how much may be spent on hosting in the cloud control panel, >>> and to set up notifications to be sent to you when these >>> thresholds are about to be triggered. >>> >>> - Multi-tenancy Risks: In a public cloud environment, the "noisy >>> neighbour" problem could potentially affect your service's >>> performance. Additionally, even though cloud providers take steps >>> to isolate tenant environments, vulnerabilities could potentially >>> expose sensitive data (see the previous section for a detailed >>> explanation). >>> >>> **Additional considerations** >>> >>> - In today's environments, Kubernetes and Terraform are sometimes >>> used as a substitute for cloud APIs when it comes to production >>> services' management. When running a DNS resolver in a Kubernetes >>> cluster on top of a public cloud environment, all the pros and >>> cons of the public cloud apply; basically, Kubernetes becomes your >>> public cloud provider. If you have significant prior experience >>> running services in Kubernetes in production, you may successfully >>> replicate your experience with the DNS resolver software. >>> Otherwise, we would advise against Kubernetes in this case. >>> >>> - The only reason we may find to run a DNS resolver in a Kubernetes >>> cluster on top of self-hosted dedicated servers is when you have >>> significant hands-on experience with Kubernetes and it is natural >>> for you to manage applications this way. Otherwise, running DNS >>> resolver daemons in containers brings little, if any, benefit. >>> Autoscaling features are not available to you in this case, and >>> neither horizontal nor vertical pod autoscaling is of any use, >>> because DNS resolver software typically scales in-host by itself >>> just fine. >>> >>> - When designing a cluster of resolvers for autoscaling, keep in >>> mind that newly spawned resolver machines would need to populate >>> resolver cache first before they are fully useful. Your DNS >>> resolver software may provide cache replication mechanisms. >>> Otherwise, it is safe to overprovision clusters somewhat under >>> heavy load, and discarding excessive instances once all the caches >>> are populated and the average load of a compute instance >>> decreases. In addition, it may be worthwhile to consider sharing >>> cache data between instances. >>> >>> - It is always advised to prefer environments your infrastructure >>> management team is familiar with. >>> >>> ### Software considerations >>> >>> #### Open Source >>> >>> **Recommendation**: Choose any well-maintained DNS software you are >>> comfortable using. Regardless of which software you choose, ensure you >>> have somewhere to go for support. In the case of open source software, >>> consider providing financial support to ensure continued development. >>> Some open source maintainers take donations, while others offer >>> support contracts. >>> >>> There are both open source and proprietary implementations of DNS >>> resolver software. Mixing these is also possible, for example, by >>> using proprietary extensions with open source software or deploying >>> open source software modified in-house. >>> >>> General observations: >>> - Software licensing is orthogonal to software security. Neither is >>> proprietary software less secure on principle nor are >>> contributions by "unknown" developers more of a risk in open >>> source. >>> >>> Benefits of open source: >>> - Open source allows for inspection, independent auditing, and >>> troubleshooting. >>> - Open source can avoid vendor lock-in. >>> - Open source can aid internet standards development. >>> Widely-deployed open source implementations allow proponents of >>> standards drafts to contribute proof of concept implementations >>> without permission or cooperation of vendors. >>> >>> Drawbacks of open source >>> - Both open source and proprietary software require skilled >>> maintenance, which has costs. Proprietary licensed software or >>> appliances typically come with license fees to cover these. In >>> contrast, open source licenses decouple usage by operators from >>> monetary compensation to developers. It is up to operators to >>> consider the financial sustainability of continued maintenance of >>> the open source DNS software they depend upon. >>> >>> Please also consider deploying different software implementations to >>> ensure diversity, as discussed in the diversity section below. >>> >>> ### Networking considerations >>> >>> #### IPv4 and IPv6 >>> >>> **If available, both IPv4 and IPv6 must be deployed.** >>> >>> Large parts of the authoritative DNS are only accessible via IPv4, so >>> the resolver must be able to originate IPv4 queries. Authoritative DNS >>> that is only accessible via IPv6 is very rare. >>> >>> Depending on the connectivity of clients, a resolver may be IPv4-only, >>> IPv6-only, or support IPv4 and IPv6. >>> >>> #### Addressing >>> >>> **Using multiple IP addresses for the service address should be >>> considered.** >>> >>> Using 2 or more IPv4 addresses and 2 or more IPv6 addresses from >>> different RIR will allow resilience in failure at an RIR, either >>> governance, security, or technical. Note that support for multiple >>> addresses for recursive resolvers varies and some clients perform >>> poorly if any address does not respond normally. >>> >>> There is no need to pick an IPv4 address with all octets the same, >>> like 2.2.2.2 or 11.11.11.11. >>> >>> **Publishing a list of back-end addresses used for resolving should be >>> considered.** >>> >>> Publishing a list of back-end addresses used for resolving can be >>> useful for other network & DNS operators (for example, geo-IP >>> location, making sure data is getting to correct places, and so on). >>> >>> #### High Availability >>> >>> This can be considered in terms of local and global scope. >>> >>> ##### Local scope >>> >>> Inside a single location/region, such as an office, campus, or small >>> ISP network, the main availability concern is that a resolver is >>> always reachable. Client systems can be configured with multiple >>> resolver addresses, but the failover behaviour of stub resolvers to a >>> second address can be painful. Ideally the primary address is highly >>> available and such fallback rarely required. How much effort is put >>> into ensuring this is true should probably scale in line with the >>> number of users, or sensitivity of the clients using that resolver to >>> delayed resolution. >>> >>> There are several ways to promote high availability of an individual >>> resolver address, such as dedicated load balancing equipment, or >>> network techniques like VRRP, or IP anycast. These generally have in >>> common a pool of recursive servers and the means to direct queries to >>> them when a health check has determined them to be capable of >>> answering those queries. >>> >>> Dedicated free or commercially produced, hardware or software load >>> balancing solutions are available. These typically own the resolver IP >>> address and forward queries to the currently available instances of a >>> pool of recursive servers. >>> >>> VRRP enables a technique to make the resolver IP address available on >>> multiple servers, often used to provide automatic failover between >>> two. A pool of recursive servers using this technique must reside in >>> the same broadcast domain. >>> >>> IP anycast in the local scope typically involves a pool of recursive >>> servers advertising a route to a shared resolver IP address into a >>> routing protocol. This can be configured in failover or load-sharing >>> configurations. A load sharing configuration typically requires >>> network equipment able to balance traffic to a destination over equal >>> cost paths (ECMP). A pool of recursive servers using this technique >>> can be distributed in different parts of the network. >>> >>> ##### Global scope >>> >>> The same concerns as for local service availability are present in the >>> global scope, with the added issue that DNS resolution over long >>> distances may be slow. Practically speaking, only multiple resolver >>> addresses, or IP anycast are useful strategies here. The motivations >>> for finding better failover solutions than multiple resolver addresses >>> have been covered above. >>> >>> IP anycast in the global scope means routing the same IP prefix to >>> more than one location. This can provide effective solutions for >>> failover and, when optimally configured for routing client queries to >>> the topologically least distant recursive server location. IP anycast >>> in the global scope requires the use of globally routable prefixes. If >>> a separate prefix is to be used for anycasting, usually this means a >>> /24 in IPv4 and a /48 in IPv6, as those are the smallest sizes that >>> will be widely propagated in BGP. A common practice is to use a >>> covering prefix (/23 in IPv4 or /47 in IPv6) for fallback, and a >>> more-specific prefix (/24 or /48) for the traffic. The more-specific >>> prefix can then be withdrawn to send traffic to a backup site; this >>> will happen automatically if the site is disconnected from routing. >>> >>> [RFC7094](https://www.rfc-editor.org/rfc/rfc7094.html) discusses >>> anycast architecture in detail, including references to various other >>> RFC which discuss anycast in general and to DNS in particular. >>> >>> [RFC4786](https://datatracker.ietf.org/doc/html/rfc4786) discuses >>> operation of anycast services. >>> >>> ##### Generally >>> >>> Operators of a globally scoped recursive service are encouraged to >>> also adopt the local scope recommendations in each of the locations >>> where the service is provisioned. >>> >>> Though the above deals with the shortcomings of reliance on stub >>> resolver failover between a list of addresses those recommendations >>> shouldn’t be seen as an exclusive alternative. Multiple resolver >>> addresses, where each is provisioned using differing failover >>> strategies, can provide a resolver of last resort and further improved >>> resilience. >>> >>> #### Ingress Filtering >>> >>> **Ingress Filtering to follow BCP 38 should be deployed.** >>> >>> DNS normally uses UDP traffic, which makes it a common vector of both >>> [reflection](https://en.wikipedia.org/wiki/Reflection_attack) and >>> [amplification]( >>> https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks >>> ) >>> attacks. To minimize the amount of spoofed traffic that a resolver >>> responds to, the network should be configured as recommended in >>> [BCP 38](https://www.rfc-editor.org/rfc/rfc2827.html). >>> >>> #### RPKI Sign Advertised Routes >>> >>> **Route Advertisements should be signed using RPKI** >>> >>> Using RPKI to sign any route advertisements - either toward >>> authoritative servers or toward DNS clients - is straightforward to do >>> and will reduce the impact of BGP misconfigurations and some BGP >>> hijacking attempts. >>> >>> RPKI validation is also possible, although the effort is greater. It >>> is possible that the hosting provider or the transit provider for your >>> service validates BGP; asking and making this part of your selection >>> criteria is reasonable. >>> >>> #### (D)DoS measures >>> >>> Denial-of-Service (DoS) attacks, both distributed (DDoS) and not are a >>> threat to any Internet service. Network operators for a service >>> providing any DNS service must be prepared for large amounts of attack >>> traffic. >>> >>> In addition to attacks on the service itself, a resolver may be used >>> both as an attack reflector and as an attack amplifier. >>> >>> Active monitoring of network and service usage, careful logging, and a >>> security team that is able to respond to problem reports is necessary. >>> Mitigation techniques will include filtering or rate-limiting traffic, >>> both on the authoritative and client side of the resolver. >>> >>> ### Capacity planning >>> >>> #### Server capacity >>> >>> If using a model that is easy to scale (cloud based, or Kubernetes >>> based, or similar), then getting server capacity correct is largely a >>> question of budgeting. If using a less-flexible model (bare metal for >>> example), then under-estimating will mean problems delivering service. >>> >>> Hardware performance varies widely, as does operating system and >>> resolver performance. Some lab testing will be necessary to estimate >>> the number of systems needed. >>> >>> #### Network capacity >>> >>> Since DNS is mostly UDP-based, it is often easy to generate large >>> amounts of spoofed traffic to and from DNS servers. DNS traffic is >>> small compared to application traffic (videos and other content), but >>> still significant. Authoritative server operators often build their >>> networks and servers to handle 10 times their normal load. Recursive >>> server operators may need to do the same. When the service only >>> accepts traffic from IP addresses that cannot be spoofed (for example >>> users within a network that operated by the same company) this can be >>> reduced, for example to 3 times normal load. To estimate expected >>> load, the best approach is to examine historical usage for the actual >>> expected users of the system. >>> >>> ### Resilience >>> >>> #### System Diversity >>> >>> Operators should consider whether to use different software >>> implementations to provide service. This allows continued operation if >>> a critical vulnerability is found in one implementation, by shifting >>> traffic to other implementations. >>> >>> Placing resolvers and control systems in different physical locations >>> will allow continued operation in the event of a disaster or other >>> problem that impacts a single location. In addition, ensuring diverse >>> connectivity to other networks will prevent single points of failure >>> on the network side. Ensuring network diversity may take some care, as >>> it is not always obvious what fate is shared between any given path; >>> this may be physical, virtual, or organizational, and my sometimes be >>> hidden. >>> >>> #### Security >>> >>> In addition to the DNS-specific security considerations, normal >>> security best practices for any Internet service should be followed, >>> including updating software updated regularly, patching software as >>> soon as possible for any known security vulnerabilities, following >>> CERT announcements and so on. >>> >>> #### Certification >>> >>> It may be useful or required for an organization to obtain specific >>> certifications, such as ISO or SOC 2 Type 2. These can be >>> government-defined or industry-defined. For end users there is >>> typically not much direct value, but business customers will often >>> look for services that are operated by organizations meeting such >>> standards. Audits or other reports about this may be published, see >>> for example: >>> https://www.cloudflare.com/trust-hub/compliance-resources/ >>> >>> ## DNS configuration knobs >>> >>> The DNS is an old protocol that has a lot of settings that can be >>> tweaked. This section reviews these and provides recommendations on >>> which should be used for a resolver. >>> >>> ### DNSSEC validation >>> >>> **DNSSEC validation should be enabled.** >>> >>> For: All DNS resolver operators. >>> >>> DNSSEC validation is the best way to ensure that the answers from the >>> owner of domain name being queried are returned. >>> >>> The root KSK must be updated when it changes. While >>> [RFC5011](https://www.rfc-editor.org/rfc/rfc5011.html) defines an >>> automated way to do this, a resolver operator will probably either >>> manage this trust anchor directly or have it updated via OS updates. >>> >>> [RFC9364](https://www.rfc-editor.org/rfc/rfc9364.html) provides a lot >>> of useful information, and links to further documents about DNSSEC. >>> However, operators usually do not need to know the details, and can >>> simply ensure that DNSSEC validation is enabled in their software. >>> >>> Resolver software that does not support DNSSEC validation should be >>> avoided. >>> >>> ### DNS Transport Protocols >>> >>> **UDP and TCP must be supported.** >>> >>> For: All DNS resolver operators. >>> >>> UDP is what most clients use, and TCP is necessary for DNS answers >>> that are too large for a single UDP packet. >>> >>> [RFC7766](https://www.rfc-editor.org/rfc/rfc7766.html) explains why >>> TCP is necessary in more detail. >>> >>> ### Packet Fragmentation Avoidance >>> >>> **Servers should be configured to avoid fragmentation.** >>> >>> For: ALL DNS resolver operators. >>> >>> Packet fragmentation can cause issues with DNS over UDP, especially >>> over IPv6. These issues can be minimized by choosing implementations >>> that set IP options to avoid this, and by taking care with EDNS0 >>> message sizes. >>> >>> Recommendations are available in >>> [draft-ietf-dnsop-avoid-fragmentation]( >>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/). >>> >>> ### Encrypted DNS >>> >>> **At least one of DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), and >>> DNS-over-QUIC (DoQ) should be supported.** >>> >>> For: All DNS resolver operators. >>> >>> DoT, DoH, and DoQ are different technologies that all provide an >>> encrypted channel between the resolver and the authoritative server. >>> DoT is the oldest, and provides encrypted DNS using TLS. DoH uses HTTP >>> over TLS as a way to transmit queries and answers, and is widely >>> supported by web browsers. DoQ is the newest, and provides advanced >>> features such as separate streams for each query, avoiding the "head >>> of line" blocking problem common with all protocols layered on top of >>> TCP (such as DoT and DoH). >>> >>> - DoT >>> - [RFC7858](https://www.rfc-editor.org/rfc/rfc7858.html) >>> - DoH >>> - [RFC8484](https://www.rfc-editor.org/rfc/rfc8484.html) >>> - DoQ >>> - [RFC9250](https://www.rfc-editor.org/rfc/rfc9250.html) >>> >>> **Discovery of DNS Designated Resolvers** >>> >>> There are new mechanisms that allow DNS clients to use DNS records to >>> discover encrypted DNS configurations. Resolvers should publish DNS >>> records to assist clients finding encrypted resolvers. >>> >>> - Discovery of Designated Resolvers >>> - [RFC9462](https://www.rfc-editor.org/rfc/rfc9462.html) >>> >>> ### QNAME Minimization >>> >>> **QNAME minimization should be enabled.** >>> >>> For: All DNS resolver operators. >>> >>> Using QNAME minimization, a resolver does not send the full name that >>> it is trying to resolver to authoritative servers higher in the DNS >>> hierarchy. So, for example, when querying "atlas.ripe.net" the servers >>> for ".net" would only be asked for "ripe.net". This improves privacy >>> for the end user querying the name. >>> >>> [RFC7816](https://www.rfc-editor.org/rfc/rfc7816.html) covers QNAME >>> minimization. >>> >>> ### Aggressive NSEC caching >>> >>> **Aggressive NSEC caching may be enabled.** >>> >>> For: Public resolver operators. >>> >>> "Aggressive NSEC caching", meaning negative caching based on NSEC and >>> NSEC3 values, can reduce traffic greatly. It is important to protect >>> against random subdomain attacks. >>> >>> This style of caching takes advantage of the way that NSEC and NSEC3 >>> records cover a range of names in a zone. A resolver can know that a >>> query falls within such a range without sending any further queries, >>> by remembering the NSEC or NSEC3 redords that is has seen as answers >>> to earlier queries. >>> >>> Aggressive NSEC caching is almost always a good idea. However enabling >>> this is less important for DNS resolver operators who have a close >>> relationship with users, since they can stop attacks by blocking users >>> or otherwise directly dealing with the source of abusive queries. >>> >>> [RFC8189](https://www.rfc-editor.org/rfc/rfc8189.html) describes >>> negative caching in detail. >>> >>> ### ANY Queries >>> >>> **ANY queries responses should be limited.*** >>> >>> For: All resolver operators. >>> >>> Public or large-scale resolvers should be exceptionally careful with >>> queries of type ANY, which return all all records at a given name. If >>> a resolver replies with all of the records cached for a given type, >>> the response can be much larger than for a single record type. Strict >>> limits should be enforced on volumes of such queries to prevent >>> amplification abuse, or truncation should be applied to prevent >>> spoofed redirections. >>> >>> [RFC8482](https://www.rfc-editor.org/rfc/rfc8482.html) describes >>> several approaches to limiting ANY responses. >>> >>> ### Local Root >>> >>> **Local root should be used.** >>> >>> For: Public resolver operators. >>> >>> Running a local root has several benefits, but it is an additional >>> component to maintain. For public resolver operators this is >>> definitely worth the cost, but other resolver operators may choose to >>> simply send all queries to the well-distributed root name servers. >>> >>> [RFC8806](https://www.rfc-editor.org/rfc/rfc8806.html) describes local >>> root, including several example configurations. >>> >>> In the future it will be possible to use ZONEMD to validate the copy >>> of the root zone obtained before using it. This is currently available >>> for the root zone. >>> >>> [RFC8976](https://www.rfc-editor.org/rfc/rfc8976.html) describes ZONEMD. >>> >>> ### DNS Cookies >>> >>> **Interoperable DNS Cookies may be supported.** >>> >>> For: Public resolver operators. >>> >>> DNS cookies provide some improved security over plain UDP, and are >>> designed to be more lightweight than TCP. If more than one server is >>> responding for a given IP address, then the Server Secret must be >>> shared by all servers, and the answer must be constructed in a >>> consistent manner by all server implementations. >>> >>> Since client-side support for DNS cookies is not very widespread, and >>> since managing server-side secrets involves some work, the costs may >>> outweigh the benefits for some non-public resolver operators. >>> >>> [RFC7873](https://www.rfc-editor.org/rfc/rfc7873.html) describes DNS >>> cookies, and [RFC9018](https://www.rfc-editor.org/rfc/rfc9018.html) >>> standardizes shared DNS cookies. >>> >>> ### TTL Recommendations >>> >>> **TTL limits may be adjusted.** >>> >>> For: All DNS resolver operators. >>> >>> Software typically defaults to a maximum stored TTL of 1 or 2 days. >>> A lower TTL will mean removing rarely-used records that have long TTL, >>> and should not have much operational impact from a CPU or network >>> point of view. >>> >>> It is possible to set a minimum TTL in many implementations. This is a >>> violation of the DNS protocol, although may be useful to reduce load >>> from records with very low TTL (less than 5 seconds). >>> >>> Note that software may set different maximum and minimum TTL >>> independent of the results that the resolver returns. That may have a >>> significant impact on queries as well, but resolver operators cannot >>> influence that. >>> >>> ### TTL-based Record Pre-Fetch >>> >>> **TTL record pre-fetch should be enabled when available.** >>> >>> For: All DNS resolver operators. >>> >>> Some resolvers have the ability to look up a record before it has >>> expired from cache, in order to refresh the value and extend the TTL. >>> This way there is never a time when the records are missing from the >>> cache. This is not currently standardized, but a form of this was >>> proposed in the IETF as >>> [DNS >>> Hammer]( >>> https://datatracker.ietf.org/doc/html/draft-wkumari-dnsop-hammer-03). >>> We recommend turning this feature on if available. >>> >>> ### EDNS Client Subnet (ECS) >>> >>> **ECS may be enabled.** >>> >>> For: All DNS resolver operators. >>> >>> EDNS Client Subnet (ECS) allows the resolver to include information >>> about the IP address of the client querying it when sending messages >>> to authoritative servers. This may allow authoritative servers to >>> provide different answers which are more appropriate for the client. >>> However, ECS will increase the amount of cache space required by >>> resolvers, may reduce DNS performance, and may have privacy >>> implications. >>> >>> A resolver operator that has clients that are limited to a specific >>> region may see no benefit. A resolver operator that has a widely >>> distributed anycast network may not have much benefit from ECS, since >>> the locations that initiate the query will be close to the client. But >>> a resolver operator that answers client queries only from a few >>> locations, and expects clients to come from a wide area, may provide >>> better service for end-users by supporting ECS. >>> >>> EDNS client subnet is described in >>> [RFC7871](https://www.rfc-editor.org/rfc/rfc7871.html), an >>> informational RFC. >>> >>> ### Extended DNS Errors >>> >>> **Extended DNS errors should be enabled.** >>> >>> For: All DNS resolver operators. >>> >>> DNS traditionally provides very broad error reporting, SERVFAIL being >>> the most common. This makes diagnosing and fixing problems difficult. >>> Extended DNS errors provide extra information about failures, for >>> example expired DNSSEC signatures. They also allow resolver operators >>> to report administrative reasons for DNS failures, such as blocks due >>> to legal requirements. >>> >>> [RFC8914](https://www.rfc-editor.org/rfc/rfc8914.html) defines >>> extended DNS errors. >>> >>> ### Negative Trust Anchors >>> >>> **Negative trust anchors may be deployed.** >>> >>> For: All DNS resolver operators. >>> >>> Negative trust anchors (NTA) allow a resolver operator to handle a >>> case where an authoritative server has a DNSSEC problem and becomes >>> inaccessible. They basically disable DNSSEC checking for a domain. >>> When this is warranted is difficult to know with certainty, and will >>> usually requires some manual checking. Since DNSSEC validation is now >>> widespread, DNSSEC failures on the authoritative side will impact many >>> resolvers. >>> >>> Because of these reasons this document does not recommend NTA, but >>> also does not recommend that a deployment avoid NTA if it makes sense >>> for that environment. >>> >>> Negative trust anchors are documented in >>> [RFC7646](https://www.rfc-editor.org/rfc/rfc7646.html). >>> >>> ### DNS Error Reporting >>> >>> **DNS error reporting may be enabled.** >>> >>> For: All DNS resolver operators. >>> >>> DNS error reporting is a way for resolver operators to let >>> authoritative operators know about problems in authoritative servers >>> or zones. It provides little direct value for the resolver operators, >>> but over time should improve the overall quality of the DNS ecosystem. >>> It is neither widely deployed nor standardized, but hopefully will be >>> both soon. Resolver operators are encouraged to enable DNS error >>> reporting when it is available. >>> >>> DNS error reporting is proposed in >>> [draft-ietf-dnsop-dns-error-reporting]( >>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting). >>> >>> ### Trust Anchor Reporting >>> >>> **Trust anchor reporting should be enabled.** >>> >>> For: All DNS resolver operators. >>> >>> Trust anchor reporting is a way for resolver operators to convey their >>> DNSSEC trust anchor configuration to the operator of the zone that it >>> is for. For most resolvers this is only the root zone. This >>> information is intended to be used during a root KSK rollover to >>> ensure that it is safe to proceed. In the future ICANN is planning an >>> algorithm roll for the root KSK, and this information could be >>> helpful. Resolver operators are encouraged to enable trust anchor >>> reporting. >>> >>> [RFC8145](https://www.rfc-editor.org/rfc/rfc8145.html) covers trust >>> anchor reporting, in both possibilities available. >>> >>> ### Name Server Identification >>> >>> **Servers should be configured to identify themselves.** >>> >>> For: All DNS resolver operators. >>> >>> Large resolver operations, especially publicly available resolvers, >>> should support an in-band method of discovery that is obvious to >>> permit users to discover what node has answered their query. This >>> improves troubleshooting significantly, and may be useful for research >>> and testing purposes. NSID (Name Server Identifier) is ideal for this, >>> though also “CH TXT id.server” support is also reasonable. Geographic >>> hints should be provided in this data, though specific host data is >>> optional for arrays of servers in clusters. IATA codes have >>> traditionally been used for naming points-of-presence, though this is >>> at the discretion of the operator. >>> >>> [RFC5001](https://www.rfc-editor.org/rfc/rfc5001.html) describes NSID. >>> >>> [RFC4892](https://www.rfc-editor.org/rfc/rfc4892.html) describes name >>> server identification in general, and documents the pre-NSID >>> approaches. >>> >>> ## Privacy, Filtering, Transparency >>> >>> ### Privacy & anonymity >>> >>> DNS Resolver operators are advised to apply >>> [RFC8932](https://www.rfc-editor.org/rfc/rfc8932.html) >>> >>> "Recommendations for DNS Privacy Service Operators" as follows: >>> >>> 1. its operational and policy guidance related to DNS encrypted >>> transports and data handling, by applying all "Threat mitigations" >>> (thereby by meeting its level of "minimally compliant") and >>> additionally by applying the "Optimizations" on EDNS Client Subnet >>> listed in section 5.3.1. >>> >>> 2. its framework on a Recursive operator Privacy Statement, by >>> publishing a privacy statement on their website covers all topics in >>> Section 6. (See for example >>> [Cloudflare's >>> statement]( >>> https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver) >>> or [Quad9's privacy page](https://www.quad9.net/service/privacy/).) >>> >>> #### Logging considerations >>> >>> In addition to the logging recommendations from RFC8932, operators >>> should consider the following: >>> >>> 1. Third party access to personal data: Resolver operators may receive >>> third party requests for information they have logged that relates >>> to users, including IP addresses, queries and meta data. Resolvers >>> should only comply with such requests when balancing legitimate >>> third party interest with the user's fundamental rights, including >>> rights to privacy. Usage information can be personal data, >>> Personally Identifable Infomation (PII) or similarly regulated >>> under the privacy laws applicable to the users, operator or third >>> party, revealing a person's health, lifestyle or other personal >>> preferences (profiling). For example, logging information that >>> documents a user resolving a website for alcoholics anonymous may >>> relate to the health of a person behind an IP address. >>> >>> 2. Data security: DNS Resolver operators should take appropriate >>> technical and organisational measures to protect logging >>> information that relates to users. >>> >>> #### Advertisement Policy >>> >>> If there is any advertising from the service, the policy should be >>> published as well as how it can potentially affect the users' privacy. >>> >>> ### Filtering and blocking >>> >>> #### Block Lists >>> >>> Resolvers can be directed to block or modify answers in various ways. >>> Blocklists may be provided by governments, communities, or other >>> parties (for example security firms). >>> >>> Response Policy Zone (RPZ) allows a way to both document specific >>> modifications that resolvers will make to DNS answers, and send the >>> rules to resolvers. This allows updates to occur very quickly. If RPZ >>> or some other high-speed blocking technology is used, the parties >>> supplying these sources must be highly trusted, as changes to >>> blocklists will usually immediately impact user queries. >>> >>> RPZ is not standardized, but there is an IETF draft, >>> [draft-vixie-dnsop-dns-rpz]( >>> https://datatracker.ietf.org/doc/draft-vixie-dnsop-dns-rpz/00/). >>> >>> #### Legal blocking >>> >>> **Legal requests and blocking and filtering laws:** DNS resolver >>> operators should not filter content and block access to web-services. >>> When the local law requires blocking, and the law applies to the >>> resolver, the resolver should transparently disclose a list of blocked >>> websites and services, when possible (disclosing such a list may not >>> be allowed by law or regulation). Similarly, the resolver should >>> disclose the source of such block lists, when possible. >>> >>> If it is not possible to disclose the source of blocklists, operators >>> should try to be as transparent as possible about how they receive >>> those blocklists, based on what criteria, and how they mitigate errors >>> and false positives. Disclosing which organizations operators interact >>> with, how they liase, and so on, can help users understand the impact >>> on the service provided. >>> >>> If possible, resolvers should provide information about blocked >>> responses via the Extended DNS Error with the Blocked, Censored, >>> Filtered, or Prohibited code - whichever applies best - along with a >>> text why the response was blocked, censored, filtered, or prohibited. >>> >>> [RFC 8914](https://www.rfc-editor.org/rfc/rfc8914.html#section-4.16) >>> provides information about the meanings of the different codes. >>> >>> **Community governance of blocklists:** blocklists, if mandatory, have >>> to be audited and assessed by third parties and there should be a >>> right to appeal for those blocked. The Internet community can vet the >>> blocklists from time to time to avoid blocking access to websites that >>> are mistakenly blocked. During crisis - when mistakes can have drastic >>> effects on accessing a critical service - preferably filtering and >>> blocking should not be used. >>> >>> #### Opt-in/Opt-out Mechanisms >>> >>> End users may choose to use a DNS resolver that filters specific kinds >>> of traffic. For example, they may wish to avoid potential malware web >>> sites. Or resolver operators may be required to default to filtering >>> but allowed for to provide an unfiltered DNS resolver service. >>> >>> Depending on the specific requirements, a resolver service may publish >>> different IP addresses and what type of filtering applies to each >>> address. It is also possible to perform client authentication and >>> authorization, using IP-based authentication, TSIG keys, or >>> client-side TLS certificates. >>> >>> ### Transparency >>> >>> Public DNS resolver operators should publish transparency reports to >>> build user trust in their adherence to policies and practices. This >>> goes beyond our advise to apply RFC8932, section 6.2. >>> >>> A common frequency is once a year. The reports inform the public about >>> disclosure of user information and removal of content required by law >>> enforcement and other government agencies. >>> >>> Transparency reports should (to the extent that the law allows) >>> indicate which government agencies and law enforcement agencies >>> request access on what basis. >>> >>> It should also be clear from the transparency reports what kind of >>> data has been requested and if content removal and content blocking >>> have been requested. Categories of data include: Content Data, Basic >>> Subscriber Data, Other Non-Content Data and Content Blocking. >>> >>> #### Negative Trust Anchor reporting >>> >>> Negative Trust Anchors (NTA) are discussed in the previous section on >>> DNS configurations. If NTAs are present in the resolver, they should >>> be published with as much detail as possible about them. This includes >>> reasons for insertion, dates of activation and expected removal dates, >>> or a published review date or cycle for when NTAs should be actively >>> examined for deletion if such fine-grained information cannot be >>> shared. >>> >>> NTAs are equivalent to a security fault, and may even be more >>> significant than a block event as they remove expected trust behavior >>> with limited signal of that trust downgrade ("limited" because few if >>> any clients care about those response bits changing.). >>> >>> #### Human rights considerations >>> >>> DNS resolvers can opt for declaring their understanding of their >>> responsibilities regarding human rights from the Universal Declaration >>> of Human Rights. As an example of a public DNS resolver operator, >>> Quad9 mentions rights to freedoms without distinction made on the >>> basis of country, no interference with privacy, the right to freedom >>> of opinion and expression, the right to peaceful assembly, and the >>> right to freely participate in the cultural life of the community. >>> >>> See >>> [Quad9's Human Rights >>> Considerations]( >>> https://www.quad9.net/privacy/human-rights-considerations/) >>> for the full statement. >>> >>> It also invokes other human rights related solutions other than >>> [UDHR](https://www.un.org/en/universal-declaration-human-rights/) such >>> as Articles 8 and 9 of Resolution 42/15 of the United Nations Human >>> Rights Council on the right to privacy in the digital age of 26 >>> September 2019 more directly define the responsibilities of the >>> private sector toward the furtherance of human rights in modern terms. >>> They also follow the Guidelines for Human Rights Protocol and >>> Architecture Consideration of the Human Rights Protocol Considerations >>> Research Group at Internet Research Task Force. >>> >>> The latest version of the IRTF >>> [Guidelines for >>> HRPC](https://tools.ietf.org/html/draft-irtf-hrpc-guidelines) may be >>> considered for all network operators. >>> >>> ## Appendix A: Why Did RIPE Write This Document? >>> >>> There is increasing concern that large open DNS resolvers will become >>> centralised points of DNS operations on the Internet. In order to >>> address this, the European Commission issued the >>> [DNS4EU]( >>> https://hadea.ec.europa.eu/calls-proposals/equipping-backbone-networks-high-performance-and-secure-dns-resolution-infrastructures-works_en >>> ) >>> proposal. However, such an initiative could lead to centralised >>> guidance or regulation which might interfere with the decentralised >>> way the Internet infrastructure works - including the DNS. See for >>> reference the >>> [RIPE NCC Open House >>> discussion]( >>> https://labs.ripe.net/author/chrisb/dns4eu-ripe-ncc-open-house-discussion/ >>> ) >>> on this topic. >>> >>> Rather than attempting to respond to the EC proposal or organize >>> specific DNS resolver deployments, the RIPE community has decided that >>> it is best able to provide advice and guidance. The RIPE Community is >>> well positioned to provide a set of Best Current Practices that >>> operators of Open DNS Resolvers will be encouraged to subscribe to. >>> >>> -- >>> dns-resolver-tf mailing list >>> dns-resolver-tf at ripe.net >>> https://lists.ripe.net/mailman/listinfo/dns-resolver-tf >>> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://lists.ripe.net/ripe/mail/archives/dns-resolver-tf/attachments/20240324/236ac43c/attachment-0001.html>
- Previous message (by thread): [dns-resolver-tf] Final final draft of RIPE DNS Resolver Best Common Practices
- Next message (by thread): [dns-resolver-tf] Default max-ttl (was: Final final draft of RIPE DNS Resolver Best Common Practices)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]