Skip to main content

DNS Queries over HTTPS (DOH)
draft-ietf-doh-dns-over-https-08

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 8484.
Authors Paul E. Hoffman , Patrick McManus
Last updated 2018-05-16
Replaces draft-hoffman-dispatch-dns-over-https, draft-hoffman-dns-over-https
RFC stream Internet Engineering Task Force (IETF)
Formats
Reviews
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Became RFC 8484 (Proposed Standard)
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-ietf-doh-dns-over-https-08
quot; request cache control directive ([RFC7234],
   Section 5.2.1.4) and similar controls.  Note that some caches might
   not honor these directives, either due to configuration or
   interaction with traditional DNS caches that do not have such a
   mechanism.

   HTTP conditional requests ([RFC7232]) may be of limited value to DOH,
   as revalidation provides only a bandwidth benefit and DNS
   transactions are normally latency bound.  Furthermore, the HTTP
   response headers that enable revalidation (such as "Last-Modified"
   and "Etag") are often fairly large when compared to the overall DNS
   response size, and have a variable nature that creates constant
   pressure on the HTTP/2 compression dictionary [RFC7541].  Other types
   of DNS data, such as zone transfers, may be larger and benefit more
   from revalidation.

Hoffman & McManus       Expires November 17, 2018               [Page 9]
Internet-Draft        DNS Queries over HTTPS (DOH)              May 2018

6.2.  HTTP/2

   HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use
   with DOH.

   The messages in classic UDP based DNS [RFC1035] are inherently
   unordered and have low overhead.  A competitive HTTP transport needs
   to support reordering, parallelism, priority, and header compression
   to achieve similar performance.  Those features were introduced to
   HTTP in HTTP/2 [RFC7540].  Earlier versions of HTTP are capable of
   conveying the semantic requirements of DOH but may result in very
   poor performance.

6.3.  Server Push

   Before using DOH response data for DNS resolution, the client MUST
   establish that the HTTP request URI may be used for the DOH query.
   For HTTP requests initiated by the DNS API client this is implicit in
   the selection of URI.  For HTTP server push ([RFC7540] Section 8.2)
   extra care must be taken to ensure that the pushed URI is one that
   the client would have directed the same query to if the client had
   initiated the request.

6.4.  Content Negotiation

   In order to maximize interoperability, DNS API clients and DNS API
   servers MUST support the "application/dns-message" media type.  Other
   media types MAY be used as defined by HTTP Content Negotiation
   ([RFC7231] Section 3.4).  Those media types MUST be flexible enough
   to express every DNS query that would normally be sent in DNS over
   UDP (including queries and responses that use DNS extensions, but not
   those that require multiple responses).

7.  DNS Wire Format

   The data payload is the DNS on-the-wire format defined in [RFC1035].
   The format is for DNS over UDP.  Note that this is different than the
   wire format used in [RFC7858].  Also note that while [RFC1035] says
   "Messages carried by UDP are restricted to 512 bytes", that was later
   updated by [RFC6891].  This protocol allows DNS on-the-wire format
   payloads of any size.

   When using the GET method, the data payload MUST be encoded with
   base64url [RFC4648] and then provided as a variable named "dns" to
   the URI Template expansion.  Padding characters for base64url MUST
   NOT be included.

Hoffman & McManus       Expires November 17, 2018              [Page 10]
Internet-Draft        DNS Queries over HTTPS (DOH)              May 2018

   When using the POST method, the data payload MUST NOT be encoded and
   is used directly as the HTTP message body.

   DNS API clients using the DNS wire format MAY have one or more EDNS
   options [RFC6891] in the request.

   The media type is "application/dns-message".

8.  IANA Considerations

8.1.  Registration of application/dns-message Media Type

Hoffman & McManus       Expires November 17, 2018              [Page 11]
Internet-Draft        DNS Queries over HTTPS (DOH)              May 2018

   To: ietf-types@iana.org
   Subject: Registration of MIME media type
            application/dns-message

   MIME media type name: application

   MIME subtype name: dns-message

   Required parameters: n/a

   Optional parameters: n/a

   Encoding considerations: This is a binary format. The contents are a
   DNS message as defined in RFC 1035. The format used here is for DNS
   over UDP, which is the format defined in the diagrams in RFC 1035.

   Security considerations:  The security considerations for carrying
   this data are the same for carrying DNS without encryption.

   Interoperability considerations:  None.

   Published specification:  This document.

   Applications that use this media type:
     Systems that want to exchange full DNS messages.

   Additional information:

   Magic number(s):  n/a

   File extension(s):  n/a

   Macintosh file type code(s):  n/a

   Person & email address to contact for further information:
      Paul Hoffman, paul.hoffman@icann.org

   Intended usage:  COMMON

   Restrictions on usage:  n/a

   Author:  Paul Hoffman, paul.hoffman@icann.org

   Change controller:  IESG

Hoffman & McManus       Expires November 17, 2018              [Page 12]
Internet-Draft        DNS Queries over HTTPS (DOH)              May 2018

9.  Security Considerations

   Running DNS over HTTPS relies on the security of the underlying HTTP
   transport.  This mitigates classic amplification attacks for UDP-
   based DNS.  Implementations utilizing HTTP/2 benefit from the TLS
   profile defined in [RFC7540] Section 9.2.

   Session level encryption has well known weaknesses with respect to
   traffic analysis which might be particularly acute when dealing with
   DNS queries.  HTTP/2 provides further advice about the use of
   compression ([RFC7540] Section 10.6) and padding ([RFC7540]
   Section 10.7 ).  DNS API Servers can also add DNS padding [RFC7830]
   if the DNS API requests it in the DNS query.

   The HTTPS connection provides transport security for the interaction
   between the DNS API server and client, but does not provide the
   response integrity of DNS data provided by DNSSEC.  DNSSEC and DOH
   are independent and fully compatible protocols, each solving
   different problems.  The use of one does not diminish the need nor
   the usefulness of the other.  It is the choice of a client to either
   perform full DNSSEC validation of answers or to trust the DNS API
   server to do DNSSEC validation and inspect the AD (Authentic Data)
   bit in the returned message to determine whether an answer was
   authentic or not.  As noted in Section 5.2, different response media
   types will provide more or less information from a DNS response so
   this choice may be affected by the response media type.

   Section 6.1 describes the interaction of this protocol with HTTP
   caching.  An adversary that can control the cache used by the client
   can affect that client's view of the DNS.  This is no different than
   the security implications of HTTP caching for other protocols that
   use HTTP.

   In the absence of DNSSEC information, a DNS API server can give a
   client invalid data in response to a DNS query.  A client MUST NOT
   use arbitrary DNS API servers.  Instead, a client MUST only use DNS
   API servers specified using mechanisms such as explicit
   configuration.  This does not guarantee protection against invalid
   data but reduces the risk.

   A client can use DNS over HTTPS as one of multiple mechanisms to
   obtain DNS data.  If a client of this protocol encounters an HTTP
   error after sending a DNS query, and then falls back to a different
   DNS retrieval mechanism, doing so can weaken the privacy and
   authenticity expected by the user of the client.

Hoffman & McManus       Expires November 17, 2018              [Page 13]
Internet-Draft        DNS Queries over HTTPS (DOH)              May 2018

10.  Operational Considerations

   Local policy considerations and similar factors mean different DNS
   servers may provide different results to the same query: for instance
   in split DNS configurations [RFC6950].  It logically follows that the
   server which is queried can influence the end result.  Therefore a
   client's choice of DNS server may affect the responses it gets to its
   queries.  For example, in the case of DNS64 [RFC6147], the choice
   could affect whether IPv6/IPv4 translation will work at all.

   The HTTPS channel used by this specification establishes secure two
   party communication between the DNS API client and the DNS API
   server.  Filtering or inspection systems that rely on unsecured
   transport of DNS will not function in a DNS over HTTPS environment.

   Some HTTPS client implementations perform real time third party
   checks of the revocation status of the certificates being used by
   TLS.  If this check is done as part of the DNS API server connection
   procedure and the check itself requires DNS resolution to connect to
   the third party a deadlock can occur.  The use of OCSP [RFC6960]
   servers or AIA for CRL fetching ([RFC5280] Section 4.2.2.1) are
   examples of how this deadlock can happen.  To mitigate the
   possibility of deadlock, DNS API servers SHOULD NOT rely on DNS based
   references to external resources in the TLS handshake.  For OCSP the
   server can bundle the certificate status as part of the handshake
   using a mechanism appropriate to the version of TLS, such as using
   [RFC6066] Section 8 for TLS version 1.2.  AIA deadlocks can be
   avoided by providing intermediate certificates that might otherwise
   be obtained through additional requests.  Note that these deadlocks
   also need to be considered for server that a DNS API server might
   redirect to.

   A DNS API client may face a similar bootstrapping problem when the
   HTTP request needs to resolve the hostname portion of the DNS URI.
   Just as the address of a traditional DNS nameserver cannot be
   originally determined from that same server, a DNS API client cannot
   use its DNS API server to initially resolve the server's host name
   into an address.  Alternative strategies a client might employ
   include making the initial resolution part of the configuration, IP
   based URIs and corresponding IP based certificates for HTTPS, or
   resolving the DNS API server's hostname via traditional DNS or
   another DNS API server while still authenticating the resulting
   connection via HTTPS.

   HTTP [RFC7230] is a stateless application level protocol and
   therefore DOH implementations do not provide stateful ordering
   guarantees between different requests.  DOH cannot be used as a
   transport for other protocols that require strict ordering.

Hoffman & McManus       Expires November 17, 2018              [Page 14]
Internet-Draft        DNS Queries over HTTPS (DOH)              May 2018

   A DNS API server is allowed to answer queries with any valid DNS
   response.  For example, a valid DNS response might have the TC
   (truncation) bit set in the DNS header to indicate that the server
   was not able to retrieve a full answer for the query but is providing
   the best answer it could get.  A DNS API server can reply to queries
   with an HTTP error for queries that it cannot fulfill.  In this same
   example, a DNS API server could use an HTTP error instead of a non-
   error response that has the TC bit set.

   Many extensions to DNS, using [RFC6891], have been defined over the
   years.  Extensions that are specific to the choice of transport, such
   as [RFC7828], are not applicable to DOH.

11.  References

11.1.  Normative References

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
              NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,
              <https://www.rfc-editor.org/info/rfc2308>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/info/rfc4648>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <https://www.rfc-editor.org/info/rfc5246>.

   [RFC6570]  Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
              and D. Orchard, "URI Template", RFC 6570,
              DOI 10.17487/RFC6570, March 2012,
              <https://www.rfc-editor.org/info/rfc6570>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <https://www.rfc-editor.org/info/rfc7230>.

Hoffman & McManus       Expires November 17, 2018              [Page 15]
Internet-Draft        DNS Queries over HTTPS (DOH)              May 2018

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              DOI 10.17487/RFC7231, June 2014,
              <https://www.rfc-editor.org/info/rfc7231>.

   [RFC7232]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Conditional Requests", RFC 7232,
              DOI 10.17487/RFC7232, June 2014,
              <https://www.rfc-editor.org/info/rfc7232>.

   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
              RFC 7234, DOI 10.17487/RFC7234, June 2014,
              <https://www.rfc-editor.org/info/rfc7234>.

   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
              DOI 10.17487/RFC7540, May 2015,
              <https://www.rfc-editor.org/info/rfc7540>.

   [RFC7541]  Peon, R. and H. Ruellan, "HPACK: Header Compression for
              HTTP/2", RFC 7541, DOI 10.17487/RFC7541, May 2015,
              <https://www.rfc-editor.org/info/rfc7541>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

11.2.  Informative References

   [CORS]     "Cross-Origin Resource Sharing", n.d.,
              <https://fetch.spec.whatwg.org/#http-cors-protocol>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC5861]  Nottingham, M., "HTTP Cache-Control Extensions for Stale
              Content", RFC 5861, DOI 10.17487/RFC5861, May 2010,
              <https://www.rfc-editor.org/info/rfc5861>.

   [RFC6066]  Eastlake 3rd, D., "Transport Layer Security (TLS)
              Extensions: Extension Definitions", RFC 6066,
              DOI 10.17487/RFC6066, January 2011,
              <https://www.rfc-editor.org/info/rfc6066>.

Hoffman & McManus       Expires November 17, 2018              [Page 16]
Internet-Draft        DNS Queries over HTTPS (DOH)              May 2018

   [RFC6147]  Bagnulo, M., Sullivan, A., Matthews, P., and I. van
              Beijnum, "DNS64: DNS Extensions for Network Address
              Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
              DOI 10.17487/RFC6147, April 2011,
              <https://www.rfc-editor.org/info/rfc6147>.

   [RFC6891]  Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
              for DNS (EDNS(0))", STD 75, RFC 6891,
              DOI 10.17487/RFC6891, April 2013,
              <https://www.rfc-editor.org/info/rfc6891>.

   [RFC6950]  Peterson, J., Kolkman, O., Tschofenig, H., and B. Aboba,
              "Architectural Considerations on Application Features in
              the DNS", RFC 6950, DOI 10.17487/RFC6950, October 2013,
              <https://www.rfc-editor.org/info/rfc6950>.

   [RFC6960]  Santesson, S., Myers, M., Ankney, R., Malpani, A.,
              Galperin, S., and C. Adams, "X.509 Internet Public Key
              Infrastructure Online Certificate Status Protocol - OCSP",
              RFC 6960, DOI 10.17487/RFC6960, June 2013,
              <https://www.rfc-editor.org/info/rfc6960>.

   [RFC7828]  Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The
              edns-tcp-keepalive EDNS0 Option", RFC 7828,
              DOI 10.17487/RFC7828, April 2016,
              <https://www.rfc-editor.org/info/rfc7828>.

   [RFC7830]  Mayrhofer, A., "The EDNS(0) Padding Option", RFC 7830,
              DOI 10.17487/RFC7830, May 2016,
              <https://www.rfc-editor.org/info/rfc7830>.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016, <https://www.rfc-editor.org/info/rfc7858>.

Acknowledgments

   This work required a high level of cooperation between experts in
   different technologies.  Thank you Ray Bellis, Stephane Bortzmeyer,
   Manu Bretelle, Sara Dickinson, Tony Finch, Daniel Kahn Gilmor, Olafur
   Guomundsson, Wes Hardaker, Rory Hewitt, Joe Hildebrand, David
   Lawrence, Eliot Lear, John Mattson, Alex Mayrhofer, Mark Nottingham,
   Jim Reid, Adam Roach, Ben Schwartz, Davey Song, Daniel Stenberg,
   Andrew Sullivan, Martin Thomson, and Sam Weiler.

Hoffman & McManus       Expires November 17, 2018              [Page 17]
Internet-Draft        DNS Queries over HTTPS (DOH)              May 2018

Previous Work on DNS over HTTP or in Other Formats

   The following is an incomplete list of earlier work that related to
   DNS over HTTP/1 or representing DNS data in other formats.

   The list includes links to the tools.ietf.org site (because these
   documents are all expired) and web sites of software.

   o  https://tools.ietf.org/html/draft-mohan-dns-query-xml

   o  https://tools.ietf.org/html/draft-daley-dnsxml

   o  https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof

   o  https://tools.ietf.org/html/draft-bortzmeyer-dns-json

   o  https://www.nlnetlabs.nl/projects/dnssec-trigger/

Authors' Addresses

   Paul Hoffman
   ICANN

   Email: paul.hoffman@icann.org

   Patrick McManus
   Mozilla

   Email: mcmanus@ducksong.com

Hoffman & McManus       Expires November 17, 2018              [Page 18]