Page MenuHomePhabricator
Create Task
Maniphest T274431

Wikidough: Support EDNS(0) Padding: RFC 7830 and RFC 8467
Open, Needs TriagePublic
Actions

Description

RFC 7830 describes the EDNS(0) Padding Option that pads DNS queries and responses to prevent size-based correlation of encrypted DNS messages. The policies and their specific details are further described in RFC 8467. Given that Wikidough supports DoT and DoH, it will be good to have (read: we should have) support for padding responses to further improve the privacy of DNS responses over an encrypted channel, specifically, between the stub and the recursor.

Wikidough does not currently support padding:

;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 6717
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; example.com.        		IN	A

;; ANSWER SECTION:
example.com.        	86400	IN	A	93.184.216.34

;; Received 56 B
;; Time 2021-02-10 15:22:39 EST

But it should (from another resolver that supports it):

;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46138
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.        		IN	A

;; ANSWER SECTION:
example.com.        	65875	IN	A	93.184.216.34

;; Received 468 B <-- as specified in RFC 8467, response padded to 468 bytes
;; Time 2021-02-10 15:22:57 EST

We reported this as a feature request upstream to dnsdist developers in #10018; please see the issue for more details. It was then mentioned that they have already started working on it in #8918, but on the recursor (pdns-recursor) side, and it is marked for the rec-4.5.0 (pdns-recursor 4.5.0) milestone.

Once the features is merged in pdns-recusor, we need to do the following:

  • patch merged in pdns-recursor
  • test the patch to ensure integration with dnsdist
  • backport the patch from rec-4.5.0 to rec-4.4.2 given that it is unlikely we will upgrade to 4.5.0 just yet
  • update the Debian package to include the patch
  • write an integration test for it in knead-wikidough

Details

SubjectRepoBranchLines +/-
wikidough: enable support for EDNS paddingoperations/puppetproduction+3 -0
dnsrecursor: add support for enabling EDNS paddingoperations/puppetproduction+8 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

ssingh created this task.Feb 10 2021, 9:13 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 10 2021, 9:13 PM
ssingh added a parent task: T252132: Deploy Wikimedia DNS: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) public resolver.Feb 10 2021, 9:14 PM
ssingh moved this task from Backlog to Some old column on the Traffic board.Feb 10 2021, 9:18 PM
Maintenance_bot added a project: SRE.Feb 10 2021, 9:45 PM
ssingh updated the task description. (Show Details)Apr 26 2021, 2:35 PM
BBlack moved this task from Some old column to Upcoming on the Traffic board.Oct 8 2021, 8:19 PM
gerritbot added a comment.Nov 4 2021, 2:15 PM

Change 736776 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] dnsrecursor: add support for enabling EDNS padding

https://gerrit.wikimedia.org/r/736776

gerritbot added a project: Patch-For-Review.Nov 4 2021, 2:15 PM
gerritbot added a comment.Nov 11 2021, 2:54 PM

Change 736776 merged by Ssingh:

[operations/puppet@production] dnsrecursor: add support for enabling EDNS padding

https://gerrit.wikimedia.org/r/736776

gerritbot added a comment.Nov 11 2021, 2:59 PM

Change 738251 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] wikidough: enable support for EDNS padding

https://gerrit.wikimedia.org/r/738251

gerritbot added a comment.Nov 11 2021, 3:03 PM

Change 738251 merged by Ssingh:

[operations/puppet@production] wikidough: enable support for EDNS padding

https://gerrit.wikimedia.org/r/738251

ssingh added a comment.Nov 11 2021, 3:06 PM

Responses are being padded to 468 bytes, as expected and per the RFC:

kdig @185.71.138.138 +tls-ca +tls-host=wikimedia-dns.org wikipedia.org
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 12358
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; PADDING: 406 B

;; QUESTION SECTION:
;; wikipedia.org.      		IN	A

;; ANSWER SECTION:
wikipedia.org.      	581	IN	A	208.80.154.224

;; Received 468 B
;; Time 2021-11-11 10:04:42 EST
;; From 185.71.138.138@853(TCP) in 72.5 ms

And not being padded, in case we +nopadding:

kdig @185.71.138.138 +tls-ca +tls-host=wikimedia-dns.org wikipedia.org +nopadding
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 20192
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; wikipedia.org.      		IN	A

;; ANSWER SECTION:
wikipedia.org.      	526	IN	A	208.80.154.224

;; Received 47 B
;; Time 2021-11-11 10:05:37 EST
;; From 185.71.138.138@853(TCP) in 70.3 ms

However, there is a bug in dnsdist where it pads the responses incorrectly to 457 bytes instead of 468 bytes; we have reported it to them upstream at https://github.com/PowerDNS/pdns/issues/10884.

ssingh added a comment.Nov 11 2021, 3:08 PM

An example of an incorrectly padded response (and as we reported to dnsdist developers):

kdig @185.71.138.138 +tls-ca +tls-host=wikimedia-dns.org example.org
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 16682
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; PADDING: 397 B

;; QUESTION SECTION:
;; example.org.        		IN	A

;; ANSWER SECTION:
example.org.        	86234	IN	A	93.184.216.34

;; Received 457 B
;; Time 2021-11-11 10:07:26 EST
;; From 185.71.138.138@853(TCP) in 73.4 ms

For more information on why this happens, please see the GitHub task above!

KOfori moved this task from Upcoming to Ready for work on the Traffic board.Feb 21 2023, 3:39 PM
Aklapper removed a project: Patch-For-Review.Feb 21 2023, 9:54 PM
BCornwall moved this task from Ready for work to Backlog on the Traffic board.Feb 23 2023, 12:01 AM
Aklapper removed ssingh as the assignee of this task.Mar 21 2023, 9:38 AM

@ssingh: Removing task assignee as this open task has been assigned for more than two years - See the email sent to task assignee on Feburary 22nd, 2023.
Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome! :)
If this task has been resolved in the meantime, or should not be worked on by anybody ("declined"), please update its task status via "Add Action… 🡒 Change Status".
Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator. Thanks!

ssingh claimed this task.Mar 21 2023, 4:44 PM
cmooney subscribed.Mar 21 2023, 5:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL