Internet-Draft | Structured DNS Error | March 2023 |
Wing, et al. | Expires 27 September 2023 | [Page] |
DNS filtering is widely deployed for network security, but filtered DNS responses lack information for the end user to understand the reason for the filtering. Existing mechanisms to provide detail to end users cause harm especially if the blocked DNS response is to an HTTPS website.¶
This document updates RFC 8914 by structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes. Other than that, this document does not change any thing written in RFC 8914.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://ietf-wg-dnsop.github.io/draft-ietf-dnsop-structured-dns-error/draft-ietf-dnsop-structured-dns-error.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/.¶
Discussion of this document takes place on the dnsop Working Group mailing list (mailto:dnsop@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/dnsop/. Subscribe at https://www.ietf.org/mailman/listinfo/dnsop/.¶
Source for this draft and an issue tracker can be found at https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 27 September 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
DNS filters are deployed for a variety of reasons including endpoint security, parental filtering, and filtering required by law enforcement. Network-based security solutions such as firewalls and Intrusion Prevention Systems (IPS) rely upon network traffic inspection to implement perimeter-based security policies and operate by filtering DNS responses. In a home, DNS filtering is used for the same reasons as above and additionally for parental control. Internet Service Providers typically block access to some DNS domains due to a requirement imposed by an external entity (e.g., law enforcement agency) also performed using DNS-based content filtering.¶
Users of DNS services which perform filtering may wish to receive more information about such filtering to resolve problems with the filter -- for example to contact the administrator to allowlist a domain that was erroneously filtered or to understand the reason a particular domain was filtered. With that information, the user can choose another network, open a trouble ticket with the DNS administrator to resolve erroneous filtering, log the information, or other uses.¶
For the DNS filtering mechanisms described in Section 3 the DNS server can return extended error codes Blocked, Censored, Filtered, or Forged Answer defined in Section 4 of [RFC8914]. However, these codes only explain that filtering occurred but lack detail for the user to diagnose erroneous filtering.¶
No matter which type of response is generated (forged IP address(es), NXDOMAIN or empty answer, even with an extended error code), the user who triggered the DNS query has little chance to understand which entity filtered the query, how to report a mistake in the filter, or why the entity filtered it at all. This document describes a mechanism to provide such detail.¶
One of the other benefits of this approach is to eliminate the need to "spoof" block pages for HTTPS resources. This is achieved since clients implementing this approach would be able to display a meaningful error message, and would not need to connect to such a block page. This approach thus avoids the need to install a local root certificate authority on those IT-managed devices.¶
This document describes a format for computer-parsable data in the EXTRA-TEXT field of [RFC8914]. It updates Section 2 of [RFC8914] which says the information in EXTRA-TEXT field is intended for human consumption (not automated parsing).¶
This document does not recommend DNS filtering but provides a mechanism for better transparency to explain to the users why some DNS queries are filtered.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses terms defined in DNS Terminology [RFC8499].¶
"Requestor" refers to the side that sends a request. "Responder" refers to an authoritative, recursive resolver or other DNS component that responds to questions. Other terminology is used here as defined in the RFCs cited by this document.¶
"Encrypted DNS" refers to any encrypted scheme to convey DNS messages, for example, DNS-over-HTTPS [RFC8484], DNS-over-TLS [RFC7858], or DNS-over-QUIC [RFC9250].¶
The document refers to an extended DNS error using its purpose, not its INFO-CODE as per Table 3 of [RFC8914]. "Forged Answer", "Blocked", "Censored", and "Filtered" are thus used to refer to "Forged Answer (4)", "Blocked (15)", "Censored (16)", and "Filtered (17)".¶
Today, DNS responses can be filtered by sending a bogus (also called "forged") A or AAAA response, NXDOMAIN error or empty answer, or an extended DNS error (EDE) code defined in [RFC8914]. Each of these methods have advantages and disadvantages that are discussed below:¶
The DNS response is forged to provide a list of IP addresses that points to an HTTP(S) server alerting the end user about the reason for blocking access to the requested domain (e.g., malware). When an HTTP(S) enabled domain name is blocked, the network security device (e.g., CPE, firewall) presents a block page instead of the HTTP response from the content provider hosting that domain. If an HTTP enabled domain name is blocked, the network security device intercepts the HTTP request and returns a block page over HTTP. If an HTTPS enabled domain is blocked, the block page is also served over HTTPS. In order to return a block page over HTTPS, man in the middle (MITM) is enabled on endpoints by generating a local root certificate and an accompanying (local) public/private key pair. The local root certificate is installed on the endpoint while the network security device(s) stores a copy of the private key. During the TLS handshake, the network security device modifies the certificate provided by the server and (re)signs it using the private key from the local root certificate.¶
Servers that are compliant with this specification send I-JSON data in the EXTRA-TEXT field [RFC8914] using the Internet JSON (I-JSON) message format [RFC7493].¶
This document defines the following JSON names:¶
The contact details of the IT/InfoSec team to report mis-classified DNS filtering. This field is structured as an array of contact URIs (e.g., tel, sips, https). At least one contact URI MUST be included. This field is mandatory.¶
UTF-8-encoded [RFC5198] textual justification for this particular DNS filtering. The field should be treated only as diagnostic information for IT staff. This field is mandatory.¶
the suberror code for this particular DNS filtering. This field is optional.¶
UTF-8-encoded human-friendly name of the organization that filtered this particular DNS query. This field is optional.¶
New JSON names can be defined in the IANA "application/json+structured-dns-error" registry (Section 10). Such names MUST consist only of lower-case ASCII characters, digits, and hyphens (that is, Unicode characters U+0061 through 007A, U+0030 through U+0039, and U+002D). Also, these names MUST be 63 characters or shorter and it is RECOMMENDED they be as short as possible.¶
The text in the "j" and "o" names can include international characters. If the text is displayed in a language not known to the end user, browser extensions to translate to user's native language can be used. For example, "Google Translate" extension [Chrome-Translate] provided by Google on Chrome can be used to translate the text.¶
To reduce packet overhead the generated JSON SHOULD be as short as possible: short domain names, concise text in the values for the "j" and "o" names, and minified JSON (that is, without spaces or line breaks between JSON elements).¶
The JSON data can be parsed to display to the user, logged, or otherwise used to assist the end-user or IT staff with troubleshooting and diagnosing the cause of the DNS filtering.¶
When generating a DNS query, the client includes the Extended DNS Error option Section 2 of [RFC8914] in the OPT pseudo-RR [RFC6891] to elicit the Extended DNS Error option in the DNS response.¶
When the DNS server filters its DNS response to an A or AAAA record query, the DNS response MAY contain an empty answer, NXDOMAIN, or (less ideally) forged A or AAAA response, as desired by the DNS server. In addition, if the query contained the OPT pseudo-RR the DNS server MAY return more detail in the EXTRA-TEXT field as described in Section 5.3.¶
Servers may decide to return small TTL values in filtered DNS responses (e.g., 2 seconds) to handle domain category and reputation updates.¶
Because the DNS client signals its EDE support (Section 5.1) and because EDE support is signaled via a non-cached OPT resource record (Section 6.2.1 of [RFC6891]) the EDE-aware DNS server can tailor its filtered response to be most appropriate to that client's EDE support. If EDE support is signaled in the query the server MUST NOT return the "Forged Answer" extended error code because the client can take advantage of EDE's more sophisticated error reporting (e.g., "Censored", "Filtered", "Blocked"). Continuing to send "Forged Answer" even to an EDE-supporting client will cause the persistence of the drawbacks described in Section 3.¶
On receipt of a DNS response with an Extended DNS Error option, the following actions are performed if the EXTRA-TEXT field contains valid JSON:¶
This section discusses operation with an RPZ server [RPZ] that indicates filtering with a NXDOMAIN response with the Recursion Available bit cleared (RA=0).¶
When the DNS client supports this specification but the server does not, the server will continue replying when a query is RPZ filtered with NXDOMAIN and RA=0. An DNS client upgraded to support this specification can continue to accept responses with NXDOMAIN and RA=0 from the RPZ server that does not support this specification.¶
When the DNS client supports this specification and the server supports this specification, the client learns of the server's support via [I-D.ietf-add-resolver-info] and the client includes the EDE OPT pseudo-RR in the query. This allows the server to differentiate EDE-aware clients from EDE-unaware clients and respond appropriately.¶
The document defines the following new IANA-registered Sub-Error codes.¶
An example showing the nameserver at 'ns.example.net' that filtered a DNS "A" record query for 'example.org' is shown in Figure 1.¶
In Figure 2 the same content is shown with minified JSON (no whitespace, no blank lines) with '\' line wrapping per [RFC8792].¶
Security considerations in Section 6 of [RFC8914] apply to this document.¶
To minimize impact of active on-path attacks on the DNS channel, the client validates the response as described in Section 5.3.¶
A client might choose to display the information in the "c", "j", and "o" fields if and only if the encrypted resolver has sufficient reputation, according to some local policy (e.g. user configuration, administrative configuration, or a built-in list of respectable resolvers). This limits the ability of a malicious encrypted resolver to cause harm. If the client decides not to display the all of the information in the EXTRA-TEXT field, it can be logged for diagnostics purpose and the client can only display the resolver hostname that blocked the domain, error description for the EDE code and the suberror description for the "s'" field to the end-user.¶
When displaying the free-form text of "c" and "o", the browser SHOULD NOT make any of those elements into actionable (clickable) links.¶
An attacker might inject (or modify) the EDE EXTRA-TEXT field with an DNS proxy or DNS forwarder that is unaware of EDE. Such a DNS proxy or DNS forwarder will forward that attacker-controlled EDE option. To prevent such an attack, clients supporting this document MUST discard the EDE option if their DNS server does not signal EDE support via RESINFO [I-D.ietf-add-resolver-info]. As recommended in [I-D.ietf-add-resolver-info], RESINFO should be retrieved over an encrypted DNS channel or integrity protected with DNSSEC.¶
This document requests two IANA actions as described in the following subsections.¶
This document requests IANA to register the "application/json+structured-dns-error" media type in the "Media Types" registry [IANA-MediaTypes]. This registration follows the procedures specified in [RFC6838]:¶
Type name: application Subtype name: json+structured-dns-error Required parameters: N/A Optional parameters: N/A Encoding considerations: as defined in Section NN of [RFCXXXX]. Security considerations: See Section NNN of [RFCXXXX]. Interoperability considerations: N/A Published specification: [RFCXXXX] Applications that use this media type: Section NNNN of [RFCXXXX]. Fragment identifier considerations: N/A Additional information: N/A Person & email address to contact for further information: IETF, iesg@ietf.org Intended usage: COMMON Restrictions on usage: none Author: See Authors' Addresses section. Change controller: IESG Provisional registration? No¶
This document requests IANA to create a new registry, entitled "SubError Codes" under "Domain Name System (DNS) Parameters, Extended DNS Error Codes" registry [IANA-DNS]. The registration request for a new suberror codes MUST include the following fields:¶
The SubError Code registry shall initially be populated with the following suberror codes:¶
Number | Meaning | RFC8914 error code applicability | Reference | Change Controller |
---|---|---|---|---|
0 | Reserved | Not used | Section 7.1 of this document | IETF |
1 | Malware | "Blocked", "Censored", "Filtered" | Section 5.5 of [RFC5901] | IETF |
2 | Phishing | "Blocked", "Censored", "Filtered" | Section 5.5 of [RFC5901] | IETF |
3 | Spam | "Blocked", "Censored", "Filtered" | Page 289 of [RFC4949] | IETF |
4 | Spyware | "Blocked", "Censored", "Filtered" | Page 291 of [RFC4949] | IETF |
5 | Network operator policy | "Blocked" | Section 7.2 of this document | IETF |
6 | DNS operator policy | "Blocked" | Section 7.3 of this document | IETF |
New entries in this registry are subject to an Expert Review registration policy [RFC8126]. The designated expert MUST ensure that the Reference is stable and publicly available, and that it specifies the suberror code and a short description. The reference may be an individual Internet-Draft, or a document from any other source with similar assurances of stability and availability.¶
Review requests are evaluated on the advice of one or more designated experts. Criteria that should be applied by the designated experts include determining whether the proposed registration duplicates existing entries and whether the registration description is sufficiently detailed and fits the purpose of this registry. The designated experts will either approve or deny the registration request, communicating this decision to IANA. Denials should include an explanation and, if applicable, suggestions as to how to make the request successful.¶
Thanks to Vittorio Bertola, Wes Hardaker, Ben Schwartz, Erid Orth, Viktor Dukhovni, Warren Kumari, Paul Wouters, John Levine, and Bob Harold for the comments.¶