DNS server technology gets experimental upgrade
Support for DoH has been added to BIND 9.17.10, a development version of the nameserver. A backport to the stable (mainstream) 9.16.x branch is planned once the current build dependency on the nghttp2 library is made optional.
DoH is a foundational technology for building greater privacy into surfing the web and other activities on the internet. Application of the DoH protocol involves enclosing DNS traffic inside HTTPS packets.
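As an added illustration of the "DNS inside HTTPS" encapsulation just described (this is example code, not ISC's or BIND's), the following Python builds an RFC 8484 DoH request around a wire-format DNS query and decodes a constructed response; the resolver URL is a placeholder, not one named in the article.

```python
import base64
import struct

# Placeholder resolver endpoint (assumed; the article names none).
DOH_URL = "https://doh.example.invalid/dns-query"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format (RD=1).
    RFC 8484 suggests txid 0 so identical queries yield identical bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(wire: bytes, url: str = DOH_URL) -> str:
    """GET form: base64url (padding stripped) in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{url}?dns={b64}"

def doh_post_message(wire: bytes) -> tuple:
    """POST form: the raw DNS message is the body; only the HTTP headers
    (and the TLS session carrying them) are visible to an observer."""
    headers = {"Accept": "application/dns-message",
               "Content-Type": "application/dns-message",
               "Content-Length": str(len(wire))}
    return headers, wire

def _skip_name(data: bytes, off: int) -> int:
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_answers(resp: bytes) -> list:
    """Return IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount = struct.unpack_from("!HHHH", resp, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4          # skip QTYPE/QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return answers

def sample_response(query: bytes) -> bytes:
    """Constructed reply: echoes the question, adds one A record (192.0.2.1)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + rr
```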
This layer of encryption guards against snooping on the websites consumers are visiting, blocking some aspects of ad tracking as well as protecting against message modification – a benefit in defending against manipulator in the middle (MitM) attacks.
DoH is also a stepping stone in the deployment of Encrypted Client Hello (ECH), a technology that encrypts the handshake between clients and TLS servers so that sensitive metadata is kept secret.
BIND – which is developed by the Internet Systems Consortium (ISC) – already supports DNS-over-TLS (DoT), an alternative to DoH that offers similar privacy-enhancing benefits.
Following the latest (experimental or prototype) release, a BIND server can accept conventional DNS queries as well as those based on either DoT or DoH.
“Which transport is used for an individual client query depends on what the client uses to contact BIND,” a blog post by the ISC explains. “Starting from this release we have a specialised HTTP/2 server built into BIND specifically to serve DNS-over-HTTPS queries.”
BIND’s support for DoH remains server-side only at present, though work on client-side technology is already underway. The server-side release was tested using Mozilla Firefox among other DoH clients.
The DoH implementation in BIND already boasts some unique features, including the ability to offload TLS encryption to another server.
BIND’s blog post goes on to explain the benefits of this feature as well as how to set up DNS-over-HTTPS using its technology. The post also offers a good summary of the overall benefits of DoH as well as dealing with some of the criticisms of the technology.
And another thing…
The latest BIND release for developers also includes a fix for a buffer overflow vulnerability (CVE-2020-8625).
BIND’s implementation of SPNEGO, a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG, is flawed.
The vulnerability creates a mechanism to crash the process and, although unproven, the possibility to trigger remote code execution.
“Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers,” ISC advises.
GSS-TSIG is an extension to the TSIG protocol that is designed to support the secure exchange of keys.
Users are advised to upgrade to the patched release most closely related to their current version of BIND, such as BIND 9.11.28 or BIND 9.16.12.