You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- `<shared-key>`: the shared key derived from `<resolver-pk>` and `<client-sk>`, using the key exchange algorithm defined in the chosen certificate.
53
-
- `<client-query>`: the unencrypted client query. The query is not modified; in particular, the query flags are not altered and the query length MUST be kept in queries prepared to be sent over TCP.
53
+
- `<client-query>`: the unencrypted client query. The query is not modified; in particular, the query flags are not altered and the query length MUST be kept in queries prepared to be sent over TCP {{!RFC7766}}.
54
54
- `<client-nonce-pad>`: `<client-nonce>`length is half the nonce length required by the encryption algorithm. In client queries, the other half, `<client-nonce-pad>` is filled with NUL bytes.
55
55
- `<client-query-pad>`: the variable-length padding.
56
56
@@ -66,7 +66,7 @@ Definitions for server responses:
- `<shared-key>`: the shared key derived from `<resolver-sk>` and `<client-pk>`, using the key exchange algorithm defined in the chosen certificate.
69
-
- `<resolver-response>`: the unencrypted resolver response. The response is not modified; in particular, the query flags are not altered and the response length MUST be kept in responses prepared to be sent over TCP.
69
+
- `<resolver-response>`: the unencrypted resolver response. The response is not modified; in particular, the query flags are not altered and the response length MUST be kept in responses prepared to be sent over TCP {{!RFC7766}}.
70
70
- `<resolver-response-pad>`: the variable-length padding.
71
71
72
72
# Protocol Description
@@ -77,18 +77,18 @@ The DNSCrypt protocol operates through the following steps:
77
77
78
78
1. The DNSCrypt client sends a DNS query to a DNSCrypt server to retrieve the server's public keys.
79
79
2. The client generates its own key pair.
80
-
3. The client encrypts unmodified DNS queries using a server's public key, padding them as necessary, and concatenates them to a nonce and a copy of the client's public key. The resulting output is transmitted to the server via standard DNS transport mechanisms.
80
+
3. The client encrypts unmodified DNS queries using a server's public key, padding them as necessary, and concatenates them to a nonce and a copy of the client's public key. The resulting output is transmitted to the server via standard DNS transport mechanisms {{!RFC1035}}.
81
81
4. Encrypted queries are decrypted by the server using the attached client public key and the server's own secret key. The output is a regular DNS packet that doesn't require any special processing.
82
82
5. To send an encrypted response, the server adds padding to the unmodified response, encrypts the result using the client's public key and the client's nonce, and truncates the response if necessary. The resulting packet, truncated or not, is sent to the client using standard DNS mechanisms.
83
-
6. The client authenticates and decrypts the response using its secret key, the server's public key, the client's nonce included in the response, and the client's original nonce. If the response was truncated, the client MAY adjust internal parameters and retry over TCP. If not, the output is a regular DNS response that can be directly forwarded to applications and stub resolvers.
83
+
6. The client authenticates and decrypts the response using its secret key, the server's public key, the client's nonce included in the response, and the client's original nonce. If the response was truncated, the client MAY adjust internal parameters and retry over TCP {{!RFC7766}}. If not, the output is a regular DNS response that can be directly forwarded to applications and stub resolvers.
84
84
85
85
Key features of the DNSCrypt protocol include:
86
86
87
87
- Stateless operation: Every query can be processed independently from other queries, with no session identifiers required.
88
88
- Flexible key management: Clients can replace their keys whenever they want, without extra interactions with servers.
89
89
- Proxy support: DNSCrypt packets can securely be proxied without having to be decrypted, allowing client IP addresses to be hidden from resolvers ("Anonymized DNSCrypt").
90
90
- Shared infrastructure: Recursive DNS servers can accept DNSCrypt queries on the same IP address and port used for regular DNS traffic.
91
-
- Attack mitigation: DNSCrypt mitigates two common security vulnerabilities in regular DNS over UDP: amplification and fragmentation attacks.
91
+
- Attack mitigation: DNSCrypt mitigates two common security vulnerabilities in regular DNS over UDP: amplification {{!RFC5358}} and fragmentation attacks.
92
92
93
93
## Transport
94
94
@@ -138,7 +138,7 @@ The client MUST authenticate and, if authentication succeeds, decrypt the respon
138
138
139
139
If the response has the TC flag set, the client MUST:
@@ -223,7 +223,7 @@ A successful response to a certificate request contains one or more `TXT` record
223
223
- `<protocol-minor-version>`: `0x00 0x00`
224
224
- `<signature>`: a 64-byte signature of `(<resolver-pk> <client-magic> <serial> <ts-start> <ts-end> <extensions>)` using the Ed25519 algorithm and the provider secret key. Ed25519 MUST be used in this version of the protocol.
225
225
- `<resolver-pk>`: the resolver short-term public key, which is 32 bytes when using X25519.
226
-
- `<client-magic>`: The first 8 bytes of a client query that was built using the information from this certificate. It MAY be a truncated public key. Two valid certificates cannot share the same `<client-magic>`. `<client-magic>` MUST NOT start with `0x00 0x00 0x00 0x00 0x00 0x00 0x00` (seven all-zero bytes) in order to avoid confusion with the QUIC protocol.
226
+
- `<client-magic>`: The first 8 bytes of a client query that was built using the information from this certificate. It MAY be a truncated public key. Two valid certificates cannot share the same `<client-magic>`. `<client-magic>` MUST NOT start with `0x00 0x00 0x00 0x00 0x00 0x00 0x00` (seven all-zero bytes) in order to avoid confusion with the QUIC protocol {{!RFC9000}}.
227
227
- `<serial>`: a 4-byte serial number in big-endian format. If more than one certificate is valid, the client MUST prefer the certificate with a higher serial number.
228
228
- `<ts-start>`: the date the certificate is valid from, as a big-endian 4-byte unsigned Unix timestamp.
229
229
- `<ts-end>`: the date the certificate is valid until (inclusive), as a big-endian 4-byte unsigned Unix timestamp.
@@ -257,9 +257,9 @@ This section discusses security considerations for the DNSCrypt protocol.
257
257
258
258
The DNSCrypt protocol provides several security benefits:
259
259
260
-
1. **Confidentiality**: DNS queries and responses are encrypted using XChaCha20-Poly1305, preventing eavesdropping of DNS traffic.
261
-
2. **Integrity**: Message authentication using Poly1305 ensures that responses cannot be tampered with in transit.
262
-
3. **Authentication**: The use of X25519 for key exchange and Ed25519 for certificate signatures provides strong authentication of resolvers.
260
+
1. **Confidentiality**: DNS queries and responses are encrypted using XChaCha20-Poly1305 {{!RFC8439}}, preventing eavesdropping of DNS traffic.
261
+
2. **Integrity**: Message authentication using Poly1305 {{!RFC8439}} ensures that responses cannot be tampered with in transit.
262
+
3. **Authentication**: The use of X25519 {{!RFC7748}} for key exchange and Ed25519 for certificate signatures provides strong authentication of resolvers.
263
263
4. **Forward Secrecy**: Short-term key pairs are used for each session, providing forward secrecy.
264
264
265
265
## Implementation Security
@@ -290,7 +290,7 @@ Implementations should consider the following security aspects:
290
290
DNSCrypt provides protection against several types of attacks:
291
291
292
292
1. **DNS Spoofing**: The use of authenticated encryption prevents spoofed responses
293
-
2. **Amplification Attacks**: The padding requirements and minimum query length help prevent amplification attacks
293
+
2. **Amplification Attacks**: The padding requirements and minimum query length help prevent amplification attacks {{!RFC5358}}
294
294
3. **Fragmentation Attacks**: The protocol handles fragmentation in a way that prevents certain types of attacks
295
295
4. **Replay Attacks**: The use of nonces and timestamps helps prevent replay attacks
296
296
@@ -323,14 +323,10 @@ Resolvers accepting queries from any client MUST accept any client public key. I
323
323
324
324
Resolvers MUST rotate the short-term key pair every 24 hours at most, and MUST throw away the previous secret key. After a key rotation, a resolver MUST still accept all the previous keys that haven't expired.
325
325
326
-
Provider public keys MAY be published as DNSSEC-signed `TXT` records, in the same zone as the provider name. For example, a query for the `TXT` type on the name `"2.pubkey.example.com"` may return a signed record containing a hexadecimal-encoded provider public key for the provider name `"2.dnscrypt-cert.example.com"`.
326
+
Provider public keys MAY be published as DNSSEC-signed `TXT` records {{!RFC1035}}, in the same zone as the provider name. For example, a query for the `TXT` type on the name `"2.pubkey.example.com"` may return a signed record containing a hexadecimal-encoded provider public key for the provider name `"2.dnscrypt-cert.example.com"`.
327
327
328
328
As a client is likely to reuse the same key pair many times, servers are encouraged to cache shared keys instead of performing the X25519 operation for each query. This makes the computational overhead of DNSCrypt negligible compared to plain DNS.
329
329
330
-
# IANA Considerations
331
-
332
-
This document has no IANA actions.
333
-
334
330
# Anonymized DNSCrypt
335
331
336
332
While DNSCrypt encrypts DNS traffic, DNS server operators can still observe client IP addresses. Anonymized DNSCrypt is an extension to the DNSCrypt protocol that allows queries and responses to be relayed by an intermediate server, hiding the client's IP address from the resolver.
@@ -360,12 +356,14 @@ An Anonymized DNSCrypt query is a standard DNSCrypt query prefixed with informat
@@ -375,29 +373,37 @@ For example, a query for a server at 192.0.2.1:443 would be prefixed with:
375
373
## Relay Behavior
376
374
377
375
Relays MUST:
376
+
378
377
1. Accept queries over both TCP and UDP
379
378
2. Communicate with upstream servers over UDP, even if client queries were sent over TCP
380
379
3. Validate incoming packets:
381
-
- Check that the target IP is not in a private range
380
+
381
+
- Check that the target IP is not in a private range {{!RFC1918}}
382
382
- Verify the port number is in an allowed range
383
383
- Ensure the DNSCrypt query doesn't start with `<anon-magic>`
384
-
- Verify the query doesn't start with 7 zero bytes (to avoid confusion with QUIC)
384
+
- Verify the query doesn't start with 7 zero bytes (to avoid confusion with QUIC {{!RFC9000}})
385
385
4. Forward valid queries unmodified to the server
386
386
5. Verify server responses:
387
+
387
388
- Check that the response is smaller than the query
388
389
- Validate the response format (either starts with resolver magic or is a certificate response)
389
390
- Forward valid responses unmodified to the client
390
391
391
392
## Operational Considerations
392
393
393
394
When using Anonymized DNSCrypt:
395
+
394
396
1. Clients should choose relays and servers operated by different entities
395
397
2. Having relays and servers on different networks is recommended
396
398
3. Relay operators should:
397
-
- Refuse forwarding to reserved IP ranges
399
+
- Refuse forwarding to reserved IP ranges {{!RFC1918}}
398
400
- Restrict allowed server ports (typically only allowing port 443)
399
401
- Monitor for abuse
400
402
403
+
# IANA Considerations
404
+
405
+
This document has no IANA actions.
406
+
401
407
# Appendix 1: The Box-XChaChaPoly Algorithm
402
408
403
409
The `Box-XChaChaPoly` algorithm combines the `X25519` {{!RFC7748}} key exchange mechanism with a variant of the ChaCha20-Poly1305 construction specified in {{!RFC8439}}.
0 commit comments