Internet Engineering Task Force (IETF) S. Bortzmeyer Request for Comments: 9156 AFNIC Obsoletes: 7816 R. Dolmans Category: Standards Track NLnet Labs ISSN: 2070-1721 P. Hoffman ICANN November 2021 DNS Query Name Minimisation to Improve Privacy Abstract This document describes a technique called "QNAME minimisation" to improve DNS privacy, where the DNS resolver no longer always sends the full original QNAME and original QTYPE to the upstream name server. This document obsoletes RFC 7816. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9156. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction and Background 1.1. Experience from RFC 7816 1.2. Terminology 2. Description of QNAME Minimisation 2.1. QTYPE Selection 2.2. QNAME Selection 2.3. Limitation of the Number of Queries 2.4. Implementation by Stub and Forwarding Resolvers 3. Algorithm to Perform QNAME Minimisation 4. QNAME Minimisation Examples 5. Performance Considerations 6. Security Considerations 7. References 7.1. Normative References 7.2. Informative References Acknowledgments Authors' Addresses 1. Introduction and Background The problem statement for this document is described in [RFC9076]. This specific solution is not intended to fully solve the DNS privacy problem; instead, it should be viewed as one tool amongst many. QNAME minimisation follows the principle explained in Section 6.1 of [RFC6973]: the less data you send out, the fewer privacy problems you have. Before QNAME minimisation, when a resolver received the query "What is the AAAA record for www.example.com?", it sent to the root (assuming a resolver, whose cache is empty) the very same question. Sending the full QNAME to the authoritative name server was a tradition, not a protocol requirement. In a conversation with one of the authors in January 2015, Paul Mockapetris explained that this tradition comes from a desire to optimise the number of requests, when the same name server is authoritative for many zones in a given name (something that was more common in the old days, where the same name servers served .com and the root) or when the same name server is both recursive and authoritative (something that is strongly discouraged now). Whatever the merits of this choice at this time, the DNS is quite different now. QNAME minimisation is compatible with the current DNS system and therefore can easily be deployed. Because it is only a change to the way that the resolver operates, it does not change the DNS protocol itself. The behaviour suggested here (minimising the amount of data sent in QNAMEs from the resolver) is allowed by Section 5.3.3 of [RFC1034] and Section 7.2 of [RFC1035]. 1.1. Experience from RFC 7816 This document obsoletes [RFC7816]. [RFC7816] was categorised "Experimental", but ideas from it were widely deployed since its publication. Many resolver implementations now support QNAME minimisation. The lessons learned from implementing QNAME minimisation were used to create this new revision. Data from DNSThought [dnsthought-qnamemin], Verisign [verisign-qnamemin], and APNIC [apnic-qnamemin] shows that a large percentage of the resolvers deployed on the Internet already support QNAME minimisation in some way. Academic research has been performed on QNAME minimisation [devries-qnamemin]. This work shows that QNAME minimisation in relaxed mode causes almost no problems. The paper recommends using the A QTYPE and limiting the number of queries in some way. Some of the issues that the paper found are covered in Section 5. 1.2. Terminology The terminology used in this document is defined in [RFC8499]. In this document, a "cold" cache is one that is empty, having literally no entries in it. A "warm" cache is one that has some entries in it. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. Description of QNAME Minimisation The idea behind QNAME minimisation is to minimise the amount of privacy-sensitive data sent from the DNS resolver to the authoritative name server. This section describes how to do QNAME minimisation. The algorithm is summarised in Section 3. When a resolver is not able to answer a query from cache, it has to send a query to an authoritative name server. Traditionally, these queries would contain the full QNAME and the original QTYPE as received in the client query. The full QNAME and original QTYPE are only needed at the name server that is authoritative for the record requested by the client. All other name servers queried while resolving the query only need to receive enough of the QNAME to be able to answer with a delegation. The QTYPE in these queries is not relevant, as the name server is not able to authoritatively answer the records the client is looking for. Sending the full QNAME and original QTYPE to these name servers therefore exposes more privacy-sensitive data than necessary to resolve the client's request. A resolver that implements QNAME minimisation obscures the QNAME and QTYPE in queries directed to an authoritative name server that is not known to be responsible for the original QNAME. These queries contain: * a QTYPE selected by the resolver to possibly obscure the original QTYPE * the QNAME that is the original QNAME, stripped to just one label more than the longest matching domain name for which the name server is known to be authoritative 2.1. QTYPE Selection Note that this document relaxes the recommendation in [RFC7816] to use the NS QTYPE to hide the original QTYPE. Using the NS QTYPE is still allowed. The authority of NS records lies at the child side. The parent side of the delegation will answer using a referral, like it will do for queries with other QTYPEs. Using the NS QTYPE therefore has no added value over other QTYPEs. The QTYPE to use while minimising queries can be any possible data type (as defined in Section 3.1 of [RFC6895]) for which the authority always lies below the zone cut (i.e., not DS, NSEC, NSEC3, OPT, TSIG, TKEY, ANY, MAILA, MAILB, AXFR, and IXFR), as long as there is no relation between the incoming QTYPE and the selection of the QTYPE to use while minimising. The A or AAAA QTYPEs are always good candidates to use because these are the least likely to raise issues in DNS software and middleboxes that do not properly support all QTYPEs. QTYPE=A or QTYPE=AAAA queries will also blend into traffic from nonminimising resolvers, making it in some cases harder to observe that the resolver is using QNAME minimisation. Using a QTYPE that occurs most in incoming queries will slightly reduce the number of queries, as there is no extra check needed for delegations on non- apex records. 2.2. QNAME Selection The minimising resolver works perfectly when it knows the zone cut (zone cuts are described in Section 6 of [RFC2181]). But zone cuts do not necessarily exist at every label boundary. In the name www.foo.bar.example, it is possible that there is a zone cut between "foo" and "bar" but not between "bar" and "example". So, assuming that the resolver already knows the name servers of example, when it receives the query "What is the AAAA record of www.foo.bar.example?", it does not always know where the zone cut will be. To find the zone cut, it will query the example name servers for a record for bar.example. It will get a non-referral answer, so it has to query the example name servers again with one more label, and so on. (Section 3 describes this algorithm in deeper detail.) 2.3. Limitation of the Number of Queries When using QNAME minimisation, the number of labels in the received QNAME can influence the number of queries sent from the resolver. This opens an attack vector and can decrease performance. Resolvers supporting QNAME minimisation MUST implement a mechanism to limit the number of outgoing queries per user request. Take for example an incoming QNAME with many labels, like www.host.group.department.example.com, where host.group.department.example.com is hosted on example.com's name servers. (Such deep domains are especially common under ip6.arpa.) Assume a resolver that knows only the name servers of example.com. Without QNAME minimisation, it would send these example.com name servers a query for www.host.group.department.example.com and immediately get a specific referral or an answer, without the need for more queries to probe for the zone cut. For such a name, a cold resolver with QNAME minimisation will send more queries, one per label. Once the cache is warm, there will be less difference with a traditional resolver. Testing of this is described in [Huque-QNAME-Min]. The behaviour of sending multiple queries can be exploited by sending queries with a large number of labels in the QNAME that will be answered using a wildcard record. Take for example a record for *.example.com, hosted on example.com's name servers. An incoming query containing a QNAME with more than 100 labels, ending in example.com, will result in a query per label. By using random labels, the attacker can bypass the cache and always require the resolver to send many queries upstream. Note that [RFC8198] can limit this attack in some cases. One mechanism that MAY be used to reduce this attack vector is by appending more than one label per iteration for QNAMEs with a large number of labels. To do this, a maximum number of QNAME minimisation iterations MUST be selected (MAX_MINIMISE_COUNT); a RECOMMENDED value is 10. Optionally, a value for the number of queries that should only have one label appended MAY be selected (MINIMISE_ONE_LAB); a good value is 4. The assumption here is that the number of labels on delegations higher in the hierarchy are rather small; therefore, not exposing too many labels early on has the most privacy benefit. Another potential, optional mechanism for limiting the number of queries is to assume that labels that begin with an underscore (_) character do not represent privacy-relevant administrative boundaries. For example, if the QNAME is "_25._tcp.mail.example.org" and the algorithm has already searched for "mail.example.org", the next query can be for all the underscore-prefixed names together, namely "_25._tcp.mail.example.org". When a resolver needs to send out a query, it will look for the closest-known delegation point in its cache. The number of not-yet- exposed labels is the difference between this closest name server and the incoming QNAME. The first MINIMISE_ONE_LAB labels will be handled as described in Section 2. The number of labels that are still not exposed now need to be divided proportionally over the remaining iterations (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB). If the not-yet-exposed labels cannot be equally divided over the remaining iterations, the remainder of the division should be added to the last iterations. For example, when resolving a QNAME with 18 labels with MAX_MINIMISE_COUNT set to 10 and MINIMISE_ONE_LAB set to 4, the number of labels added per iteration are: 1,1,1,1,2,2,2,2,3,3. 2.4. Implementation by Stub and Forwarding Resolvers Stub and forwarding resolvers MAY implement QNAME minimisation. Minimising queries that will be sent to an upstream resolver does not help in hiding data from the upstream resolver because all information will end up there anyway. It might however limit the data exposure between the upstream resolver and the authoritative name server in the situation where the upstream resolver does not support QNAME minimisation. Using QNAME minimisation in a stub or forwarding resolver that does not have a mechanism to find and cache zone cuts will drastically increase the number of outgoing queries. 3. Algorithm to Perform QNAME Minimisation This algorithm performs name resolution with QNAME minimisation in the presence of zone cuts that are not yet known. Although a validating resolver already has the logic to find the zone cuts, implementers of resolvers may want to use this algorithm to locate the zone cuts. (0) If the query can be answered from the cache, do so; otherwise, iterate as follows: (1) Get the closest delegation point that can be used for the original QNAME from the cache. (1a) For queries with a QTYPE for which the authority only lies at the parent side (like QTYPE=DS), this is the NS RRset with the owner matching the most labels with QNAME stripped by one label. QNAME will be a subdomain of (but not equal to) this NS RRset. Call this ANCESTOR. (1b) For queries with other original QTYPEs, this is the NS RRset with the owner matching the most labels with QNAME. QNAME will be equal to or a subdomain of this NS RRset. Call this ANCESTOR. (2) Initialise CHILD to the same as ANCESTOR. (3) If CHILD is the same as QNAME, or if CHILD is one label shorter than QNAME and the original QTYPE can only be at the parent side (like QTYPE=DS), resolve the original query as normal, starting from ANCESTOR's name servers. Start over from step 0 if new names need to be resolved as a result of this answer, for example, when the answer contains a CNAME or DNAME [RFC6672] record. (4) Otherwise, update the value of CHILD by adding the next relevant label or labels from QNAME to the start of CHILD. The number of labels to add is discussed in Section 2.3. (5) Look for a cache entry for the RRset at CHILD with the original QTYPE. If the cached response code is NXDOMAIN and the resolver has support for [RFC8020], the NXDOMAIN can be used in response to the original query, and stop. If the cached response code is NOERROR (including NODATA), go back to step 3. If the cached response code is NXDOMAIN and the resolver does not support [RFC8020], go back to step 3. (6) Query for CHILD with the selected QTYPE using one of ANCESTOR's name servers. The response can be: (6a) A referral. Cache the NS RRset from the authority section, and go back to step 1. (6b) A DNAME response. Proceed as if a DNAME is received for the original query. Start over from step 0 to resolve the new name based on the DNAME target. (6c) All other NOERROR answers (including NODATA). Cache this answer. Regardless of the answered RRset type, including CNAMEs, continue with the algorithm from step 3 by building the original QNAME. (6d) An NXDOMAIN response. If the resolver supports [RFC8020], return an NXDOMAIN response to the original query, and stop. If the resolver does not support [RFC8020], go to step 3. (6e) A timeout or response with another RCODE. The implementation may choose to retry step 6 with a different ANCESTOR name server. 4. QNAME Minimisation Examples As a first example, assume that a resolver receives a request to resolve foo.bar.baz.example. Assume that the resolver already knows that ns1.nic.example is authoritative for .example and that the resolver does not know a more specific authoritative name server. It will send the query with QNAME=baz.example and the QTYPE selected to hide the original QTYPE to ns1.nic.example. +=======+=================+=========================+======+ | QTYPE | QNAME | TARGET | NOTE | +=======+=================+=========================+======+ | MX | a.b.example.org | root name server | | +-------+-----------------+-------------------------+------+ | MX | a.b.example.org | org name server | | +-------+-----------------+-------------------------+------+ | MX | a.b.example.org | example.org name server | | +-------+-----------------+-------------------------+------+ Table 1: Cold Cache, Traditional Resolution Algorithm without QNAME Minimisation, Request for MX Record of a.b.example.org The following are more detailed examples of requests for an MX record of a.b.example.org with QNAME minimisation, using A QTYPE to hide the original QTYPE and using other names and authoritative servers: +=======+=================+=========================+============+ | QTYPE | QNAME | TARGET | NOTE | +=======+=================+=========================+============+ | A | org | root name server | | +-------+-----------------+-------------------------+------------+ | A | example.org | org name server | | +-------+-----------------+-------------------------+------------+ | A | b.example.org | example.org name server | | +-------+-----------------+-------------------------+------------+ | A | a.b.example.org | example.org name server | "a" may be | | | | | delegated | +-------+-----------------+-------------------------+------------+ | MX | a.b.example.org | example.org name server | | +-------+-----------------+-------------------------+------------+ Table 2: Cold Cache with QNAME Minimisation Note that, in the above example, one query would have been saved if the incoming QTYPE was the same as the QTYPE selected by the resolver to hide the original QTYPE. Only one query for a.b.example.org would have been needed if the original QTYPE would have been A. Using the most-used QTYPE to hide the original QTYPE therefore slightly reduces the number of outgoing queries compared to using any other QTYPE to hide the original QTYPE. +=======+=================+=========================+============+ | QTYPE | QNAME | TARGET | NOTE | +=======+=================+=========================+============+ | A | example.org | org name server | | +-------+-----------------+-------------------------+------------+ | A | b.example.org | example.org name server | | +-------+-----------------+-------------------------+------------+ | A | a.b.example.org | example.org name server | "a" may be | | | | | delegated | +-------+-----------------+-------------------------+------------+ | MX | a.b.example.org | example.org name server | | +-------+-----------------+-------------------------+------------+ Table 3: Warm Cache with QNAME Minimisation 5. Performance Considerations The main goal of QNAME minimisation is to improve privacy by sending less data. However, it may have other advantages. For instance, if a resolver sends a root name server queries for A.example followed by B.example followed by C.example, the result will be three NXDOMAINs, since .example does not exist in the root zone. When using QNAME minimisation, the resolver would send only one question (for .example itself) to which they could answer NXDOMAIN. The resolver can cache this answer and use it to prove that nothing below .example exists [RFC8020]. A resolver now knows a priori that neither B.example nor C.example exist. Thus, in this common case, the total number of upstream queries under QNAME minimisation could be counterintuitively less than the number of queries under the traditional iteration (as described in the DNS standard). QNAME minimisation can increase the number of queries based on the incoming QNAME. This is described in Section 2.3. As described in [devries-qnamemin], QNAME minimisation both increases the number of DNS lookups by up to 26% and leads to up to 5% more failed lookups. Filling the cache in a production resolver will soften that overhead. 6. Security Considerations QNAME minimisation's benefits are clear in the case where you want to decrease exposure of the queried name to the authoritative name server. But minimising the amount of data sent also, in part, addresses the case of a wire sniffer as well as the case of privacy invasion by the authoritative name servers. Encryption is of course a better defense against wire sniffers, but, unlike QNAME minimisation, it changes the protocol and cannot be deployed unilaterally. Also, the effect of QNAME minimisation on wire sniffers depends on whether the sniffer is on the DNS path. QNAME minimisation offers no protection against the recursive resolver, which still sees the full request coming from the stub resolver. A resolver using QNAME minimisation can possibly be used to cause a query storm to be sent to servers when resolving queries containing a QNAME with a large number of labels, as described in Section 2.3. That section proposes methods to significantly dampen the effects of such attacks. 7. References 7.1. Normative References [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, . [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, July 2013, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, January 2019, . 7.2. Informative References [apnic-qnamemin] Huston, G. and J. Damas, "Measuring Query Name Minimization", September 2020, . [devries-qnamemin] de Vries, W., Scheitle, Q., Müller, M., Toorop, W., Dolmans, R., and R. van Rijswijk-Deij, "A First Look at QNAME Minimization in the Domain Name System", March 2019, . [dnsthought-qnamemin] "Qname Minimisation", October 2021, . [Huque-QNAME-Min] Huque, S., "Query name minimization and authoritative server behavior", May 2015, . [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, . [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the DNS", RFC 6672, DOI 10.17487/RFC6672, June 2012, . [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, April 2013, . [RFC7816] Bortzmeyer, S., "DNS Query Name Minimisation to Improve Privacy", RFC 7816, DOI 10.17487/RFC7816, March 2016, . [RFC8020] Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is Nothing Underneath", RFC 8020, DOI 10.17487/RFC8020, November 2016, . [RFC8198] Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198, July 2017, . [RFC9076] Wicinski, T., Ed., "DNS Privacy Considerations", RFC 9076, DOI 10.17487/RFC9076, July 2021, . [verisign-qnamemin] Thomas, M., "Maximizing Qname Minimization: A New Chapter in DNS Protocol Evolution", September 2020, . Acknowledgments The acknowledgments from RFC 7816 apply here. In addition, many participants from the DNSOP Working Group helped with proposals for simplification, clarification, and general editorial help. Authors' Addresses Stephane Bortzmeyer AFNIC 1, rue Stephenson 78180 Montigny-le-Bretonneux France Phone: +33 1 39 30 83 46 Email: bortzmeyer+ietf@nic.fr URI: https://www.afnic.fr/ Ralph Dolmans NLnet Labs Email: ralph@nlnetlabs.nl Paul Hoffman ICANN Email: paul.hoffman@icann.org