Encrypting DNS Zone Transfers

By the Brave Web Standards Team

This is the fifth in a series of ongoing blog posts on Brave’s participation in standards bodies. This post is written by Shivan Kaul Sahib, Privacy PM and Engineer, and Pete Snyder, Director of Privacy and Senior Privacy Researcher.

Brave, along with a team of DNS experts from the industry and open source communities, recently helped publish an IETF standard (RFC 9103) to fix a long-standing privacy and security hole in the DNS.

The Domain Name System (DNS), the system the browser uses to translate human-readable names into machine-understandable IP addresses, has received scrutiny from the security and privacy community over the last few years. Traditionally, DNS messages were transmitted in cleartext, making them susceptible to surveillance and machine-in-the-middle attacks. The standardization of DNS over Transport Layer Security (TLS) and later DNS over HTTPS improved query privacy, but some DNS transactions still happen in cleartext. Until recently, that included DNS zone transfers.

A zone is a portion of the DNS namespace managed by a specific administrator. Zone transfers occur when DNS primary servers send zone updates to secondaries; this replicates the zone across multiple servers for reasons such as reliability. DNS zones today often contain data that the zone owner has good reason to want to keep private. For example, the contents of the zone could include sensitive corporate information or personal names used in hostnames. In 2008, a court in North Dakota, USA ruled that performing a zone transfer as an outsider was a violation of North Dakota laws. Given the privacy-sensitive nature of zone contents, keeping zone transfers private has been an open problem because no standard existed for doing so.

That changes with RFC 9103, which was recently published as an IETF Standards Track document. RFC 9103 specifies the use of TLS 1.3 as a transport layer for transferring DNS zone data, for both full and incremental zone transfers. There is already implementer interest in RFC 9103: ISC BIND 9.17 and NSD 4.3.7 include support for zone transfers over TLS.
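To make the change concrete, here is what moving a zone transfer from cleartext to TLS looks like in BIND. This is an added example written for this post, not configuration from the RFC or from ISC; it assumes BIND 9.18 `named.conf` syntax (the post names 9.17 as the first release with support), and all hostnames, addresses, paths and the TSIG secret are placeholders.

```conf
// Added example (not from the original post). Two named.conf
// fragments, one per server; BIND 9.18 syntax is assumed, and every
// name, address and path below is a placeholder.

// ---- Primary: ns1.example.com (192.0.2.1) ----
tls xot-server {
    key-file  "/etc/bind/tls/ns1.key";     // server private key
    cert-file "/etc/bind/tls/ns1.crt";     // certificate for ns1.example.com
};

key "xfer-key" {                           // TSIG still authenticates the secondary
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

options {
    listen-on port 53 { any; };                    // ordinary queries
    listen-on port 853 tls xot-server { any; };    // DNS over TLS for transfers
};

zone "example.com" {
    type primary;
    file "/var/lib/bind/example.com.zone";
    // Legacy setting: authenticated by TSIG, but the whole zone
    // crosses the network in cleartext over TCP port 53.
    // allow-transfer { key xfer-key; };
    // RFC 9103 setting: answer AXFR/IXFR only when the request
    // arrived over TLS on port 853, and still require the TSIG key.
    allow-transfer port 853 transport tls { key xfer-key; };
};

// ---- Secondary (198.51.100.2) ----
tls xot-client {
    remote-hostname "ns1.example.com";     // name the primary's cert must match
    ca-file "/etc/ssl/certs/ca-certificates.crt";   // trust anchors used to verify it
};

zone "example.com" {
    type secondary;
    file "/var/cache/bind/example.com.zone";
    // Legacy setting: primaries { 192.0.2.1 key xfer-key; };
    // RFC 9103 setting: connect to port 853, verify the server
    // certificate via the xot-client profile, sign with TSIG.
    primaries { 192.0.2.1 port 853 key xfer-key tls xot-client; };
};
```

With `ca-file` and `remote-hostname` set on the secondary, a transfer that fails certificate verification is refused rather than silently downgraded, which is the behaviour to check for in the secondary's logs after deployment.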

Brave’s goal is to improve privacy on the internet. Encrypted DNS zone transfers are an important part of the overall DNS privacy picture, and a private DNS means a private internet. While the main way Brave advances privacy is through the Brave browser, we also help maintain open source privacy-protecting software and publish research on Web privacy; standards work in the IETF and W3C is another way Brave is trying to improve privacy for everyone, by making sure that widely-deployed internet standards respect privacy by default.
