WebStandards@Brave

#5: Encrypting DNS Zone Transfers

This is the fifth in a series of ongoing blog posts on Brave’s participation in standards bodies. This post is written by Shivan Kaul Sahib, Privacy PM and Engineer, and Pete Snyder, Director of Privacy and Senior Privacy Researcher.

Brave, along with a team of DNS experts from the industry and open source communities, recently helped publish an IETF standard (RFC 9103) to fix a long-standing privacy and security hole in the DNS.

The Domain Name System (DNS) - the system the browser uses to translate human-readable names to machine-understandable IP addresses - has received scrutiny by the security and privacy community over the last few years. Traditionally, DNS messages were transmitted in cleartext, making them susceptible to surveillance and machine-in-the-middle attacks. The standardization of DNS over Transport Layer Security (TLS) and later DNS over HTTPS improved query privacy, but there are still some DNS transactions that happen over cleartext. Until recently, that included DNS zone transfers.

A zone is a portion of the DNS namespace managed by a specific administrator. Zone transfers occur when DNS primary servers send zone updates to secondaries; this replicates the zone across multiple servers for reasons of (for instance) reliability. DNS zones today often contain data that the zone owner has good reason to keep private. For example, the contents of a zone could include sensitive corporate information, or personal names used as hostnames. In 2008, a court in North Dakota, USA ruled that performing a zone transfer as an outsider was a violation of North Dakota law. Given the privacy-sensitive nature of zone contents, keeping zone transfers private has been an open problem, largely because no standard existed for doing so.

That changes with RFC 9103, which was recently published as an IETF Standards Track document. RFC 9103 specifies the use of TLS 1.3 as a transport layer for transferring DNS zone data, for both full and incremental zone transfers. There is already implementer interest in RFC 9103: ISC BIND 9.17 and NSD 4.3.7 include support for zone transfers over TLS.
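To make the change concrete, here is an added configuration sketch that is not from the post or from ISC: three BIND `named.conf` fragments placed side by side for comparison (they are not one valid file; the two primary-side zone definitions are alternatives, and the secondary fragment belongs on a different server). The first shows the traditional cleartext transfer, the other two the same zone replicated over TLS as RFC 9103 describes. Zone name, file paths, the `tls` block names and the 192.0.2.1 / 203.0.113.10 addresses are placeholders; the directive names follow the BIND 9.18 configuration syntax as the editor understands it and should be checked against the documentation of the installed version.

```conf
# Added example, not part of the original post or of BIND's own documentation.
# Placeholders: zone name, paths, tls block names, 192.0.2.1 (primary),
# 203.0.113.10 (secondary). Directive names follow BIND 9.18 syntax as the
# editor understands it; verify against your installed version's ARM.

# --- Before: AXFR/IXFR over plain TCP port 53 ---------------------------
# Everything on the path between primary and secondary can read the whole
# zone as it is replicated, and an overly broad allow-transfer list exposes
# the zone to any client that asks (the situation behind the 2008 case).
zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    allow-transfer { 203.0.113.10; };          # cleartext, secondary only
};

# --- After (primary side): transfers only over TLS 1.3 on port 853 -------
tls xfr-tls {
    cert-file "/etc/bind/tls/primary.crt";     # placeholder paths
    key-file  "/etc/bind/tls/primary.key";
    protocols { TLSv1.3; };                    # RFC 9103 requires TLS 1.3
};

listen-on port 853 tls xfr-tls { 192.0.2.1; };

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    # Accept transfer requests only from the secondary and only over TLS;
    # a cleartext request on port 53 from the same address is refused.
    allow-transfer port 853 transport tls { 203.0.113.10; };
};

# --- After (secondary side): pull the zone over TLS and authenticate ----
# the primary by CA and expected hostname, so a machine in the middle
# cannot serve a forged zone.
tls xfr-client {
    ca-file "/etc/bind/tls/ca.crt";            # placeholder path
    remote-hostname "ns1.example.com";         # name in the primary's cert
    protocols { TLSv1.3; };
};

zone "example.com" {
    type secondary;
    file "/var/named/secondary/example.com.db";
    primaries { 192.0.2.1 port 853 tls xfr-client; };
};
```

The point of the `ca-file` and `remote-hostname` lines on the secondary is that encryption alone only hides the zone in transit; verifying the primary's certificate is what stops a secondary from loading zone data from an impostor. A quick check after deploying is to confirm with packet capture or the server logs that transfers arrive on port 853 and that a plain port-53 AXFR request from the secondary's address is now refused.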

Brave’s goal is to improve privacy on the internet. Encrypted DNS zone transfers are an important part of the overall DNS privacy picture, and a private DNS means a private internet. While the main way Brave advances privacy is through the Brave browser, we also help maintain open source privacy-protecting software and publish research on Web privacy; standards work in the IETF and W3C is another way Brave is trying to improve privacy for everyone, by making sure that widely-deployed internet standards respect privacy by default.
