ABSTRACT
DNS is a vital component for almost every networked application. Originally it was designed as an unencrypted protocol, making user security a concern. DNS-over-HTTPS (DoH) is the latest proposal to make name resolution more secure.
In this paper we study the current DNS-over-HTTPS ecosystem, especially the cost of the additional security. We start by surveying the current DoH landscape by assessing standard compliance and supported features of public DoH servers. We then compare different transports for secure DNS, to highlight the improvements DoH makes over its predecessor, DNS-over-TLS (DoT). These improvements explain in part the significantly larger take-up of DoH in comparison to DoT.
Finally, we quantify the overhead incurred by the additional layers of the DoH transport and their impact on web page load times. We find that these overheads only have limited impact on page load times, suggesting that it is possible to obtain the improved security of DoH with only marginal performance impact.
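To make the "additional layers" of the DoH transport concrete, here is an added example (not the paper's measurement code) that builds an RFC 8484 request in both the GET and POST forms, parses a constructed DoH response in wire format, and counts how many request bytes the HTTP framing adds over the raw UDP payload. The server host `doh.example` and the response bytes are constructed placeholders; TLS record and handshake costs are not modelled.

```python
import base64
import struct

# Placeholder resolver endpoint (assumption, not a real server).
DOH_HOST = "doh.example"
DOH_PATH = "/dns-query"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 wire-format query with the RD flag set.
    RFC 8484 (section 4.1) says DoH clients SHOULD use ID 0 so that
    HTTP caches can serve identical queries from cache."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: the DNS message is base64url-encoded without '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def decode_doh_get_param(param: str) -> bytes:
    """Server side: re-pad the dns= parameter and decode it back to wire format."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_get_request(host: str, path: str, query: bytes) -> bytes:
    """HTTP/1.1 request bytes for the GET form (no TLS framing counted)."""
    url = doh_get_url(path, query)
    return (f"GET {url} HTTP/1.1\r\nHost: {host}\r\n"
            f"Accept: application/dns-message\r\n\r\n").encode("ascii")


def doh_post_request(host: str, path: str, query: bytes) -> bytes:
    """HTTP/1.1 request bytes for the POST form: raw DNS message as body."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Accept: application/dns-message\r\n"
            f"Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n").encode("ascii")
    return head + query


def transport_sizes(query: bytes) -> dict:
    """Bytes on the wire per request form, before TCP/TLS overhead."""
    return {
        "udp_payload": len(query),
        "doh_get": len(doh_get_request(DOH_HOST, DOH_PATH, query)),
        "doh_post": len(doh_post_request(DOH_HOST, DOH_PATH, query)),
    }


def _read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_response(data: bytes):
    """Return (rcode, [(name, ttl, ipv4)]) for the A records in a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0xF, answers


# Constructed response: NOERROR, one A record for example.com -> 192.0.2.1
# (TEST-NET address), name compressed with a pointer to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(doh_get_url(f"https://{DOH_HOST}{DOH_PATH}", q))
    print(transport_sizes(q))
    print(parse_dns_response(SAMPLE_RESPONSE))
```

The size dictionary only counts HTTP framing; the paper's point is that the TLS handshake and HTTP/2 connection reuse dominate, so the per-query byte overhead shown here is the smaller part of the cost.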
An Empirical Study of the Cost of DNS-over-HTTPS