An Empirical Study of the Cost of DNS-over-HTTPS
DNS is a vital component for almost every networked application. Originally
it was designed as an unencrypted protocol, making user security a concern.
DNS-over-HTTPS (DoH) is the latest proposal to make name resolution more
secure. In this paper we study the current DNS-over-HTTPS ecosystem, especially
the cost of the additional security. We start by surveying the current DoH
landscape by assessing standard compliance and supported features of public DoH
servers. We then compare different transports for secure DNS, to highlight the
improvements DoH makes over its predecessor, DNS-over-TLS (DoT). These
improvements explain in part the significantly larger take-up of DoH in
comparison to DoT. Finally, we quantify the overhead incurred by the additional
layers of the DoH transport and their impact on web page load times. We find
that these overheads only have limited impact on page load times, suggesting
that it is possible to obtain the improved security of DoH with only marginal
performance impact.
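The "additional layers" the abstract above refers to are HTTP and TLS wrapped around an ordinary DNS wire-format message. As an added example (not code from the paper, and not a DoH client library), the block below shows what a DoH client actually sends and receives under RFC 8484 using only the Python standard library: the query is built with ID 0 so identical queries produce identical, HTTP-cacheable GET URLs, the `dns=` parameter is base64url without padding, and the answer is parsed including name compression pointers. The resolver URL `https://dns.example/dns-query` and the response bytes are constructed for the example.

```python
"""RFC 8484 DNS-over-HTTPS message handling with the Python standard library.
Added example; the resolver URL and SAMPLE_RESPONSE are constructed, not captured."""
import base64
import struct
from urllib.parse import urlencode

TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Hostname to DNS wire format: length-prefixed labels plus the root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, qid=0):
    """DNS query message. RFC 8484 section 4.1 recommends ID 0 so repeated queries for
    the same name are byte-identical (cacheable). Flags 0x0100 = RD (recursion desired)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(base_url, query):
    """GET form: wire message in the dns= parameter, base64url without padding (sec. 6)."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return base_url + "?" + urlencode({"dns": token})


def doh_post(query):
    """POST form: the raw wire message is the body, typed application/dns-message."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, query


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past the field)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                       # field ends after the first pointer
            hops += 1
            if hops > 64 or pointer >= offset:         # pointers must go backwards: no loops
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(data):
    """Return (rcode, [(name, type, ttl, rdata)]); A records are rendered as dotted quads."""
    if len(data) < 12:
        raise ValueError("truncated header")
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):                                # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x000F, answers


# Constructed response: flags 0x8180 (QR, RD, RA), one question, one A answer whose
# owner name is a compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://dns.example/dns-query", q))
    print(parse_response(SAMPLE_RESPONSE))
```

The transport cost the paper measures sits entirely outside this code: the bytes above are what rides inside the TLS record and HTTP framing, and a real client would send the GET or POST over a persistent HTTP/2 connection so that the TCP and TLS handshakes are paid once rather than per query.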
K-resolver: Towards Decentralizing Encrypted DNS Resolution
Centralized DNS over HTTPS/TLS (DoH/DoT) resolution, which has started being
deployed by major hosting providers and web browsers, has sparked controversy
among Internet activists and privacy advocates due to several privacy concerns.
This design decision causes the trace of all DNS resolutions to be exposed to a
third-party resolver, different than the one specified by the user's access
network. In this work we propose K-resolver, a DNS resolution mechanism that
disperses DNS queries across multiple DoH resolvers, reducing the amount of
information about a user's browsing activity exposed to each individual
resolver. As a result, none of the resolvers can learn a user's entire web
browsing history. We have implemented a prototype of our approach for Mozilla
Firefox, and used it to evaluate the performance of web page load time compared
to the default centralized DoH approach. While our K-resolver mechanism has
some effect on DNS resolution time and web page load time, we show that this is
mainly due to the geographical location of the selected DoH servers. When more
well-provisioned anycast servers are available, our approach incurs negligible
overhead while improving user privacy.
Comment: NDSS Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) 202
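The dispersion idea above can be made concrete with a small client-side selection rule. The block below is an added example and not the K-resolver prototype: the rule it uses (a salted hash of the registrable domain selects one of K resolvers) is an assumption chosen to illustrate the property the abstract describes, the resolver URLs are placeholders, and the registrable-domain helper is a deliberately crude stand-in for a Public Suffix List lookup.

```python
"""Dispersing DNS queries across K DoH resolvers. Added example, not the paper's code:
the selection rule, the resolver URLs, the salt and the browsing history are assumptions."""
import hashlib

# Hypothetical resolver set; any RFC 8484 endpoints would do.
RESOLVERS = ["https://doh-a.example/dns-query",
             "https://doh-b.example/dns-query",
             "https://doh-c.example/dns-query"]


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. A real client should consult the Public
    Suffix List; this simplification mishandles suffixes such as co.uk."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def pick_resolver(host, resolvers=RESOLVERS, salt=b"per-client-secret"):
    """Map a hostname to exactly one resolver.

    Keying on the registrable domain keeps a site's subdomains at the same resolver,
    so each resolver sees whole sites but only a 1/K share of them. The salt stands in
    for a per-client random value (fixed here so the example is deterministic): with it,
    a resolver cannot reproduce a given user's mapping from the domain name alone."""
    digest = hashlib.sha256(salt + registrable_domain(host).encode("ascii")).digest()
    return resolvers[int.from_bytes(digest[:8], "big") % len(resolvers)]


def resolver_views(history, resolvers=RESOLVERS, salt=b"per-client-secret"):
    """What each resolver learns from a browsing history: a set of registrable domains."""
    views = {r: set() for r in resolvers}
    for host in history:
        views[pick_resolver(host, resolvers, salt)].add(registrable_domain(host))
    return views


# Constructed browsing history (not data from the paper).
HISTORY = ["www.news-site.example", "cdn.news-site.example", "mail.webmail.example",
           "bank.example", "login.bank.example", "shop.example", "img.shop.example",
           "forum.example", "video.example", "health.example", "maps.example",
           "social.example"]

if __name__ == "__main__":
    for resolver, domains in resolver_views(HISTORY).items():
        print(resolver, sorted(domains))
```

Two caveats a deployment would have to handle that this sketch does not: a page's third-party subresources live under other registrable domains and so go to other resolvers, which is what makes the per-resolver view partial, but it also means one page load opens connections to several resolvers; and the per-resolver latency the abstract mentions depends on which K endpoints are chosen, not on the selection rule.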
Measuring the global recursive DNS infrastructure: a view from the edge
The Domain Name System (DNS) is one of the most critical Internet subsystems. While the
majority of ISPs deploy and operate their own DNS infrastructure, many end users resort to third-party DNS
providers with hopes of enhancing their privacy, security, and web performance. However, bad user choices
and the uneven geographical deployment of DNS providers could render insecure and inefficient DNS
configurations for millions of users. In this paper, we propose a novel and flexible measurement method to
(1) study the infrastructure of recursive DNS resolvers, including both ISP's and third-party DNS providers'
deployment strategies; and (2) study end-user DNS choices, both in a timely manner and at a global scale. For
that, we leverage the outreach capacity of online advertising networks to distribute lightweight JavaScript-based
DNS measurement scripts. To showcase the potential of our technique, we launch two separate ad
campaigns that triggered more than 3M DNS lookups, which allow us to identify and study more than
76k recursive DNS resolvers giving support to more than 25k eyeball ASes in 178 countries. The analysis
of the data offers new insights into the DNS infrastructure, such as user preferences towards third-party
DNS providers (namely, Google, OpenDNS, Level3, and Cloudflare recursive DNS resolvers account for
~13% of the total DNS requests triggered by our campaigns), and into deployment decisions of many ISPs
providing both mobile and fixed access networks to separate the DNS infrastructure serving each type of
access technology.
This work was supported in part by the Spanish Grant TIN2017-88749-R (DiscoEdge), in part by the Region of Madrid EdgeData-CM
Program under Grant P2018/TCS-4499, in part by the Ministerio de Economía y Empresa, Spain, under Project TEC2016-76795-C6-3-R
and Grant RyC-2015-17732, and in part by the European H2020 Project SMOOTH under Grant 786741.
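The measurement technique above works because a resolver, not the user's browser, is what the authoritative nameserver sees. The block below is an added example reconstructing the server-side half of such a campaign; it is not the authors' code and its method is an assumption: the ad script requests a hostname carrying a token unique to that impression under a zone the measurer controls, beacons the token together with the client's network details, and the authoritative log for that zone is later joined on the token to learn which resolver IPs served each client. The zone `probe.example`, the log format, all addresses, the prefix-to-ASN table and the provider egress prefixes are constructed.

```python
"""Joining ad-delivered probes with the authoritative DNS log. Added example; the method
is a reconstruction and every address, prefix, ASN and log line below is constructed."""
import ipaddress
from collections import defaultdict

PROBE_ZONE = "probe.example"

# Hypothetical egress prefixes of third-party resolvers. Caveat: what an authoritative
# server sees is a provider's egress address, which is generally not its advertised
# anycast service address, so a real table must come from provider data or measurement.
PROVIDER_PREFIXES = {
    "ProviderA": [ipaddress.ip_network("203.0.113.0/26")],
    "ProviderB": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed prefix-to-ASN table standing in for a real IP-to-AS dataset.
ASN_OF_PREFIX = {
    ipaddress.ip_network("192.0.2.0/25"): 64500,
    ipaddress.ip_network("192.0.2.128/25"): 64501,
    ipaddress.ip_network("203.0.113.0/24"): 64510,
    ipaddress.ip_network("198.51.100.0/24"): 64511,
}

# Constructed: what the ad beacon reported for each impression.
IMPRESSIONS = [
    {"token": "t1", "client": "192.0.2.10", "asn": 64500, "cc": "ES"},
    {"token": "t2", "client": "192.0.2.77", "asn": 64500, "cc": "ES"},
    {"token": "t3", "client": "192.0.2.200", "asn": 64501, "cc": "DE"},
    {"token": "t4", "client": "192.0.2.201", "asn": 64501, "cc": "DE"},
    {"token": "t5", "client": "192.0.2.33", "asn": 64500, "cc": "ES"},  # never resolved
]

# Constructed authoritative query log, one "<epoch> <resolver-ip> <qname>" per line.
AUTH_LOG = """1700000000 203.0.113.5 t1.probe.example
1700000000 203.0.113.9 t1.probe.example
1700000001 192.0.2.1 t2.probe.example
1700000002 198.51.100.40 t3.probe.example
1700000003 192.0.2.129 t4.probe.example
1700000004 203.0.113.5 zz.other.example
"""


def parse_auth_log(text):
    """token -> set of resolver IPs that asked the authoritative server for it."""
    seen = defaultdict(set)
    suffix = "." + PROBE_ZONE
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, resolver, qname = parts
        qname = qname.rstrip(".").lower()
        if not qname.endswith(suffix):
            continue                                   # not one of our probes
        token = qname[:-len(suffix)]
        if not token or "." in token:
            continue                                   # expect exactly one token label
        seen[token].add(resolver)
    return seen


def asn_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_OF_PREFIX.items():
        if addr in net:
            return asn
    return None


def classify(resolver_ip, impression):
    """Provider name, 'ISP' when the resolver sits in the client's own AS, else 'other'."""
    addr = ipaddress.ip_address(resolver_ip)
    for name, nets in PROVIDER_PREFIXES.items():
        if any(addr in net for net in nets):
            return name
    return "ISP" if asn_of(resolver_ip) == impression["asn"] else "other"


def join_views(impressions, seen):
    """Per impression: resolver IPs observed and their classes. An impression with no
    matching query (blocked script, lost packet, unexpected caching) stays unresolved."""
    rows = []
    for imp in impressions:
        resolvers = sorted(seen.get(imp["token"], ()))
        rows.append({"token": imp["token"], "asn": imp["asn"], "cc": imp["cc"],
                     "resolvers": resolvers,
                     "classes": sorted({classify(r, imp) for r in resolvers})})
    return rows


def third_party_share(rows):
    """Fraction of resolved impressions whose lookup reached a non-ISP resolver."""
    resolved = [r for r in rows if r["resolvers"]]
    if not resolved:
        return 0.0
    return sum(1 for r in resolved if any(c != "ISP" for c in r["classes"])) / len(resolved)
```

Token t1 being asked for by two different addresses is the normal case for large resolvers, whose frontends fan queries out to several egress machines, so counting distinct resolver IPs overstates the number of resolvers; grouping egress addresses by provider, as `classify` does, is the step that turns raw log lines into the per-provider shares the abstract reports.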
Measuring DoH with web ads
In this paper we present a large measurement study of the performance impact of adopting HTTPS as a transport for the DNS protocol (DoH) with public resolvers, compared to the existing approach of sending DNS queries over an unencrypted transport to the resolver services provided locally by ISPs. Using web ads as the means to execute our tests, we perform over 42 million measurements from more than 4 million vantage points distributed in 32 countries and served by over 2,500 ISPs. We find that the median resolution time increases by 17 ms when using DoH with Cloudflare, 41 ms when using DoH with Quad9, 68 ms when using DoH with Google and 170 ms when using DoH with DNS.SB, compared to using Do53 with the local resolver for a non-cached name. We find similar increases even when using caching. The results presented in the paper contribute to the ongoing discussion of the tradeoffs involved in the combined adoption of public resolvers and DoH.
This work has been partially funded by the Internet Society (ISOC), the EU through the 5G-VINNI project (GA-815279) and the Madrid Government (Comunidad de Madrid-Spain) under the Multiannual Agreement with UC3M in the line of Excellence of University Professors (EPUC3M21), and in the context of the V PRICIT (Regional Programme of Research and Technological Innovation). Funding for APC: Universidad Carlos III de Madrid (Read & Publish Agreement CRUE-CSIC 2022).
On Cross-Layer Interactions of QUIC, Encrypted DNS and HTTP/3: Design, Evaluation and Dataset
Every Web session involves a DNS resolution. While, in the last decade, we
witnessed a promising trend towards an encrypted Web in general, DNS encryption
has only recently gained traction with the standardisation of DNS over TLS
(DoT) and DNS over HTTPS (DoH). Meanwhile, the rapid rise of QUIC deployment
has now opened up an exciting opportunity to utilise the same protocol to not
only encrypt Web communications, but also DNS. In this paper, we evaluate this
benefit of using QUIC to coalesce name resolution via DNS over QUIC (DoQ), and
Web content delivery via HTTP/3 (H3) with 0-RTT. We compare this scenario using
several possible combinations where H3 is used in conjunction with DoH and DoQ,
as well as the unencrypted DNS over UDP (DoUDP). We observe that when using H3
1-RTT, page load times with DoH can get inflated by 30% over fixed-line and
by 50% over mobile when compared to unencrypted DNS with DoUDP. However,
this cost of encryption can be drastically reduced when encrypted connections
are coalesced (DoQ + H3 0-RTT), thereby reducing the page load times by 1/3
over fixed-line and 1/2 over mobile, overall making connection coalescing with
QUIC the best option for encrypted communication on the Internet.
Comment: 15 pages, 12 figures and 2 tables
Assessing the Privacy Benefits of Domain Name Encryption
As Internet users have become more savvy about the potential for their
Internet communication to be observed, the use of network traffic encryption
technologies (e.g., HTTPS/TLS) is on the rise. However, even when encryption is
enabled, users leak information about the domains they visit via DNS queries
and via the Server Name Indication (SNI) extension of TLS. Two recent proposals
to ameliorate this issue are DNS over HTTPS/TLS (DoH/DoT) and Encrypted SNI
(ESNI). In this paper we aim to assess the privacy benefits of these proposals
by considering the relationship between hostnames and IP addresses, the latter
of which are still exposed. We perform DNS queries from nine vantage points
around the globe to characterize this relationship. We quantify the privacy
gain offered by ESNI for different hosting and CDN providers using two
different metrics, the k-anonymity degree due to co-hosting and the dynamics of
IP address changes. We find that 20% of the domains studied will not gain any
privacy benefit since they have a one-to-one mapping between their hostname and
IP address. On the other hand, 30% will gain a significant privacy benefit with
a k value greater than 100, since these domains are co-hosted with more than
100 other domains. Domains whose visitors' privacy will meaningfully improve
are far less popular, while for popular domains the benefit is not significant.
Analyzing the dynamics of IP addresses of long-lived domains, we find that only
7.7% of them change their hosting IP addresses on a daily basis. We conclude by
discussing potential approaches for website owners and hosting/CDN providers
for maximizing the privacy benefits of ESNI.
Comment: In Proceedings of the 15th ACM Asia Conference on Computer and
Communications Security (ASIA CCS '20), October 5-9, 2020, Taipei, Taiwan
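The two metrics the abstract above names can be computed from nothing more than a table of (day, hostname, resolved IP) observations. The block below is an added example and not the paper's code: the observations are constructed, and the definitions used (k for a host is the largest number of distinct hostnames sharing one of its IPs that day; churn is the share of hosts whose IP set differs between two days) are this editor's reading of the metrics the abstract describes.

```python
"""k-anonymity from co-hosting and day-to-day IP churn. Added example, not the paper's
code; OBSERVATIONS is constructed and the metric definitions are stated assumptions."""
from collections import defaultdict

# Constructed observations: (day, hostname, resolved IP). Three hosts share one CDN
# address, two share another, one is alone on its address, one changes address on day 2.
OBSERVATIONS = [
    (1, "alone.example", "192.0.2.10"),
    (1, "shop.example", "198.51.100.5"),
    (1, "blog.example", "198.51.100.5"),
    (1, "docs.example", "198.51.100.5"),
    (1, "news.example", "203.0.113.7"),
    (1, "wiki.example", "203.0.113.7"),
    (1, "moving.example", "203.0.113.20"),
    (2, "alone.example", "192.0.2.10"),
    (2, "shop.example", "198.51.100.5"),
    (2, "blog.example", "198.51.100.5"),
    (2, "docs.example", "198.51.100.5"),
    (2, "news.example", "203.0.113.7"),
    (2, "wiki.example", "203.0.113.7"),
    (2, "moving.example", "203.0.113.21"),
]


def hosts_per_ip(observations, day):
    """ip -> set of hostnames that resolved to it on the given day."""
    by_ip = defaultdict(set)
    for d, host, ip in observations:
        if d == day:
            by_ip[ip].add(host)
    return by_ip


def k_anonymity(observations, day):
    """k per host: the largest number of distinct hostnames (itself included) sharing
    one of the IPs it resolved to that day. k == 1 means the destination IP alone names
    the site, so hiding the hostname (encrypted DNS plus ESNI) gains nothing against an
    on-path observer; a large k means the IP only narrows the visit to a set of k sites."""
    k = defaultdict(int)
    for hosts in hosts_per_ip(observations, day).values():
        for h in hosts:
            k[h] = max(k[h], len(hosts))
    return dict(k)


def share_with_k(observations, day, predicate):
    """Fraction of hosts whose k satisfies predicate (e.g. lambda v: v == 1)."""
    k = k_anonymity(observations, day)
    return sum(1 for v in k.values() if predicate(v)) / len(k)


def ip_sets(observations, day):
    """hostname -> set of IPs it resolved to on the given day."""
    s = defaultdict(set)
    for d, host, ip in observations:
        if d == day:
            s[host].add(ip)
    return s


def churn_fraction(observations, day_a, day_b):
    """Fraction of hosts seen on both days whose IP set changed between them. Frequent
    change weakens an observer's ability to keep a stable IP-to-site mapping."""
    a, b = ip_sets(observations, day_a), ip_sets(observations, day_b)
    common = set(a) & set(b)
    return sum(1 for h in common if a[h] != b[h]) / len(common)


if __name__ == "__main__":
    print(k_anonymity(OBSERVATIONS, 1))
    print("no benefit (k=1):", share_with_k(OBSERVATIONS, 1, lambda v: v == 1))
    print("daily IP churn:", churn_fraction(OBSERVATIONS, 1, 2))
```

In a real data set the vantage point matters as much as the day: a CDN answers different client locations with different addresses, so k should be computed per vantage point before aggregating, which is why the paper queries from nine locations rather than one.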
On Performance Impact of DoH and DoT in Africa: Why a User's DNS choice matters
Internet security and Quality of Experience (QoE) are two antagonistic concepts that the research community has been attempting to reconcile. Internet security has of late received attention due to users' online privacy and security concerns. One example is the introduction of encrypted Domain Name System (DNS) protocols. These protocols, combined with suboptimal routing paths and offshore hosting, have the potential to negatively impact the quality of the web browsing experience for users in Africa. This is particularly the case in edge access networks that are far away from essential infrastructures such as DNS and content servers. In this paper, we analyse the QoE impact of using open public DoH and DoT resolvers when resolving websites that are hosted in Africa versus those hosted offshore. The study further compares the performance of DoT and DoH under different network conditions (mobile, community network, Eduroam and campus wired network). Our results show that high latency and circuitous DNS resolution paths amplify the performance impact of secure DNS protocols on DNS resolution time and page load time. The study further shows that users' DNS resolver preferences hugely determine the level of QoE. This study proposes wider adoption of Transport Layer Security version 1.3 (TLSv1.3) to leverage its latency-reduction features such as false start and Zero or One Round Trip Time (0/1-RTT). The study further proposes the localisation of content and secure DNS infrastructure. This, coupled with peering and cache sharing recommended by other works, will further minimise the impact of secure DNS protocols on Quality of Experience.