An End-to-End, Large-Scale Measurement of DNS-over-Encryption

Lü, C.; Liu, Baojun; Zhou, Li; Hao, Shuang; Duan, Haixin; Zhang, Mingming; Leng, Chunying; Liu, Ying; Zhang, Zaifeng; Wu, Jianping

doi:10.1145/3355369.3355580

Cited by 81 publications

(57 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They find that despite higher response times, page load times for DoT and DoH can be faster than DNS on lossy networks. Lu et al utilized residential TCP SOCKS networks to measure response times from 166 countries and found that, in the median case with connection re-use, DoT and DoH were slower than conventional DNS over TCP by 9 ms and 6 ms, respectively [14].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Can Encrypted DNS Be Fast?

Hounsel

Schmitt

Borgolte

et al. 2021

Passive and Active Measurement

View full text Add to dashboard Cite

In this paper, we study the performance of encrypted DNS protocols and conventional DNS from thousands of home networks in the United States, over one month in 2020. We perform these measurements from the homes of 2,693 participating panelists in the Federal Communications Commission’s (FCC) Measuring Broadband America program. We found that clients do not have to trade DNS performance for privacy. For certain resolvers, DoT was able to perform faster than DNS in median response times, even as latency increased. We also found significant variation in DoH performance across recursive resolvers. Based on these results, we recommend that DNS clients (e.g., web browsers) should periodically conduct simple latency and response time measurements to determine which protocol and resolver a client should use. No single DNS protocol nor resolver performed the best for all clients.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Past work has shown that typical DoT and DoH query response times are typically marginally slower than DNS [3,9,14]. However, these measurements were performed from university networks, proxy networks, and cloud data centers, rather than directly from homes.…”

Section: Introductionmentioning

confidence: 99%

Can Encrypted DNS Be Fast?

Hounsel

Schmitt

Borgolte

et al. 2021

Passive and Active Measurement

View full text Add to dashboard Cite

show abstract

“…Moura et al [71] shows that 30% of the DNS queries to their studied '.nz' and '.nl' country code Top Level Domains (ccTLDs) are generated by the recursive resolvers, which resided in 5 top cloud providers. Lu et al [63] also found an increasing pattern in using DoT and DoH with public resolvers. As such, public recursive resolvers, which are neither in the clients' local networks nor their ISPs, form a significant portion of DNS queries over the Internet.…”

Section: Stage-1mentioning

confidence: 90%

“…DoT is a relatively new DNS scheme, which has been deployed by large public DNS resolvers (e.g., Google, 1 Cloudflare, and Comcast [32]). Previous research [63] showed that the number of DoT clients was increasing during their research period. Transferring DNS messages over secure TLS sessions adds new TLS-related vulnerabilities to the DNS ecosystem.…”

Section: Problem Statementmentioning

confidence: 98%

“…Lu et al [63] briefly evaluated DNS-over-Encryption (DoE) protocols-the general class of protocols designed to secure the stub-to-recursive resolver communication, including DoT and DoH. They [63] provided a multi-aspect comparative assessment of DoE protocols, and evaluated security of each aspect using two parameters, namely "Uses standard TLS" and "Resists DNS traffic analysis". They showed that during their research period, the number of clients that adopted DoT and DoH, using public resolvers (e.g., Google and Cloudflare) had increased [63].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Survey And Evaluation of Secure-DNS Alternatives Through Passive Measurements

jahromi¹

View full text Add to dashboard Cite

As security was not among the original DNS design goals, over ten secure-DNS schemes have been proposed to improve security and privacy during the name resolution process.One of the schemes is DNS-over-TLS (DoT), which relies on the Internet's PKI for establishing trust in recursive resolvers. The security research community has studied and improved security shortcomings in the web certificate ecosystem. DoT's certificates, on the other hand, have not been investigated comprehensively. This thesis analyzes the certificate ecosystem of DoT in comparison to HTTPS. The results are so far promising, as they show that DoT appears to have benefited from the PKI security advancements that were designed for HTTPS. The thesis then surveys secure-DNS schemes, and presents an evaluation framework to assess their security, availability, privacy, and anonymity benefits. Our evaluation illustrates that none of the DNS schemes secures the complete path of the domain name resolution. All rated schemes provide only partial security benefits in specific domain name resolution stages. The results shed light on the challenges of designing a comprehensive and widely-deployable secure-DNS scheme to secure the complete name resolution path.However, as some schemes can be combined, their resultant benefits can address individual shortcomings.

show abstract

Detection of NAT64/DNS64 by SRV Records: Detection Using Global DNS Tree in the World Beyond Plain-Text DNS

Hunek

Pliva

2020

Computer Networks

View full text Add to dashboard Cite

An End-to-End, Large-Scale Measurement of DNS-over-Encryption

Cited by 81 publications

References 10 publications

Can Encrypted DNS Be Fast?

Can Encrypted DNS Be Fast?

Survey And Evaluation of Secure-DNS Alternatives Through Passive Measurements

Detection of NAT64/DNS64 by SRV Records: Detection Using Global DNS Tree in the World Beyond Plain-Text DNS

Contact Info

Product

Resources

About