T-DNS: Connection-Oriented DNS to Improve Privacy and Security (abstract with poster)
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya
USC/Information Sciences Institute

Citation

Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya. T-DNS: Connection-Oriented DNS to Improve Privacy and Security (abstract with poster). Technical Report ISI-TR-2016-706. USC/Information Sciences Institute. [PDF] [alt PDF]

Abstract

DNS is the canonical protocol for connectionless UDP. Yet DNS today is challenged by eavesdropping that compromises privacy, source-address spoofing that results in denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and size limitations that constrain policy and operational choices. We propose T-DNS to address these problems. It uses TCP to smoothly support large payloads and to mitigate spoofing and amplification for DoS. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. Expectations about DNS suggest connections will balloon client latency and overwhelm servers with state, but our evaluation shows costs are modest: end-to-end latency from TLS to the recursive resolver is only about 9% slower with UDP to the authoritative server, and 22% slower with TCP to the authoritative. With diverse traces we show that frequent connection reuse is possible (60–95% for stub and recursive resolvers, although half that for authoritative servers), and after connection establishment, we show TCP and TLS latency is equivalent to UDP. With conservative timeouts (20 s at authoritative servers and 60 s elsewhere) and conservative estimates of connection state memory requirements, we show that server memory requirements match current hardware: a large recursive resolver may have 24k active connections requiring about 3.6 GB additional RAM. We identify the key design and implementation decisions needed to minimize overhead: query pipelining, out-of-order responses, TLS connection resumption, and plausible timeouts.
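Two of the overhead-minimizing decisions named above, query pipelining and out-of-order responses, as an added Python example that is not code from the paper or its authors: queries are framed with the 2-byte length prefix DNS uses over TCP, several are pipelined on one connection, and a constructed stand-in server answers them in reverse order so the client must match responses by message ID rather than by arrival position. The server and query names are constructed for the example; `unframe` also handles the partial reads a TCP stream can deliver.

```python
import struct

def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: header (RD set, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def pipeline(msgs) -> bytes:
    """Pipelining: write several framed messages back-to-back without waiting for answers."""
    return b"".join(frame(m) for m in msgs)

def unframe(stream: bytes):
    """Split a TCP byte stream into complete DNS messages; return (messages, unread tail)."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:      # partial read: keep the tail for the next recv()
            break
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream

def msg_id(msg: bytes) -> int:
    return struct.unpack("!H", msg[:2])[0]

def fake_server(stream: bytes) -> bytes:
    """Constructed stand-in for a connection-oriented server that answers out of order:
    responses echo the question with QR/RD/RA set and no answer records, reversed."""
    queries, _ = unframe(stream)
    responses = [struct.pack("!HHHHHH", msg_id(q), 0x8180, 1, 0, 0, 0) + q[12:]
                 for q in reversed(queries)]
    return pipeline(responses)

def match_responses(queries, stream: bytes):
    """Client side: pair each response with its outstanding query by ID, whatever the order.
    Returns (matched {id: response}, still-pending {id: query})."""
    pending = {msg_id(q): q for q in queries}
    matched = {}
    for resp in unframe(stream)[0]:
        qid = msg_id(resp)
        if qid in pending:           # responses for IDs we never sent are dropped
            matched[qid] = resp
            del pending[qid]
    return matched, pending
```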

Bibtex Citation

@techreport{Zhu16b,
  author = {Zhu, Liang and Hu, Zi and Heidemann, John and Wessels, Duane and Mankin, Allison and Somaiya, Nikita},
  title = {T-DNS: Connection-Oriented DNS to Improve Privacy and
                    Security (abstract with poster)},
  institution = {USC/Information Sciences Institute},
  year = {2016},
  sortdate = {2016-03-08},
  project = {ant, retrofuture, lacrend, tdns},
  jsubject = {dns},
  number = {ISI-TR-2016-706},
  month = mar,
  jlocation = {johnh: pafile},
  keywords = {DNS, privacy, t-dns, dns-over-tcp, dns-over-tls},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Zhu16b.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Zhu16b.pdf},
  otherurl = {https://ant.isi.edu/publications/trpublic/files/tr-706.pdf},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {authors}
}
Copyright © by John Heidemann