T-DNS: Connection-Oriented DNS to Improve Privacy and Security (abstract with poster)
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya
USC/Information Sciences Institute
Citation
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya. T-DNS: Connection-Oriented DNS to Improve Privacy and Security (abstract with poster). Technical Report ISI-TR-2016-706. USC/Information Sciences Institute.
Abstract
DNS is the canonical protocol for connectionless UDP. Yet DNS today is challenged by eavesdropping that compromises privacy, source-address spoofing that results in denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and size limitations that constrain policy and operational choices. We propose T-DNS to address these problems. It uses TCP to smoothly support large payloads and to mitigate spoofing and amplification for DoS. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. Expectations about DNS suggest connections will balloon client latency and overwhelm servers with state, but our evaluation shows costs are modest: end-to-end latency from TLS to the recursive resolver is only about 9% slower with UDP to the authoritative server, and 22% slower with TCP to the authoritative. With diverse traces we show that frequent connection reuse is possible (60–95% for stub and recursive resolvers, although half that for authoritative servers), and after connection establishment, we show TCP and TLS latency is equivalent to UDP. With conservative timeouts (20 s at authoritative servers and 60 s elsewhere) and conservative estimates of connection state memory requirements, we show that server memory requirements match current hardware: a large recursive resolver may have 24k active connections requiring about 3.6 GB additional RAM. We identify the key design and implementation decisions needed to minimize overhead: query pipelining, out-of-order responses, TLS connection resumption, and plausible timeouts.
Bibtex Citation
@techreport{Zhu16b,
  author = {Zhu, Liang and Hu, Zi and Heidemann, John and Wessels, Duane and Mankin, Allison and Somaiya, Nikita},
  title = {T-DNS: Connection-Oriented DNS to Improve Privacy and Security (abstract with poster)},
  institution = {USC/Information Sciences Institute},
  year = {2016},
  sortdate = {2016-03-08},
  project = {ant, retrofuture, lacrend, tdns},
  jsubject = {dns},
  number = {ISI-TR-2016-706},
  month = mar,
  jlocation = {johnh: pafile},
  keywords = {DNS, privacy, t-dns, dns-over-tcp, dns-over-tls},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Zhu16b.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Zhu16b.pdf},
  otherurl = {https://ant.isi.edu/publications/trpublic/files/tr-706.pdf},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {authors}
}
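Two of the design decisions the abstract names, query pipelining over one TCP connection and out-of-order responses matched back to their queries, as an added Python example that is not part of the paper or its software. It uses the two-byte length framing DNS already has over TCP (RFC 1035) and builds both the queries and the constructed sample responses inline, so it runs offline; matching on ID plus question section is an assumption of this example, not a claim about T-DNS's implementation.

```python
import struct

def build_query(qid, name, qtype=1):
    """Minimal DNS query in RFC 1035 wire format: 12-byte header + one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # QTYPE, QCLASS=IN

def fake_response(query):
    """Constructed response for testing: same ID and question, QR bit set, no records."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HH", qid, 0x8180) + query[4:]        # QR=1 RD=1 RA=1

def frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def pipeline(queries):
    """Pipelining: write all queries back-to-back on one connection, no waiting."""
    return b"".join(frame(q) for q in queries)

def unframe(stream):
    """Split a TCP byte stream into whole messages; return (messages, leftover)."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break                      # partial message: keep bytes, wait for more
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream

def match_responses(pending, stream):
    """Out-of-order responses: pair each response with its pending query by ID and
    question section, so the reply to query 3 may legitimately arrive before 1."""
    answered = {}
    msgs, leftover = unframe(stream)
    for m in msgs:
        qid, flags = struct.unpack("!HH", m[:4])
        q = pending.get(qid)
        if q is None or not flags & 0x8000 or m[12:] != q[12:]:
            continue                   # unknown ID, not a response, or question mismatch
        answered[qid] = pending.pop(qid)
    return answered, leftover
```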