Project Description
DNS is the canonical example of a connectionless, single packet,
request/response protocol, with UDP as its dominant transport. Yet DNS today is
challenged by eavesdropping that compromises privacy, source address spoofing
that results in denial-of-service (DoS) attacks on the server and third
parties, injection attacks that exploit fragmentation, and size limitations
that constrain policy and operational choices.
We propose T-DNS to address these problems. It uses TCP to smoothly support
large payloads and to mitigate the spoofing and amplification behind DoS
attacks, and it uses transport-layer security (TLS) to provide privacy from
users to their DNS resolvers and, optionally, to authoritative servers.
People
- John Heidemann, PI on this project, project leader and professor (USC/ISI)
Alumni
- Zi Hu, USC CS MS graduate (2014) (USC CS Dept. and ISI)
- Allison Mankin, researcher (Salesforce)
- Duane Wessels, collaborating researcher (Verisign Labs)
- Liang Zhu, USC CS PhD graduate (2018) (USC CS Dept. and ISI)
Publications
- Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels and P. Hoffman 2016. Specification for DNS over Transport Layer Security (TLS). RFC 7858. Internet Request For Comments. [DOI] [PDF] Details
- Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2016. T-DNS: Connection-Oriented DNS to Improve Privacy and Security (poster abstract). Technical Report ISI-TR-2016-706. USC/Information Sciences Institute. [PDF] Details
- Zi Hu, Liang Zhu, John Heidemann, Allison Mankin, Duane Wessels and Paul Hoffman 2015. TLS for DNS: Initiation and Performance Considerations, draft-ietf-dprive-start-tls-for-dns-00. IETF Internet Draft. [PDF] Details
- Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2015. Connection-Oriented DNS to Improve Privacy and Security. Proceedings of the 36th IEEE Symposium on Security and Privacy (San Jose, California, USA, May 2015), 171–186. [DOI] [PDF] [Dataset] Details
- Liang Zhu, Duane Wessels, Allison Mankin and John Heidemann 2015. Measuring DANE TLSA Deployment. Proceedings of the 7th IEEE International Workshop on Traffic Monitoring and Analysis (Barcelona, Spain, Apr. 2015), 219–232. [DOI] [PDF] Details
- Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2015. Connection-Oriented DNS to Improve Privacy and Security (extended). Technical Report ISI-TR-2015-695. USC/Information Sciences Institute. [PDF] Details
- Liang Zhu, Zi Hu and John Heidemann 2015. Evaluation of Future DNSSEC Response Sizes at a Root and a TLD Server. [PDF] Details
- Liang Zhu, Duane Wessels, Allison Mankin and John Heidemann 2014. Measuring DANE TLSA Deployment. Presentation at DNS-OARC Fall Workshop. [PDF] Details
- Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2014. T-DNS: Connection-Oriented DNS to Improve Privacy and Security (extended). Technical Report ISI-TR-2014-693. USC/Information Sciences Institute. [PDF] Details
- John Heidemann 2014. T-DNS: Connection-Oriented DNS to Improve Privacy and Security. Presentation at the Spring DNS-OARC Meeting. [PDF] Details
- Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2014. T-DNS: Connection-Oriented DNS to Improve Privacy and Security. Technical Report ISI-TR-2014-688. USC/Information Sciences Institute. [PDF] Details
Software
- digit: Digit is a client query tool for T-DNS (DNS with TCP and TLS), designed to measure performance.
- tdns-client-proxy: Tdns-client-proxy is a client-side proxy for DNS, designed to run on a local machine; it accepts DNS over UDP and forwards it privately over T-DNS to a remote recursive resolver.
- tdns-server-proxy: Tdns-server-proxy is a server-side proxy for DNS. It listens for incoming private T-DNS (TCP and TLS) and turns it back into UDP queries to a local DNS resolver.
- T-DNS support for unbound patch: Unbound patches add STARTTLS handling to incoming Unbound queries (but not to outgoing T-DNS).
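As an added example (not the project's tdns-client-proxy, digit, or any other code from this page), the following Python sketch shows the architecture that the project description and the tdns-client-proxy entry outline: accept a DNS query over UDP, prefix it with the two-byte length that DNS uses over TCP, send it across a certificate-verified TLS connection to a remote recursive resolver, and relay the matching answer back over UDP. The upstream resolver name is a placeholder you must set; port 853 is the DNS-over-TLS port assigned by RFC 7858 (listed in the publications above); the sample query is constructed for the example.

```python
"""Minimal UDP-to-DNS-over-TLS forwarder (added example, not project code).

Assumes an upstream recursive resolver that speaks DNS over TLS on port 853
(RFC 7858). UPSTREAM_HOST is a placeholder, not a real service.
"""
import socket
import ssl
import struct

UPSTREAM_HOST = "dot.resolver.example"  # placeholder: set to your resolver
UPSTREAM_PORT = 853                     # DNS-over-TLS port per RFC 7858

# Constructed sample query: ID 0x1234, RD set, one question for example.com A.
SAMPLE_QUERY = (
    bytes.fromhex("1234 0100 0001 0000 0000 0000")
    + b"\x07example\x03com\x00"  # QNAME
    + b"\x00\x01\x00\x01"        # QTYPE A, QCLASS IN
)


def frame_tcp(message: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length (DNS over TCP)."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(message)) + message


def unframe_tcp(stream: bytes):
    """Split a TCP byte stream into complete DNS messages.

    Returns (messages, leftover); leftover is a partial trailing message that
    needs more bytes before it can be decoded. TCP gives no message
    boundaries, so a reader must never assume one recv() is one message.
    """
    messages = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages, stream[pos:]


def message_id(message: bytes) -> int:
    """Return the 16-bit transaction ID from the DNS header."""
    return struct.unpack("!H", message[:2])[0]


def matches_query(query: bytes, response: bytes) -> bool:
    """Accept a response only if it has a full header, the same ID, and QR set."""
    if len(response) < 12:
        return False
    return message_id(query) == message_id(response) and (response[2] & 0x80) != 0


def build_tls_context() -> ssl.SSLContext:
    """Client context that verifies the resolver's certificate chain and name."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def forward_over_tls(query: bytes, host=UPSTREAM_HOST, port=UPSTREAM_PORT) -> bytes:
    """Send one DNS query over TLS and return the response that matches it."""
    ctx = build_tls_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_tcp(query))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the connection")
                buf += chunk
                msgs, buf = unframe_tcp(buf)
                for m in msgs:
                    if matches_query(query, m):
                        return m


def serve_udp(listen=("127.0.0.1", 5353)):
    """Accept UDP queries from local stub resolvers and relay answers back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        query, client = sock.recvfrom(65535)
        try:
            sock.sendto(forward_over_tls(query), client)
        except (OSError, ssl.SSLError) as exc:
            print(f"forwarding failed: {exc}")


if __name__ == "__main__":
    serve_udp()
```

Run it and point a stub resolver at 127.0.0.1:5353. Two simplifications separate this sketch from a production proxy: it opens a fresh TCP and TLS handshake for every query, whereas the point of a connection-oriented design is to keep a persistent connection to the resolver and reuse it across queries, and it relays responses over UDP unchanged, whereas a real proxy must truncate (setting TC) any answer larger than the client's UDP payload limit.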
See also the ANT software web page and Verisign T-DNS tools.