T-DNS: DNS over TCP and TLS

Project Description

DNS is the canonical example of a connectionless, single packet, request/response protocol, with UDP as its dominant transport. Yet DNS today is challenged by eavesdropping that compromises privacy, source address spoofing that results in denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and size limitations that constrain policy and operational choices.

We propose t-DNS to address these problems: it combines TCP to smoothly support large payloads and mitigate spoofing and amplification for DoS. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers.

People

  • John Heidemann, PI on this project, project leader and professor (USC/ISI)

Alumni

Publications

  • Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels and P. Hoffman 2016. Specification for DNS over Transport Layer Security (TLS) . Technical Report 7858. Internet Request For Comments. [DOI] [PDF] Details
  • Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2016. T-DNS: Connection-Oriented DNS to Improve Privacy and Security (poster abstract). Technical Report ISI-TR-2016-706. USC/Information Sciences Institute. [PDF] Details
  • Zi Hu, Liang Zhu, John Heidemann, Allison Mankin, Duane Wessels and Paul Hoffman 2015. TLS for DNS: Initiation and Performance Considerations, draft-ietf-dprive-start-tls-for-dns-00. IETF Internet Draft. [PDF] Details
  • Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2015. Connection-Oriented DNS to Improve Privacy and Security. Proceedings of the 36thIEEE Symposium on Security and Privacy (San Jose, Californa, USA, May 2015), 171–186. [DOI] [PDF] [Code] [Dataset] Details
  • Liang Zhu, Duane Wessels, Allison Mankin and John Heidemann 2015. Measuring DANE TLSA Deployment. Proceedings of the 7th IEEE International Workshop on Traffic Monitoring and Analysis (Barcelona, Spain, Apr. 2015), 219–232. [DOI] [PDF] [Code] Details
  • Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2015. Connection-Oriented DNS to Improve Privacy and Security (extended). Technical Report ISI-TR-2015-695. USC/Information Sciences Institute. [PDF] [Code] Details
  • Liang Zhu, Zi Hu and John Heidemann 2015. Evaluation of Future DNSSEC Response Sizes at a Root and a TLD Server. [PDF] Details
  • Liang Zhu, Duane Wessels, Allison Mankin and John Heidemann 2014. Measuring DANE TLSA Deployment. Presentation at DNS-OARC Fall Workshop. [PDF] Details
  • Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2014. T-DNS: Connection-Oriented DNS to Improve Privacy and Security (extended). Technical Report ISI-TR-2014-693. USC/Information Sciences Institute. [PDF] [Code] Details
  • John Heidemann 2014. T-DNS: Connection-Oriented DNS to Improve Privacy and Security. Presentation at the Spring DNS-OARC Meeting. [PDF] Details
  • Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2014. T-DNS: Connection-Oriented DNS to Improve Privacy and Security. Technical Report ISI-TR-2014-688. USC/Information Sciences Institute. [PDF] Details

Software

  • digit Digit is a client query tool for T-DNS (DNS with TCP and TLS), designed to measure performance.
  • tdns-client-proxy Tdns-client-proxy is a client-side proxy for DNS, designed to run on a computer taking UDP in and sending it privately with T-DNS to a remote recursive resolver
  • tdns-server-proxy Tdns-server-proxy is a server-side proxy for DNS. It listens to incoming private T-DNS (with TCP and TLS) and turns it back into UDP queries to a local DNS resolver
  • T-DNS support for unbound patch Unbound patches add STARTTLS handling to incoming unbound queries (but not outgoing T-DNS)

See also the ANT software web page and Verisign T-DNS tools.