T-DNS: Connection-Oriented DNS to Improve Privacy and Security

T-DNS: Connection-Oriented DNS to Improve Privacy and Security. Heidemann, J. Presentation at the Spring DNS-OARC Meeting, May, 2014. This talk is about the technical report ISI-TR-2014-688, joint work with Liang Zhu, Zi Hu, duane Wessels, Allison Mankin, and Nikita Somaiya

Paper abstract bibtex

This talk will discuss \emphconnection-oriented DNS to improve DNS security and privacy. DNS is the canonical example of a connectionless, single packet, request/response protocol, with UDP as its dominant transport. Yet DNS today is challenged by eavesdropping that compromises privacy, source-address spoofing that results in denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and size limitations that constrain policy and operational choices. We propose \empht-DNS to address these problems: it uses TCP to smoothly support large payloads and mitigate spoofing and amplification for DoS. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. \newline ∈dent Traditional wisdom is that connection setup will balloon latency for clients and overwhelm servers. We provide data to show that these assumptions are overblown—our model of end-to-end latency shows \emphTLS to the recursive resolver is only about 5–24% slower, with UDP to the authoritative server. End-to-end latency is 19–33% slower with TLS to recursive and TCP to authoritative. Experiments behind these models show that after connection establishment, TCP and TLS latency is equivalent to UDP. Using diverse trace data we show that frequent connection reuse is possible (60–95% for stub and recursive resolvers, although half that for authoritative servers). With conservative timeouts (20 s at authoritative servers and 60 s elsewhere) we show that \emphserver memory requirements match current hardware: a large recursive resolver may have 25k active connections consuming about 9 GB of RAM. These results depend on specific design and implementation decisions—query pipelining, out-of-order responses, TLS connection resumption, and plausible timeouts. \newline ∈dent We hope to solicit feedback from the OARC community about this work to understand design and operational concerns if T-DNS deployment was widespread. The work in the talk is by Liang Zhu, Zi Hu, and John Heidemann (all of USC/ISI), Duane Wessels and Allison Mankin (both of Verisign), and Nikita Somaiya (USC/ISI). \newline ∈dent A technical report describing the work is at ˘rlhttps://ant.isi.edu/%7ejohnh/PAPERS/Zhu14a.pdf and the protocol changes are described as ˘rlhttp://datatracker.ietf.org/doc/draft-hzhwm-start-tls-for-dns/.

@Misc{Heidemann14c,
	author = 	"John Heidemann",
	title = 	"T-DNS: Connection-Oriented {DNS} to Improve Privacy and Security",
	howpublished = "Presentation at the Spring DNS-OARC Meeting",
	month = 	may,
	year = 	2014,
	sortdate = 	"2014-05-01",
	project = "ant, lacrend, tdns",
	jsubject = "dns",
	jlocation = 	"johnh: pafile",
	keywords = 	"based on [Zhu14a]",
	note = "This talk is about the technical report
                  ISI-TR-2014-688, joint work with Liang Zhu, Zi Hu,
                  duane Wessels, Allison Mankin, and Nikita Somaiya",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann14c.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann14c.pdf",
	myorganization =	"USC/Information Sciences Institute",
	copyrightholder = "authors",
	blogurl = "https://ant.isi.edu/blog/?p=491",
	abstract = "
This talk will discuss \emph{connection-oriented DNS} to improve DNS
security and privacy.  DNS is the canonical example of a
connectionless, single packet, request/response protocol, with UDP as
its dominant transport.  Yet DNS today is challenged by eavesdropping
that compromises privacy, source-address spoofing that results in
denial-of-service (DoS) attacks on the server and third parties,
injection attacks that exploit fragmentation, and size limitations
that constrain policy and operational choices.  We propose \emph{t-DNS} 
to address these problems:  it uses TCP to smoothly
support large payloads and mitigate spoofing and amplification for
DoS.  T-DNS uses transport-layer security (TLS) to provide privacy
from users to their DNS resolvers and optionally to authoritative
servers.  \newline \indent
Traditional wisdom is that connection setup will balloon latency for
clients and overwhelm servers.  We provide data to show that these
assumptions are overblown---our model of end-to-end latency shows
\emph{TLS to the recursive resolver is only about 5--24\% slower}, with
UDP to the authoritative server.  End-to-end latency is 19--33\% slower
with TLS to recursive and TCP to authoritative.  Experiments behind
these models show that after connection establishment, TCP and TLS
latency is equivalent to UDP.  Using diverse trace data we show that
frequent connection reuse is possible (60--95\% for stub and recursive
resolvers, although half that for authoritative servers).  With
conservative timeouts (20 s at authoritative servers and 60 s
elsewhere) we show that \emph{server memory requirements match current
hardware}:  a large recursive resolver may have 25k active connections
consuming about 9 GB of RAM.  These results depend on specific
design and implementation decisions---query pipelining, out-of-order
responses, TLS connection resumption, and plausible timeouts.  \newline \indent
We hope to solicit feedback from the OARC community about this work to
understand design and operational concerns if T-DNS deployment was
widespread.  The work in the talk is by Liang Zhu, Zi Hu, and John Heidemann
(all of USC/ISI), Duane Wessels and Allison Mankin (both of Verisign),
and Nikita Somaiya (USC/ISI).    \newline \indent
A technical report describing the work is
at \url{https://ant.isi.edu/%7ejohnh/PAPERS/Zhu14a.pdf}
and the protocol changes are described 
as \url{http://datatracker.ietf.org/doc/draft-hzhwm-start-tls-for-dns/}.
",
}


%	correcttitle = 	"{Internet} Populations (Good and Bad): Measurement, Estimation, and Correlation",

Downloads: 0

{"_id":"gmctehiEoq63xemme","bibbaseid":"heidemann-tdnsconnectionorienteddnstoimproveprivacyandsecurity-2014","author_short":["Heidemann, J."],"bibdata":{"bibtype":"misc","type":"misc","author":[{"firstnames":["John"],"propositions":[],"lastnames":["Heidemann"],"suffixes":[]}],"title":"T-DNS: Connection-Oriented DNS to Improve Privacy and Security","howpublished":"Presentation at the Spring DNS-OARC Meeting","month":"May","year":"2014","sortdate":"2014-05-01","project":"ant, lacrend, tdns","jsubject":"dns","jlocation":"johnh: pafile","keywords":"based on [Zhu14a]","note":"This talk is about the technical report ISI-TR-2014-688, joint work with Liang Zhu, Zi Hu, duane Wessels, Allison Mankin, and Nikita Somaiya","url":"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann14c.html","pdfurl":"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann14c.pdf","myorganization":"USC/Information Sciences Institute","copyrightholder":"authors","blogurl":"https://ant.isi.edu/blog/?p=491","abstract":"This talk will discuss \\emphconnection-oriented DNS to improve DNS security and privacy. DNS is the canonical example of a connectionless, single packet, request/response protocol, with UDP as its dominant transport. Yet DNS today is challenged by eavesdropping that compromises privacy, source-address spoofing that results in denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and size limitations that constrain policy and operational choices. We propose \\empht-DNS to address these problems: it uses TCP to smoothly support large payloads and mitigate spoofing and amplification for DoS. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. \\newline ∈dent Traditional wisdom is that connection setup will balloon latency for clients and overwhelm servers. We provide data to show that these assumptions are overblown—our model of end-to-end latency shows \\emphTLS to the recursive resolver is only about 5–24% slower, with UDP to the authoritative server. End-to-end latency is 19–33% slower with TLS to recursive and TCP to authoritative. Experiments behind these models show that after connection establishment, TCP and TLS latency is equivalent to UDP. Using diverse trace data we show that frequent connection reuse is possible (60–95% for stub and recursive resolvers, although half that for authoritative servers). With conservative timeouts (20 s at authoritative servers and 60 s elsewhere) we show that \\emphserver memory requirements match current hardware: a large recursive resolver may have 25k active connections consuming about 9 GB of RAM. These results depend on specific design and implementation decisions—query pipelining, out-of-order responses, TLS connection resumption, and plausible timeouts. \\newline ∈dent We hope to solicit feedback from the OARC community about this work to understand design and operational concerns if T-DNS deployment was widespread. The work in the talk is by Liang Zhu, Zi Hu, and John Heidemann (all of USC/ISI), Duane Wessels and Allison Mankin (both of Verisign), and Nikita Somaiya (USC/ISI). \\newline ∈dent A technical report describing the work is at ˘rlhttps://ant.isi.edu/%7ejohnh/PAPERS/Zhu14a.pdf and the protocol changes are described as ˘rlhttp://datatracker.ietf.org/doc/draft-hzhwm-start-tls-for-dns/. ","bibtex":"@Misc{Heidemann14c,\n\tauthor = \t\"John Heidemann\",\n\ttitle = \t\"T-DNS: Connection-Oriented {DNS} to Improve Privacy and Security\",\n\thowpublished = \"Presentation at the Spring DNS-OARC Meeting\",\n\tmonth = \tmay,\n\tyear = \t2014,\n\tsortdate = \t\"2014-05-01\",\n\tproject = \"ant, lacrend, tdns\",\n\tjsubject = \"dns\",\n\tjlocation = \t\"johnh: pafile\",\n\tkeywords = \t\"based on [Zhu14a]\",\n\tnote = \"This talk is about the technical report\n ISI-TR-2014-688, joint work with Liang Zhu, Zi Hu,\n duane Wessels, Allison Mankin, and Nikita Somaiya\",\n\turl =\t\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann14c.html\",\n\tpdfurl =\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann14c.pdf\",\n\tmyorganization =\t\"USC/Information Sciences Institute\",\n\tcopyrightholder = \"authors\",\n\tblogurl = \"https://ant.isi.edu/blog/?p=491\",\n\tabstract = \"\nThis talk will discuss \\emph{connection-oriented DNS} to improve DNS\nsecurity and privacy. DNS is the canonical example of a\nconnectionless, single packet, request/response protocol, with UDP as\nits dominant transport. Yet DNS today is challenged by eavesdropping\nthat compromises privacy, source-address spoofing that results in\ndenial-of-service (DoS) attacks on the server and third parties,\ninjection attacks that exploit fragmentation, and size limitations\nthat constrain policy and operational choices. We propose \\emph{t-DNS} \nto address these problems: it uses TCP to smoothly\nsupport large payloads and mitigate spoofing and amplification for\nDoS. T-DNS uses transport-layer security (TLS) to provide privacy\nfrom users to their DNS resolvers and optionally to authoritative\nservers. \\newline \\indent\nTraditional wisdom is that connection setup will balloon latency for\nclients and overwhelm servers. We provide data to show that these\nassumptions are overblown---our model of end-to-end latency shows\n\\emph{TLS to the recursive resolver is only about 5--24\\% slower}, with\nUDP to the authoritative server. End-to-end latency is 19--33\\% slower\nwith TLS to recursive and TCP to authoritative. Experiments behind\nthese models show that after connection establishment, TCP and TLS\nlatency is equivalent to UDP. Using diverse trace data we show that\nfrequent connection reuse is possible (60--95\\% for stub and recursive\nresolvers, although half that for authoritative servers). With\nconservative timeouts (20 s at authoritative servers and 60 s\nelsewhere) we show that \\emph{server memory requirements match current\nhardware}: a large recursive resolver may have 25k active connections\nconsuming about 9 GB of RAM. These results depend on specific\ndesign and implementation decisions---query pipelining, out-of-order\nresponses, TLS connection resumption, and plausible timeouts. \\newline \\indent\nWe hope to solicit feedback from the OARC community about this work to\nunderstand design and operational concerns if T-DNS deployment was\nwidespread. The work in the talk is by Liang Zhu, Zi Hu, and John Heidemann\n(all of USC/ISI), Duane Wessels and Allison Mankin (both of Verisign),\nand Nikita Somaiya (USC/ISI). \\newline \\indent\nA technical report describing the work is\nat \\url{https://ant.isi.edu/%7ejohnh/PAPERS/Zhu14a.pdf}\nand the protocol changes are described \nas \\url{http://datatracker.ietf.org/doc/draft-hzhwm-start-tls-for-dns/}.\n\",\n}\n\n\n%\tcorrecttitle = \t\"{Internet} Populations (Good and Bad): Measurement, Estimation, and Correlation\",\n","author_short":["Heidemann, J."],"bibbaseid":"heidemann-tdnsconnectionorienteddnstoimproveprivacyandsecurity-2014","role":"author","urls":{"Paper":"https://ant.isi.edu/%7ejohnh/PAPERS/Heidemann14c.html"},"keyword":["based on [Zhu14a]"],"metadata":{"authorlinks":{}}},"bibtype":"misc","biburl":"https://bibbase.org/f/dHevizJoWEhWowz8q/johnh-2023-2.bib","dataSources":["YLyu3mj3xsBeoqiHK","fLZcDgNSoSuatv6aX","fxEParwu2ZfurScPY","7nuQvtHTqKrLmgu99"],"keywords":["based on [zhu14a]"],"search_terms":["dns","connection","oriented","dns","improve","privacy","security","heidemann"],"title":"T-DNS: Connection-Oriented DNS to Improve Privacy and Security","year":2014}