Connection-Oriented DNS to Improve Privacy and Security (extended). Zhu, L., Hu, Z., Heidemann, J., Wessels, D., Mankin, A., & Somaiya, N. Technical Report ISI-TR-2015-695, USC/Information Sciences Institute, February, 2015.
Connection-Oriented DNS to Improve Privacy and Security (extended) [link]Paper  abstract   bibtex   
The Domain Name System (DNS) seems ideal for connectionless UDP, yet this choice results in challenges of eavesdropping that compromises privacy, source-address spoofing that simplifies denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and reply-size limits that constrain key sizes and policy choices. We propose \emphT-DNS to address these problems. It uses TCP to smoothly support large payloads and to mitigate spoofing and amplification for DoS\@. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. TCP and TLS are hardly novel, and expectations about DNS suggest connections will balloon client latency and overwhelm server with state. Our contribution is to show that T-DNS significantly improves security and privacy: TCP prevents denial-of-service (DoS) amplification against others, reduces the effects of DoS on the server, and simplifies policy choices about key size. TLS protects against eavesdroppers to the recursive resolver. Our second contribution is to show that with careful implementation choices, these benefits come at only modest cost: end-to-end latency from \emphTLS to the recursive resolver is only about 9% slower when UDP is used to the authoritative server, and 22% slower with TCP to the authoritative. With diverse traces we show that connection reuse can be frequent (60–95% for stub and recursive resolvers, although half that for authoritative servers), and after connection establishment, experiments show that TCP and TLS latency is equivalent to UDP\@. With conservative timeouts (20\,s at authoritative servers and 60\,s elsewhere) and estimated per-connection memory, we show that \emphserver memory requirements match current hardware: a large recursive resolver may have 24k active connections requiring about 3.6\,GB additional RAM\@. Good performance requires key design and implementation decisions we identify: query pipelining, out-of-order responses, TCP fast-open and TLS connection resumption, possible. and plausible timeouts.
@TechReport{Zhu15c,
	author = 	"Liang Zhu and Zi Hu and John Heidemann and
 Duane Wessels and Allison Mankin and Nikita Somaiya",
	title = "Connection-Oriented {DNS} to Improve Privacy
                  and Security (extended)",
	institution = 	"USC/Information Sciences Institute",
	year = 		2015,
	sortdate = 		"2015-02-01",
	project = "ant, retrofuture, lacrend, tdns",
	jsubject = "dns",
	number =	"ISI-TR-2015-695",
	month =		feb,
	jlocation =	"johnh: pafile",
	keywords = 	"DNS, privacy, t-dns, dns-over-tcp, dns-over-tls",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Zhu15c.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Zhu15c.pdf",
	otherurl = "http://www.isi.edu/publications/trpublic/files/tr-695.pdf",
	myorganization =	"USC/Information Sciences Institute",
	copyrightholder = "authors",
	datasetlurl = 	"https://ant.isi.edu/datasets/all.html",
	codeurl = 	"https://ant.isi.edu/software/tdns/index.html",
	abstract = "
The Domain Name System (DNS) seems ideal for connectionless UDP, yet
this choice results in challenges of eavesdropping that compromises
privacy, source-address spoofing that simplifies denial-of-service
(DoS) attacks on the server and third parties, injection attacks that
exploit fragmentation, and reply-size limits that constrain key sizes
and policy choices.  We propose \emph{T-DNS} to address these
problems.  It uses TCP to smoothly support large payloads and to
mitigate spoofing and amplification for DoS\@.  T-DNS uses
transport-layer security (TLS) to provide privacy from users to their
DNS resolvers and optionally to authoritative servers.  TCP and TLS
are hardly novel, and expectations about DNS suggest connections will
balloon client latency and overwhelm server with state.  Our
contribution is to show that T-DNS significantly improves security and
privacy:  TCP prevents denial-of-service (DoS) amplification against
others, reduces the effects of DoS on the server, and simplifies
policy choices about key size.  TLS protects against eavesdroppers to
the recursive resolver.  Our second contribution is to show that with
careful implementation choices, these benefits come at only modest
cost:  end-to-end latency from \emph{TLS to the recursive resolver is
only about 9\% slower} when UDP is used to the authoritative server,
and 22\% slower with TCP to the authoritative.  With diverse traces we
show that connection reuse can be frequent (60--95\% for stub and
recursive resolvers, although half that for authoritative servers),
and after connection establishment, experiments show that TCP and TLS
latency is equivalent to UDP\@.  With conservative timeouts (20\,s at
authoritative servers and 60\,s elsewhere) and estimated
per-connection memory, we show that \emph{server memory requirements
match current hardware}:  a large recursive resolver may have 24k
active connections requiring about 3.6\,GB additional RAM\@.  Good
performance requires key design and implementation decisions we
identify:  query pipelining, out-of-order responses, TCP fast-open and
TLS connection resumption, 
possible.  and plausible timeouts.
",
}

Downloads: 0