T-DNS: Connection-Oriented DNS to Improve Privacy and Security (poster abstract). Zhu, L., Hu, Z., Heidemann, J., Wessels, D., Mankin, A., & Somaiya, N. Technical Report ISI-TR-2016-706, USC/Information Sciences Institute, March, 2016.
DNS is the canonical protocol for connectionless UDP. Yet DNS today is challenged by eavesdropping that compromises privacy, source-address spoofing that results in denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and size limitations that constrain policy and operational choices. We propose T-DNS to address these problems. It uses TCP to smoothly support large payloads and to mitigate spoofing and amplification for DoS. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. Expectations about DNS suggest connections will balloon client latency and overwhelm servers with state, but our evaluation shows costs are modest: end-to-end latency from TLS to the recursive resolver is only about 9% slower with UDP to the authoritative server, and 22% slower with TCP to the authoritative. With diverse traces we show that frequent connection reuse is possible (60–95% for stub and recursive resolvers, although half that for authoritative servers), and after connection establishment, we show TCP and TLS latency is equivalent to UDP. With conservative timeouts (20 s at authoritative servers and 60 s elsewhere) and conservative estimates of connection state memory requirements, we show that server memory requirements match current hardware: a large recursive resolver may have 24k active connections requiring about 3.6 GB additional RAM. We identify the key design and implementation decisions needed to minimize overhead: query pipelining, out-of-order responses, TLS connection resumption, and plausible timeouts.
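Two of the overhead-minimizing decisions named in the abstract, query pipelining and out-of-order responses, depend on the client doing its own demultiplexing on the connection: with several queries in flight on one TCP (or TLS, which changes nothing about the framing) connection, each reply must be matched back to its query by transaction ID and question rather than by arrival order. The following is an added illustration, not code from the T-DNS paper or its authors. It implements the RFC 1035 two-byte length prefix used for DNS over TCP, builds standard queries, and shows a client that pipelines three queries in a single write and then correctly sorts out replies that arrive out of order, split across partial reads, and mixed with a stray reply whose ID it never issued. The "server" replies are constructed in memory (`fake_response` simply echoes the question with the QR bit and an RCODE set), and the sequential transaction IDs are an assumption for determinism, not a recommendation.

```python
"""DNS-over-TCP framing with pipelined queries and out-of-order replies.

Added example (not the T-DNS paper's code). Wire formats follow RFC 1035;
the response-matching rule (ID *and* question must agree) follows RFC 7766.
The server side is a constructed in-memory byte stream, so this runs offline.
"""
import struct


def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed name at msg[off:]; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard query, RD set, one question, class IN (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def tcp_frame(msg: bytes) -> bytes:
    """RFC 1035 section 4.2.2: on TCP each message is preceded by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


class PipelinedClient:
    """Outstanding queries on one connection, matched on ID + question."""

    def __init__(self):
        self.pending = {}      # txid -> (name, qtype)
        self.rxbuf = b""       # unconsumed bytes read from the socket
        self.next_id = 1       # sequential only for a deterministic demo (assumption)

    def query(self, name: str, qtype: int = 1) -> bytes:
        """Register a query and return the framed bytes to write to the socket."""
        txid = self.next_id
        self.next_id = (self.next_id + 1) & 0xFFFF
        self.pending[txid] = (name.lower(), qtype)
        return tcp_frame(build_query(txid, name, qtype))

    def feed(self, data: bytes):
        """Consume socket bytes; return (txid, name, rcode) for each matched reply."""
        self.rxbuf += data
        done = []
        while len(self.rxbuf) >= 2:
            (length,) = struct.unpack("!H", self.rxbuf[:2])
            if len(self.rxbuf) < 2 + length:
                break                      # partial frame: wait for more bytes
            msg, self.rxbuf = self.rxbuf[2:2 + length], self.rxbuf[2 + length:]
            hit = self._match(msg)
            if hit:
                done.append(hit)
        return done

    def _match(self, msg: bytes):
        txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
        if not flags & 0x8000 or qdcount != 1:
            return None                    # not a response, or malformed
        name, off = decode_name(msg, 12)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        if self.pending.get(txid) != (name.lower(), qtype):
            return None                    # unknown ID or question mismatch: drop
        del self.pending[txid]
        return (txid, name, flags & 0xF)   # low 4 bits of flags = RCODE


def fake_response(query_msg: bytes, rcode: int = 0) -> bytes:
    """Constructed stand-in for a server reply: echo the question, set QR/RD/RA + RCODE."""
    txid, _flags = struct.unpack("!HH", query_msg[:4])
    return struct.pack("!HH", txid, 0x8180 | rcode) + query_msg[4:]


def demo():
    """Pipeline three queries; replies come back out of order, in 7-byte chunks."""
    client = PipelinedClient()
    wire = b"".join(client.query(n) for n in ["example.com", "example.net", "example.org"])
    msgs, buf = [], wire                     # split the pipelined write as a server would
    while buf:
        (n,) = struct.unpack("!H", buf[:2])
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    stream = (tcp_frame(fake_response(msgs[2]))                      # id 3 first
              + tcp_frame(fake_response(msgs[0], rcode=3))           # id 1, NXDOMAIN
              + tcp_frame(fake_response(build_query(9, "evil.test")))  # never sent: dropped
              + tcp_frame(fake_response(msgs[1])))                   # id 2 last
    results = []
    for i in range(0, len(stream), 7):       # exercise partial reads across frame edges
        results += client.feed(stream[i:i + 7])
    return results


if __name__ == "__main__":
    print(demo())
```

The question check in `_match` is what makes accepting replies in any order safe: a reply carrying a known ID but a different question is discarded rather than delivered to the wrong waiter, which is the RFC 7766 matching rule and the reason the abstract's "out-of-order responses" do not reintroduce a confusion risk on a shared connection.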
@TechReport{Zhu16b,
	author = 	"Liang Zhu and Zi Hu and John Heidemann and
 Duane Wessels and Allison Mankin and Nikita Somaiya",
	title = "T-DNS: Connection-Oriented DNS to Improve Privacy and Security (poster abstract)",
	institution = 	"USC/Information Sciences Institute",
	year = 		2016,
	sortdate = 		"2016-03-08",
	project = "ant, retrofuture, lacrend, tdns",
	jsubject = "dns",
	number =	"ISI-TR-2016-706",
	month =		mar,
	jlocation =	"johnh: pafile",
	keywords = 	"DNS, privacy, t-dns, dns-over-tcp, dns-over-tls",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Zhu16b.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Zhu16b.pdf",
	otherurl = "http://www.isi.edu/publications/trpublic/files/tr-706.pdf",
	myorganization =	"USC/Information Sciences Institute",
	copyrightholder = "authors",

        abstract = "DNS is the canonical protocol for connectionless
                  UDP.  Yet DNS today is challenged by eavesdropping
                  that compromises privacy, source-address spoofing
                  that results in denial-of-service (DoS) attacks on
                  the server and third parties, injection attacks that
                  exploit fragmentation, and size limitations that
                  constrain policy and operational choices. We propose
                  T-DNS to address these problems. It uses TCP to
                  smoothly support large payloads and to mitigate
                  spoofing and amplification for DoS. T-DNS uses
                  transport-layer security (TLS) to provide privacy
                  from users to their DNS resolvers and optionally
                  to authoritative servers. Expectations about DNS
                  suggest connections will balloon client latency and
                  overwhelm servers with state, but our evaluation
                  shows costs are modest: end-to-end latency from TLS
                  to the recursive resolver is only about 9\% slower
                  with UDP to the authoritative server, and 22\%
                  slower with TCP to the authoritative. With diverse
                  traces we show that frequent connection reuse is
                  possible (60–95\% for stub and recursive resolvers,
                  although half that for authoritative servers), and
                  after connection establishment, we show TCP and
                  TLS latency is equivalent to UDP. With conservative
                  timeouts (20 s at authoritative servers and 60 s
                  elsewhere) and conservative estimates of connection
                  state memory requirements, we show that server
                  memory requirements match current hardware: a large
                  recursive resolver may have 24k active connections
                  requiring about 3.6 GB additional RAM. We identify
                  the key design and implementation decisions needed
                  to minimize overhead: query pipelining,
                  out-of-order responses, TLS connection resumption,
                  and plausible timeouts.",
}