
Measuring DNS over TLS from the Edge: Adoption, Reliability, and Response Times

  • Conference paper
  • Passive and Active Measurement (PAM 2021)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12671)

Abstract

The Domain Name System (DNS) is a cornerstone of communication on the Internet. DNS over TLS (DoT) was standardized in 2016 as an extension to the DNS protocol; however, its performance has not yet been extensively studied. In the first study that measures DoT from the edge, we leverage 3.2k RIPE Atlas probes deployed in home networks to assess the adoption, reliability, and response times of DoT in comparison with DNS over UDP/53 (Do53). Each probe issues 200 domain name lookups to 15 public resolvers, five of which support DoT, and to the probes’ local resolvers over a period of one week, resulting in 90M DNS measurements in total. We find that support for DoT among open resolvers has increased by 23.1% after nine months in comparison with previous studies. However, we observe that DoT is still only supported by the local resolvers of 0.4% of the RIPE Atlas probes. In terms of reliability, we find failure rates for DoT to be inflated by 0.4–32.2 percentage points (p.p.) when compared to Do53. While Do53 failure rates for most individual resolvers are consistent across continents, DoT failure rates vary much more. As for response times, we see large regional differences for DoT and find that nearly all DoT requests take at least 100 ms to return a response (in large part due to connection and session establishment), showing an inflation in response times of more than 100 ms compared to Do53. Despite the low adoption of DoT among local resolvers, they achieve DoT response times of around 140–150 ms, similar to public resolvers (130–230 ms), although local resolvers also exhibit higher failure rates in comparison.
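The abstract attributes most of the DoT response-time inflation to connection and session establishment. The following Python client is an added example, not code from the paper or its measurement repository; it builds a DNS query in wire format, sends it either over UDP/53 (Do53) or as a length-prefixed message over TLS on port 853 (DoT), and times the TCP connect, TLS handshake and query stages separately so the overhead can be attributed. The resolver address `192.0.2.1` is a documentation placeholder to be replaced with a DoT-capable resolver, and `SAMPLE_RESPONSE` is a constructed reply used only to exercise the parser offline.

```python
import socket
import ssl
import struct
import time

# Placeholder resolver (RFC 5737 documentation range); replace with a real DoT resolver.
RESOLVER_IP = "192.0.2.1"
TXID = 0x1234


def build_query(name: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """Build a minimal DNS query: RD=1, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, always 2 bytes
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, expected_txid: int = TXID) -> dict:
    """Extract rcode, answer count and A records from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                 # skip question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + rdlen]))
        off += rdlen
    return {"rcode": flags & 0xF, "answers": an, "a_records": addrs}


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message")
        buf += chunk
    return buf


def read_framed(sock) -> bytes:
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def measure_do53(name: str, resolver: str = RESOLVER_IP, timeout: float = 5.0) -> dict:
    """Single UDP/53 lookup; the whole exchange is one round trip."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
        total = (time.perf_counter() - t0) * 1000
    return {"total_ms": total, **parse_response(data)}


def measure_dot(name: str, resolver: str = RESOLVER_IP, timeout: float = 5.0) -> dict:
    """DoT lookup timed per stage: TCP connect, TLS handshake, then the query itself."""
    ctx = ssl.create_default_context()       # verifies the resolver's certificate
    t0 = time.perf_counter()
    raw = socket.create_connection((resolver, 853), timeout=timeout)
    t_tcp = time.perf_counter()
    tls = ctx.wrap_socket(raw, server_hostname=resolver)
    t_tls = time.perf_counter()
    tls.sendall(frame_tcp(build_query(name)))
    resp = parse_response(read_framed(tls))
    t_done = time.perf_counter()
    tls.close()
    return {
        "tcp_ms": (t_tcp - t0) * 1000,
        "tls_ms": (t_tls - t_tcp) * 1000,
        "query_ms": (t_done - t_tls) * 1000,
        "total_ms": (t_done - t0) * 1000,
        **resp,
    }


# Constructed sample reply: NOERROR, one question, one A record via a name pointer.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    + build_query("example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # Network calls, e.g. measure_do53("example.com") / measure_dot("example.com"),
    # require a reachable resolver in RESOLVER_IP.
```

Running `measure_dot` against a reachable resolver shows the `tcp_ms` and `tls_ms` stages that a Do53 lookup does not pay; a production stub resolver would keep the TLS session open and reuse it across queries, which is why repeated-query timings look very different from this one-shot measurement.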


Notes

  1. Repository: https://github.com/tv-doan/pam-2021-ripe-atlas-dot.


Acknowledgements

We thank Alexander Niedrist (TUM), Johan ter Beest and Philip Homburg (RIPE NCC), and the volunteering RIPE Atlas probe hosts for their valuable support regarding our measurement study. We also thank our shepherd Timm Böttger and the anonymous reviewers for their insightful feedback and suggestions.

Corresponding author

Correspondence to Trinh Viet Doan.


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Doan, T.V., Tsareva, I., Bajpai, V. (2021). Measuring DNS over TLS from the Edge: Adoption, Reliability, and Response Times. In: Hohlfeld, O., Lutu, A., Levin, D. (eds) Passive and Active Measurement. PAM 2021. Lecture Notes in Computer Science, vol 12671. Springer, Cham. https://doi.org/10.1007/978-3-030-72582-2_12


  • DOI: https://doi.org/10.1007/978-3-030-72582-2_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-72581-5

  • Online ISBN: 978-3-030-72582-2
