More Web Proxy on the site http://driver.im/

research-article

Open access

An Empirical Study of the Cost of DNS-over-HTTPS

Authors:

Felix Cuadrado,

Gianni Antichi,

Eder Leão Fernandes,

Ignacio Castro,

Steve UhligAuthors Info & Claims

IMC '19: Proceedings of the Internet Measurement Conference

Pages 15 - 21

https://doi.org/10.1145/3355369.3355575

Published: 21 October 2019 Publication History

Abstract

DNS is a vital component for almost every networked application. Originally it was designed as an unencrypted protocol, making user security a concern. DNS-over-HTTPS (DoH) is the latest proposal to make name resolution more secure.

In this paper we study the current DNS-over-HTTPS ecosystem, especially the cost of the additional security. We start by surveying the current DoH landscape by assessing standard compliance and supported features of public DoH servers. We then compare different transports for secure DNS, to highlight the improvements DoH makes over its predecessor, DNS-over-TLS (DoT). These improvements explain in part the significantly larger take-up of DoH in comparison to DoT.

Finally, we quantify the overhead incurred by the additional layers of the DoH transport and their impact on web page load times. We find that these overheads only have limited impact on page load times, suggesting that it is possible to obtain the improved security of DoH with only marginal performance impact.

References

[1]

Bernhard Ager, Wolfgang Mühlbauer, Georgios Smaragdakis, and Steve Uhlig. 2010. Comparing DNS resolvers in the wild. In Proceedings of IMC.

Digital Library

[2]

Marios Anagnostopoulos, Georgios Kambourakis, Panagiotis Kopanos, Georgios Louloudakis, and Stefanos Gritzalis. 2013. DNS Amplification Attack Revisited. Computers & Security (2013).

[3]

Stéphane Bortzmeyer. 2013. JSON format to represent DNS data. Internet-Draft draft-bortzmeyer-dns-json-01. https://datatracker.ietf.org/doc/html/draft-bortzmeyer-dns-json-01 Work in progress.

[4]

Stéphane Bortzmeyer. 2015. DNS Privacy Considerations. RFC 7626. https://doi.org/10.17487/RFC7626

[5]

Timm Böttger, Felix Cuadrado, Gareth Tyson, Ignacio Castro, and Steve Uhlig. 2018. Open Connect Everywhere: A Glimpse at the Internet ecosystem through the Lens of the Netflix CDN. SIGCOMM CCR (2018).

[6]

Ilker Nadi Bozkurt, Anthony Aguirre, Balakrishnan Chandrasekaran, P Brighten Godfrey, Gregory Laughlin, Bruce Maggs, and Ankit Singla. 2017. Why is the Internet so slow?!. In Proceedings of PAM.

[7]

Michael Butkiewicz, Harsha V. Madhyastha, and Vyas Sekar. 2011. Understanding Website Complexity: Measurements, Metrics, and Implications. In Proceedings of IMC.

Digital Library

[8]

Matt Calder, Xun Fan, Zi Hu, Ethan Katz-Bassett, John Heidemann, and Ramesh Govindan. 2013. Mapping the Expansion of Google's serving Infrastructure. In Proceedings of IMC.

Digital Library

[9]

Phillip Hallam-Baker and Rob Stradling. 2013. DNS Certification Authority Authorization (CAA) Resource Record. RFC 6844. https://rfc-editor.org/rfc/rfc6844.txt

[10]

Paul E. Hoffman and Patrick McManus. 2018. DNS Queries over HTTPS (DoH). RFC 8484. https://doi.org/10.17487/RFC8484

[11]

Zi Hu, Liang Zhu, John Heidemann, Allison Mankin, Duane Wessels, and Paul E. Hoffman. 2016. Specification for DNS over Transport Layer Security (TLS). RFC 7858. https://rfc-editor.org/rfc/rfc7858.txt

[12]

Geoff Huston. [n.d.]. APNIC Labs enters into a Research Agreement with Cloud-flare. https://labs.apnic.net/?p=1127.

[13]

Geoff Huston. [n.d.]. DOH! DNS over HTTPS explained. https://blog.apnic.net/2018/10/12/doh-dns-over-https-explained.

[14]

Philip Levis. 2012. The Collateral Damage of Internet Censorship by DNS Injection. SIGCOMM CCR (2012).

[15]

Patrick McManus. [n.d.]. Firefox Nightly Secure DNS Experimental Results. https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-secure-dns-experimental-results.

[16]

Mozilla. [n.d.]. Bug 264354 - Enable HTTP pipelining by default. https://bugzilla.mozilla.org/show_bug.cgi?id=264354.

[17]

Mozilla. [n.d.]. Window: load event. https://developer.mozilla.org/en-US/docs/Web/API/Window/load_event.

[18]

Henrik Frystyk Nielsen, Jeffrey Mogul, Larry M Masinter, Roy T. Fielding, Jim Gettys, Paul J. Leach, and Tim Berners-Lee. 1999. Hypertext Transfer Protocol - HTTP/1.1. RFC 2616. https://rfc-editor.org/rfc/rfc2616.txt

[19]

John S Otto, Mario A Sánchez, John P Rula, and Fabián E Bustamante. 2012. Content Delivery and the Natural Evolution of DNS: Remote DNS Trends, Performance Issues and Alternative Solutions. In Proceedings of IMC.

Digital Library

[20]

Roberto Peon and Herve Ruellan. 2015. HPACK: Header Compression for HTTP/2. RFC 7541. https://rfc-editor.org/rfc/rfc7541.txt

[21]

The Chromium Projects. [n.d.]. HTTP Pipelining. https://www.chromium.org/developers/design-documents/network-stack/http-pipelining.

[22]

Stefan Santesson, Michael Myers, Rich Ankney, Ambarish Malpani, Slava Galperin, and Dr. Carlisle Adams. 2013. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. RFC 6960. https://doi.org/10.17487/RFC6960

[23]

Kyle Schomp, Tom Callahan, Michael Rabinovich, and Mark Allman. 2013. On measuring the client-side DNS infrastructure. In Proceedings of IMC.

Digital Library

[24]

Marty Strong. [n.d.]. Fixing reachability to 1.1.1.1, GLOBALLY! https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally.

[25]

Srikanth Sundaresan, Nazanin Magharei, Nick Feamster, Renata Teixeira, and Sam Crawford. 2013. Web performance bottlenecks in broadband access networks. In SIGMETRICS Performance Evaluation Review.

[26]

Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, and Nikita Somaiya. 2015. Connection-oriented DNS to improve privacy and security. In IEEE Symposium on Security and Privacy (SP).

Digital Library

Cited By

Takanashi YKimura S(2024)Method for Detecting DoH Communications from Non-Encrypted Information at a MiddleboxInternational Journal of Networking and Computing10.15803/ijnc.14.2_15714:2(157-185)Online publication date: 2024
https://doi.org/10.15803/ijnc.14.2_157
Pinto JScheid EFranco MGranville L(2024)Eeny, Meeny, Miny, Moe: Analyzing and Comparing the Selection of DNS Lookup Tools2024 IEEE Symposium on Computers and Communications (ISCC)10.1109/ISCC61673.2024.10733718(1-6)Online publication date: 26-Jun-2024
https://doi.org/10.1109/ISCC61673.2024.10733718
Pati APanigrahi AParhi MKumar Pattanayak BSahu BKant S(2024)Simulating Fog of Medical Things: Research Challenges and OpportunitiesIEEE Access10.1109/ACCESS.2024.346801512(146527-146550)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3468015
Show More Cited By

Index Terms

An Empirical Study of the Cost of DNS-over-HTTPS
1. Networks

Recommendations

An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?
IMC '19: Proceedings of the Internet Measurement Conference

DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and ...
Understanding the Impact of Encrypted DNS on Internet Censorship
WWW '21: Proceedings of the Web Conference 2021

DNS traffic is transmitted in plaintext, resulting in privacy leakage. To combat this problem, secure protocols have been used to encrypt DNS messages. Existing studies have investigated the performance overhead and privacy benefits of encrypted DNS ...
Measuring DNS-over-HTTPS Downgrades: Prevalence, Techniques, and Bypass Strategies
PACMNET

DNS-over-HTTPS (DoH) is a privacy-enhancing protocol that encrypts plaintext query data in DNS resolution. However, DoH often faces accessibility challenges due to phenomena known as DoH downgrades, where DoH queries are reverted to plaintext DNS ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

IMC '19: Proceedings of the Internet Measurement Conference

October 2019

497 pages

ISBN:9781450369480

DOI:10.1145/3355369

Copyright © 2019 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 October 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Engineering and Physical Sciences Research Council

Conference

IMC '19

Sponsor:

IMC '19: ACM Internet Measurement Conference

October 21 - 23, 2019

Amsterdam, Netherlands

Acceptance Rates

IMC '19 Paper Acceptance Rate 39 of 197 submissions, 20%;

Overall Acceptance Rate 277 of 1,083 submissions, 26%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

61
Total Citations
View Citations
3,437
Total Downloads

Downloads (Last 12 months)601
Downloads (Last 6 weeks)44

Reflects downloads up to 01 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Takanashi YKimura S(2024)Method for Detecting DoH Communications from Non-Encrypted Information at a MiddleboxInternational Journal of Networking and Computing10.15803/ijnc.14.2_15714:2(157-185)Online publication date: 2024
https://doi.org/10.15803/ijnc.14.2_157
Pinto JScheid EFranco MGranville L(2024)Eeny, Meeny, Miny, Moe: Analyzing and Comparing the Selection of DNS Lookup Tools2024 IEEE Symposium on Computers and Communications (ISCC)10.1109/ISCC61673.2024.10733718(1-6)Online publication date: 26-Jun-2024
https://doi.org/10.1109/ISCC61673.2024.10733718
Pati APanigrahi AParhi MKumar Pattanayak BSahu BKant S(2024)Simulating Fog of Medical Things: Research Challenges and OpportunitiesIEEE Access10.1109/ACCESS.2024.346801512(146527-146550)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3468015
Li BZhu YDing YSun YZhang YLiu QGuo L(2024)From Fingerprint to Footprint: Characterizing the Dependencies in Encrypted DNS InfrastructuresComputer Security – ESORICS 202410.1007/978-3-031-70890-9_3(45-64)Online publication date: 16-Sep-2024
https://dl.acm.org/doi/10.1007/978-3-031-70890-9_3
Abu Al-Haija QAlohaly MOdeh A(2023)A Lightweight Double-Stage Scheme to Identify Malicious DNS over HTTPS Traffic Using a Hybrid Learning ApproachSensors10.3390/s2307348923:7(3489)Online publication date: 27-Mar-2023
https://doi.org/10.3390/s23073489
Alzighaibi A(2023)Detection of DoH Traffic Tunnels Using Deep Learning for Encrypted Traffic ClassificationComputers10.3390/computers1203004712:3(47)Online publication date: 22-Feb-2023
https://doi.org/10.3390/computers12030047
Li BZhu YLiu QSun YZhang YGuo L(2023)Wrapping DNS into HTTP(S): An Empirical Study on Name Resolution in Mobile Applications2023 IFIP Networking Conference (IFIP Networking)10.23919/IFIPNetworking57963.2023.10186431(1-9)Online publication date: 12-Jun-2023
https://doi.org/10.23919/IFIPNetworking57963.2023.10186431
Sengupta JKosek MFries JDikshit PBajpai V(2023)Web Privacy By Design: Evaluating Cross-layer Interactions of QUIC, DNS and H/32023 IFIP Networking Conference (IFIP Networking)10.23919/IFIPNetworking57963.2023.10186362(1-9)Online publication date: 12-Jun-2023
https://doi.org/10.23919/IFIPNetworking57963.2023.10186362
Thiagarajan KKumar RBustamante FSchulzrinne HKohler EMaltz DMisra V(2023)Poster: A Peek Backstage: Organizations in DNS Resolver HierarchiesProceedings of the ACM SIGCOMM 2023 Conference10.1145/3603269.3610870(1088-1090)Online publication date: 10-Sep-2023
https://dl.acm.org/doi/10.1145/3603269.3610870
Anderson FGhosh AGraham MMougeot LWisnosky D(2023)Bounded-Degree Plane Geometric Spanners in PracticeACM Journal of Experimental Algorithmics10.1145/358249728(1-36)Online publication date: 8-Apr-2023
https://dl.acm.org/doi/10.1145/3582497
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents