DOI: 10.1145/3355369.3355575
research-article
Open access

An Empirical Study of the Cost of DNS-over-HTTPS

Published: 21 October 2019

Abstract

DNS is a vital component for almost every networked application. Originally it was designed as an unencrypted protocol, making user security a concern. DNS-over-HTTPS (DoH) is the latest proposal to make name resolution more secure.
In this paper we study the current DNS-over-HTTPS ecosystem, especially the cost of the additional security. We start by surveying the current DoH landscape by assessing standard compliance and supported features of public DoH servers. We then compare different transports for secure DNS, to highlight the improvements DoH makes over its predecessor, DNS-over-TLS (DoT). These improvements explain in part the significantly larger take-up of DoH in comparison to DoT.
Finally, we quantify the overhead incurred by the additional layers of the DoH transport and their impact on web page load times. We find that these overheads only have limited impact on page load times, suggesting that it is possible to obtain the improved security of DoH with only marginal performance impact.

Information

Published In

IMC '19: Proceedings of the Internet Measurement Conference
October 2019
497 pages
ISBN: 9781450369480
DOI: 10.1145/3355369
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. DNS-over-HTTPS
  2. Performance
  3. Transport

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

IMC '19
IMC '19: ACM Internet Measurement Conference
October 21 - 23, 2019
Amsterdam, Netherlands

Acceptance Rates

IMC '19 Paper Acceptance Rate 39 of 197 submissions, 20%;
Overall Acceptance Rate 277 of 1,083 submissions, 26%
