T-DNS: Connection-Oriented DNS to Improve Privacy and Security (poster abstract)
Liang Zhu, Zi Hu, John Heidemann, Allison Mankin and Duane Wessels
USC/Information Sciences Institute

Citation

Liang Zhu, Zi Hu, John Heidemann, Allison Mankin and Duane Wessels. T-DNS: Connection-Oriented DNS to Improve Privacy and Security (poster abstract). Poster at SIGCOMM 2014. [DOI] [PDF] [alt PDF]

Abstract

DNS is the canonical protocol for connectionless UDP. Yet DNS today is challenged by eavesdropping that compromises privacy, source-address spoofing that results in denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and size limitations that constrain policy and operational choices. We propose T-DNS to address these problems. It uses TCP to smoothly support large payloads and to mitigate spoofing and amplification for DoS. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. Our model shows end-to-end latency from TLS to the recursive resolver is only about 9% slower when UDP is used to the authoritative server, and 22% slower with TCP to the authoritative. With diverse traces we show that frequent connection reuse is possible (60-95% for stub and recursive resolvers, although half that for authoritative servers). Our experiment shows that after connection establishment, TCP and TLS latency is equivalent to UDP. With conservative timeouts (20 s at authoritative servers and 60 s elsewhere) and conservative estimates of connection state memory requirements, we show that server memory requirements are well within current, commodity server hardware. We identify the key design and implementation decisions needed to minimize overhead: query pipelining, out-of-order responses, TLS connection resumption, and plausible timeouts. This poster abstract summarizes work we describe in detail in ISI-TR-2014-693.
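Two of the implementation decisions the abstract names, query pipelining and out-of-order responses, are what let DNS over a reused TCP connection match UDP latency: the client writes every outstanding query onto the stream without waiting, and the server may answer in whatever order the answers are ready, so the client must demultiplex replies by transaction ID and question rather than by arrival order. The example below is added here to illustrate that mechanism; it is not code from the paper or its authors. It builds RFC 1035 wire-format queries, applies the two-byte length prefix that DNS over TCP requires, and stands in a toy authoritative side (`toy_server`, with a constructed two-record zone) that deliberately answers pipelined queries in reverse order. The zone contents, the fixed transaction IDs and the in-memory "connection" (a byte string passed between the two functions) are all assumptions made for a reproducible, offline run.

```python
import struct

# Constructed zone data for the toy authoritative side; not real records.
ZONE = {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.25"}


def encode_name(name):
    """Encode a domain name as RFC 1035 length-prefixed labels."""
    return b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, pos):
    """Decode an uncompressed name at pos; return (name, position after it)."""
    labels = []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            return ".".join(labels), pos
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n


def build_query(qid, name, qtype=1):
    """Header (ID, RD set, QDCOUNT=1) followed by one question of class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, addr):
    """Echo the question, then one A record (TTL 300) or NXDOMAIN (RCODE 3)."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    if addr is None:
        return struct.pack("!HHHHHH", qid, 0x8583, 1, 0, 0, 0) + question
    rr = (b"\xc0\x0c"  # compression pointer to the question name at offset 12
          + struct.pack("!HHIH", 1, 1, 300, 4)
          + bytes(int(o) for o in addr.split(".")))
    return struct.pack("!HHHHHH", qid, 0x8580, 1, 1, 0, 0) + question + rr


def frame(msg):
    """DNS over TCP: every message is preceded by a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe(stream):
    """Split a TCP byte stream into complete messages; return (messages, unconsumed tail)."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        n = struct.unpack_from("!H", stream, pos)[0]
        if pos + 2 + n > len(stream):
            break  # partial message: keep the tail and wait for more bytes
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs, stream[pos:]


def parse_response(msg):
    """Return (ID, question name, RCODE, dotted A address or None)."""
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    name, pos = decode_name(msg, 12)
    pos += 4  # QTYPE, QCLASS
    if ancount == 0:
        return qid, name, flags & 0xF, None
    pos += 2  # skip the compression pointer back to the question name
    _rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
    pos += 10
    return qid, name, flags & 0xF, ".".join(str(b) for b in msg[pos:pos + rdlen])


def toy_server(stream, zone):
    """Stand-in authoritative side: answer all pipelined queries, deliberately in reverse order."""
    queries, tail = unframe(stream)
    out = b""
    for q in reversed(queries):
        name, _ = decode_name(q, 12)
        out += frame(build_response(q, zone.get(name)))
    return out, tail


def pipelined_lookup(names, zone=ZONE):
    """Write every query to one connection without waiting, then match replies by ID and name."""
    pending, wire = {}, b""
    for i, name in enumerate(names):
        qid = 0x1000 + i  # fixed for reproducibility; a real resolver uses unpredictable IDs
        pending[qid] = name
        wire += frame(build_query(qid, name))
    reply_stream, tail = toy_server(wire, zone)
    assert tail == b""  # the server consumed every framed query
    results = {}
    replies, _leftover = unframe(reply_stream)
    for msg in replies:
        qid, qname, rcode, addr = parse_response(msg)
        if pending.get(qid) != qname:
            continue  # unknown ID or a different question than we asked: drop it
        del pending[qid]
        results[qname] = addr if rcode == 0 else None
    return results


if __name__ == "__main__":
    print(pipelined_lookup(["www.example.com", "nope.example.com", "mail.example.com"]))
```

The length prefix is what removes the UDP payload ceiling and the fragmentation that the abstract's injection attacks exploit, and `unframe` keeping an incomplete tail matters in practice: TCP delivers a stream, not datagrams, so a message can arrive split across reads. The demultiplexing rule in `pipelined_lookup` (accept a reply only if its ID is outstanding and its question matches) is the same check a UDP resolver needs against spoofed replies; on TCP it also lets the client safely accept replies in any order.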

Bibtex Citation

@misc{Zhu14d,
  author = {Zhu, Liang and Hu, Zi and Heidemann, John and Mankin, Allison and Wessels, Duane},
  title = {T-DNS: Connection-Oriented DNS to Improve Privacy
                    and Security (poster abstract)},
  howpublished = {Poster at SIGCOMM 2014},
  month = aug,
  year = {2014},
  keywords = {DNS, privacy, t-dns, dns-over-tcp, dns-over-tls},
  jlocation = {johnh: pafile xxx not on file},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Zhu14d.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Zhu14d.pdf},
  doi = {http://dx.doi.org/10.1145/2740070.2631442},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {authors}
}
Copyright © by John Heidemann