T-DNS: Connection-Oriented DNS to Improve Privacy and Security

T-DNS: Connection-Oriented DNS to Improve Privacy and Security

Zhu, Liang and Hu, Zi and Heidemann, John and Wessels, Duane and Mankin, Allison and Somaiya, Nikita
USC/Information Sciences Institute

Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2014. T-DNS: Connection-Oriented DNS to Improve Privacy and Security. Technical Report ISI-TR-2014-688. USC/Information Sciences Institute.

Abstract

This paper explores \emphconnection-oriented DNS to improve DNS security and privacy. DNS is the canonical example of a connectionless, single packet, request/response protocol, with UDP as its dominant transport. Yet DNS today is challenged by eavesdropping that compromises privacy, source-address spoofing that results in denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and size limitations that constrain policy and operational choices. We propose \empht-DNS to address these problems: it combines TCP to smoothly support large payloads and mitigate spoofing and amplification for DoS\@. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. Traditional wisdom is that connection setup will balloon latency for clients and overwhelm servers. These are myths—our model of end-to-end latency shows \emphTLS to the recursive resolver is only about 21% slower, with UDP to the authoritative server. End-to-end latency is 90% slower with TLS to recursive and TCP to authoritative. Experiments behind these models show that after connection establishment, TCP and TLS latency is equivalent to UDP\@. Using diverse trace data we show that frequent connection reuse is possible (60–95% for stub and recursive resolvers, although half that for authoritative servers). With conservative timeouts (20 s at authoritative servers and 60 s elsewhere) we show that \emphserver memory requirements match current hardware: a large recursive resolver may have 25k active connections consuming about 9 GB of RAM\@. We identify the key design and implementation decisions needed to minimize overhead—query pipelining, out-of-order responses, TLS connection resumption, and plausible timeouts.

Reference

@techreport{Zhu14a,
  author = {Zhu, Liang and Hu, Zi and Heidemann, John and Wessels, Duane and Mankin, Allison and Somaiya, Nikita},
  title = {T-{DNS}: Connection-Oriented {DNS} to Improve Privacy and Security},
  institution = {USC/Information Sciences Institute},
  note = {This technical report has been superceeded by ISI-TR-2014-693},
  year = {2014},
  sortdate = {2014-02-01},
  number = {ISI-TR-2014-688},
  month = feb,
  location = {johnh: pafile},
  keywords = {network outage detection, hurricane sandy},
  url = {http://www.isi.edu/%7ejohnh/PAPERS/Zhu14a.html},
  pdfurl = {http://www.isi.edu/%7ejohnh/PAPERS/Zhu14a.pdf},
  otherurl = {ftp://ftp.isi.edu/isi-pubs/tr-688.pdf},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {authors},
  project = {ant, lacrend, tdns}
}