Dear dprive WG,

Over the past 6 months, we measured the adoption of DNS over QUIC (and the 
different drafts) on resolvers worldwide, and evaluated their performance in 
comparison to DoUDP, DoTCP, DoT as well as DoH. The paper recently got accepted 
at PAM 2022, and might be of interest to the WG:

One to Rule them All? A First Look at DNS over QUIC
https://arxiv.org/abs/2202.02987

Please find the abstract below this email. We also published the raw data of 
our measurements on GitHub:
https://github.com/kosekmi/2022-pam-dns-over-quic

While we plan to build upon this work in future studies, we are happy to get 
feedback on what might be of interest to the WG - please get back to us with 
any feedback or suggestions!

Best,
Mike, Viet, Malte, Vaibhav
TUM Technical University of Munich



---- Abstract ----
The DNS is one of the most crucial parts of the Internet. Since the original 
DNS specifications defined UDP and TCP as the underlying transport protocols, 
DNS queries are inherently unencrypted, making them vulnerable to eavesdropping 
and on-path manipulations. Consequently, concerns about DNS privacy have gained 
attention in recent years, which resulted in the introduction of the encrypted 
protocols DNS over TLS (DoT) and DNS over HTTPS (DoH). Although these protocols 
address the key issues of adding privacy to the DNS, they are inherently 
restrained by their underlying transport protocols, which are at strife with, 
e.g., IP fragmentation or multi-RTT handshakes - challenges which are addressed 
by QUIC. As such, the recent addition of DNS over QUIC (DoQ) promises to 
improve upon the established DNS protocols. However, no studies focusing on 
DoQ, its adoption, or its response times exist to this date - a gap we close 
with our study. Our active measurements show a slowly but steadily increasing 
adoption of DoQ and reveal a high week-over-week fluctuation, which reflects 
the ongoing development process: As DoQ is still in standardization, 
implementations and services undergo rapid changes. Analyzing the response 
times of DoQ, we find that roughly 40% of measurements show considerably higher 
handshake times than expected, which traces back to the enforcement of the 
traffic amplification limit despite successful validation of the client's 
address. However, DoQ already outperforms DoT as well as DoH, which makes it 
the best choice for encrypted DNS to date.
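The abstract attributes the unexpectedly long DoQ handshakes to servers enforcing the traffic amplification limit after the client's address has already been validated. As an added illustration (not code from the paper or its repository), the following Python model applies the RFC 9000 section 8.1 rule (a server may send at most three times the bytes it has received until the client's address is validated) and counts the round trips a handshake needs when the server's first flight exceeds that budget, and when a server keeps enforcing the limit after validation. The flight sizes and the assumption that validation happened up front (for example via a Retry token) are constructed for illustration.

```python
# Added example: a toy model of QUIC's anti-amplification limit (RFC 9000 s8.1)
# and its effect on handshake round trips. Not the paper's measurement code.

CLIENT_INITIAL_BYTES = 1200   # client Initial datagrams are padded to >= 1200 bytes
AMPLIFICATION_FACTOR = 3      # server may send 3x the bytes received before validation


class ServerState:
    """Bytes exchanged with one client address, plus the server's validation policy."""

    def __init__(self, address_validated: bool, honours_validation: bool) -> None:
        self.received = 0
        self.sent = 0
        self.address_validated = address_validated
        # False models a server that keeps applying the limit even though the
        # client's address is validated (the behaviour the abstract describes).
        self.honours_validation = honours_validation

    def sendable(self) -> int:
        """Bytes the server may still send right now under the amplification rule."""
        if self.address_validated and self.honours_validation:
            return 1 << 30   # no limit once validation is honoured
        return AMPLIFICATION_FACTOR * self.received - self.sent


def handshake_round_trips(server_flight: int, client_validated: bool = False,
                          server_honours_validation: bool = True) -> int:
    """Round trips the client waits until the server's whole first flight
    (ServerHello, certificate chain, Finished) has arrived.

    Assumed flow (constructed): the client sends one padded Initial; each time
    the server hits the limit it stalls until the client's padded ACK arrives,
    which costs one RTT and raises the budget by 3 * CLIENT_INITIAL_BYTES."""
    s = ServerState(client_validated, server_honours_validation)
    s.received += CLIENT_INITIAL_BYTES   # the ClientHello Initial
    rtts, remaining = 1, server_flight
    while True:
        chunk = min(remaining, s.sendable())
        s.sent += chunk
        remaining -= chunk
        if remaining == 0:
            return rtts
        s.received += CLIENT_INITIAL_BYTES   # client's padded ACK after the stall
        rtts += 1


if __name__ == "__main__":
    for flight in (3000, 4500, 8000):   # constructed first-flight sizes in bytes
        print(flight, "bytes, unvalidated:", handshake_round_trips(flight), "RTT")
    print("4500 bytes, validated, limit still enforced:",
          handshake_round_trips(4500, True, False), "RTT")
```

A first flight that fits in 3600 bytes costs one RTT; a larger one costs an extra RTT per 3600 bytes unless the server honours the client's validated address.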
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy