Connection-Oriented DNS to Improve Privacy and Security

Zhu, Liang and Hu, Zi and Heidemann, John and Wessels, Duane and Mankin, Allison and Somaiya, Nikita
USC/Information Sciences Institute

citation

Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin and Nikita Somaiya 2015. Connection-Oriented DNS to Improve Privacy and Security. Proceedings of the 36thIEEE Symposium on Security and Privacy (San Jose, Californa, USA, May 2015), 171–186. [DOI] [PDF] [Software] [Dataset]

abstract

The Domain Name System (DNS) seems ideal for connectionless UDP, yet this choice results in challenges of eavesdropping that compromises privacy, source-address spoofing that simplifies denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and reply-size limits that constrain key sizes and policy choices. We propose T-DNS to address these problems. It uses TCP to smoothly support large payloads and to mitigate spoofing and amplification for DoS\@. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. TCP and TLS are hardly novel, and expectations about DNS suggest connections will balloon client latency and overwhelm server with state. Our contribution is to show that T-DNS significantly improves security and privacy: TCP prevents denial-of-service (DoS) amplification against others, reduces the effects of DoS on the server, and simplifies policy choices about key size. TLS protects against eavesdroppers to the recursive resolver. Our second contribution is to show that with careful implementation choices, these benefits come at only modest cost: end-to-end latency from TLS to the recursive resolver is only about 9% slower when UDP is used to the authoritative server, and 22% slower with TCP to the authoritative. With diverse traces we show that connection reuse can be frequent (60–95% for stub and recursive resolvers, although half that for authoritative servers), and after connection establishment, experiments show that TCP and TLS latency is equivalent to UDP\@. With conservative timeouts (20 s at authoritative servers and 60 s elsewhere) and estimated per-connection memory, we show that server memory requirements match current hardware: a large recursive resolver may have 24k active connections requiring about 3.6 GB additional RAM\@. Good performance requires key design and implementation decisions we identify: query pipelining, out-of-order responses, TCP fast-open and TLS connection resumption, possible. and plausible timeouts.

reference

@inproceedings{Zhu15b,
  author = {Zhu, Liang and Hu, Zi and Heidemann, John and Wessels, Duane and Mankin, Allison and Somaiya, Nikita},
  title = {Connection-Oriented {DNS} to Improve Privacy
                    and Security},
  booktitle = {Proceedings of the 36thIEEE Symposium on Security and Privacy},
  year = {2015},
  sortdate = {2015-05-01},
  pages = {171--186},
  month = may,
  address = {San Jose, Californa, USA},
  publisher = {IEEE},
  jlocation = {johnh: pafile},
  copyright = {IEEE},
  copyrightterms = {
  	Personal use of this material is permitted.  Permission from IEEE must
  	be obtained for all other uses, in any current or future media,
  	including reprinting/republishing this material for advertising or
  	promotional purposes, creating new collective works, for resale or
  	redistribution to servers or lists, or reuse of any copyrighted
  	component of this work in other works.
    },
  myorganization = {USC/Information Sciences Institute},
  keywords = {DNS, privacy, t-dns, dns-over-tcp, dns-over-tls},
  doi = {http://dx.doi.org/10.1109/SP.2015.18},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Zhu15b.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Zhu15b.pdf},
  project = {ant, retrofuture, lacrend, tdns},
  blogurl = {https://ant.isi.edu/blog/?p=660},
  dataseturl = {https://ant.isi.edu/datasets/all.html},
  softwareurl = {https://ant.isi.edu/software/tdns/index.html}
}

copyright

Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.