10–11 May 2014
Sofitel Warsaw Victoria
Europe/Warsaw timezone

T-DNS: Connection-Oriented DNS to Improve Privacy and Security

10 May 2014, 15:00
30m
Opera (Sofitel Warsaw Victoria)

Opera

Sofitel Warsaw Victoria

11 Królewska Street 00-065 Warsaw
Public Workshop

Speaker

Mr John Heidemann (USC/Information Sciences Institute)

Description

This talk will discuss _connection-oriented DNS_ to improve DNS security and privacy. DNS is the canonical example of a connectionless, single packet, request/response protocol, with UDP as its dominant transport. Yet DNS today is challenged by eavesdropping that compromises privacy, source-address spoofing that results in denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and size limitations that constrain policy and operational choices. We propose _t-DNS_ to address these problems: it uses TCP to smoothly support large payloads and mitigate spoofing and amplification for DoS. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers.

Summary

Traditional wisdom is that connection setup will balloon latency for clients and overwhelm servers. We provide data to show that these assumptions are overblown---our model of end-to-end latency shows TLS to the recursive resolver is only about 21% slower, with UDP to the authoritative server. End-to-end latency is 90% slower with TLS to recursive and TCP to authoritative. Experiments behind these models show that after connection establishment, TCP and TLS latency is equivalent to UDP. Using diverse trace data we show that frequent connection reuse is possible (60--95% for stub and recursive resolvers, although half that for authoritative servers). With conservative timeouts (20 s at authoritative servers and 60 s elsewhere) we show that server memory requirements match current hardware: a large recursive resolver may have 25k active connections consuming about 9 GB of RAM. These results depend on specific design and implementation decisions---query pipelining, out-of-order responses, TLS connection resumption, and plausible timeouts.

We hope to solicit feedback from the OARC community about this work to understand design and operational concerns if T-DNS deployment was widespread. The work in the talk is Liang Zhu, Zi Hu, and John Heidemann (all of USC/ISI), Duane Wessels and Allison Mankin (both of Verisign), and Nikita Somaiya (USC/ISI).

A technical report describing the work is at
http://www.isi.edu/~johnh/PAPERS/Zhu14a.pdf

and the protocol changes are described as
http://datatracker.ietf.org/doc/draft-hzhwm-start-tls-for-dns/

Primary author

Mr John Heidemann (USC/Information Sciences Institute)

Presentation materials