October 31, 2019 to November 1, 2019 AGM
JW Marriott Austin
America/Winnipeg timezone
OARC31 Presentation Videos available at https://youtube.com/DNS-OARC

An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?

Oct 31, 2019, 3:00 PM
Griffin Hall (JW Marriott Austin)

110 E 2nd St Austin TX 78701 USA
Standard Presentation, Public Workshop

Prof. Shuang Hao (University of Texas at Dallas)


DNS packets were designed, under the protocol's original standard, to travel through the Internet unencrypted. Recent studies show, however, that adversaries actively exploit this design weakness to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and recursive servers, which we collectively term DNS-over-Encryption. In particular, two prominent protocols, DNS-over-TLS and DNS-over-HTTPS, have been standardized by the IETF and are gaining strong support from industry.

Despite this "top-down" effort, little has been done to understand the operational status of DNS-over-Encryption from the perspective of Internet users. In this work, we perform a comprehensive, end-to-end measurement study of DNS-over-Encryption. We seek answers to questions including: 1) How many providers offer DNS-over-Encryption services? 2) What does their performance look like for users distributed around the globe? 3) What is the current real-world usage of DNS-over-Encryption?

The study is made possible by our extensive data collection, which combines Internet-wide scanning, user-end measurement and passive monitoring logs. To begin with, we launch periodic Internet-wide scans to discover all DNS-over-Encryption service providers and verify their SSL certificates. To evaluate client-side usability, we measure the reachability and performance of popular DNS-over-Encryption servers from 122K vantage points worldwide. Finally, we use large-scale passive datasets (NetFlow and Passive DNS) to measure usage of the new protocols.

So far, we have gained several unique insights into this "early" view of the DNS-over-Encryption ecosystem. In general, the service quality of DNS-over-Encryption is satisfactory in terms of both accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted than traditional DNS queries, and the extra overhead is minor once connections are reused. On the other hand, we also discover several configuration issues in how the services are operated; for example, we find that 25% of DNS-over-TLS service providers use invalid SSL certificates. Furthermore, compared to traditional DNS, DNS-over-Encryption is used by far fewer users, but we observe a growing trend.
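As an added example, not the authors' measurement code, the following Python probe sketches the per-resolver check that the Internet-wide scan and the client-side measurements above imply: a DNS-over-TLS connection on port 853 with full certificate verification, a wire-format query, timing of the first query against repeated queries over the same connection (the "reused connection" case), and failure buckets so that invalid certificates are counted separately from unreachable or refused servers. The hostname `dot.resolver.example` is a placeholder and the bucket names are my own choice, not categories from the study.

```python
"""Minimal DNS-over-TLS (RFC 7858) probe: reachability, certificate
validity and per-query latency for one resolver. Added example; not the
authors' code. Hostnames below are placeholders."""
import random
import socket
import ssl
import struct
import time
from typing import Optional

DOT_PORT = 853  # well-known port for DNS-over-TLS (RFC 7858)


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a DNS query in RFC 1035 wire format with the RD bit set."""
    if txid is None:
        txid = random.randrange(0x10000)
    # id, flags (RD=1), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)  # qtype, class IN


def frame_dot(msg: bytes) -> bytes:
    """DoT carries DNS messages over TCP with a two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Decode the DNS header and check the transaction id matches our query."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError(f"transaction id mismatch: {txid:#06x} != {expected_txid:#06x}")
    return {
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": flags & 0x000F,  # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN
        "answers": an,
    }


def classify_failure(exc: BaseException) -> str:
    """Bucket a failed probe the way a survey would tabulate it (bucket names are mine)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "invalid_certificate"  # expired, name mismatch, untrusted chain
    if isinstance(exc, ssl.SSLError):
        return "tls_handshake_error"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "connection_refused"  # port 853 closed: no DoT service offered
    if isinstance(exc, OSError):
        return "unreachable"
    return "other"


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def probe_dot(host: str, qname: str = "example.com", repeats: int = 3, timeout: float = 5.0) -> dict:
    """Handshake with full certificate verification, then time `repeats` queries
    on the same TLS connection; the first includes connection setup cost."""
    ctx = ssl.create_default_context()  # system trust store, hostname check enabled
    result = {"server": host, "status": "ok", "handshake_ms": None, "query_ms": []}
    t0 = time.monotonic()
    try:
        with socket.create_connection((host, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["handshake_ms"] = round((time.monotonic() - t0) * 1000, 1)
                for _ in range(repeats):
                    txid = random.randrange(0x10000)
                    t1 = time.monotonic()
                    tls.sendall(frame_dot(build_query(qname, txid=txid)))
                    (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                    reply = parse_response(_recv_exact(tls, length), txid)
                    result["query_ms"].append(round((time.monotonic() - t1) * 1000, 1))
                    result["rcode"] = reply["rcode"]
    except Exception as exc:  # every failure mode is a data point for the survey
        result["status"] = classify_failure(exc)
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Placeholder hostname (assumption); replace with the resolver being measured.
    print(probe_dot("dot.resolver.example"))
```

Run against a list of discovered resolvers, the `status` field gives the reachability and certificate-validity tallies, while `query_ms[0]` versus the later entries shows how much of the per-query cost disappears once the TLS connection is reused.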

Our study is the first large-scale analysis of DNS-over-Encryption, and we believe it will provide guidance for pushing adoption and improving the DNS-over-Encryption ecosystem. Our data is also available on our project website. This work has been accepted at IMC'19.

PLEASE NOTE at the speaker's request, this talk will not be webcast or video recorded.

Primary author

Mr Chaoyi Lu (Tsinghua University)

Mr Baojun Liu (Tsinghua University)
Prof. Zhou Li (UC Irvine)
Prof. Shuang Hao (University of Texas at Dallas)
Prof. Haixin Duan (Tsinghua University; Qi An Xin Security Research Institute)
Ms Mingming Zhang (Tsinghua University)
Ms Chunying Leng (Tsinghua University)
Prof. Ying Liu (Tsinghua University)
Mr Zaifeng Zhang (360 Netlab)
Prof. Jianping Wu (Tsinghua University)

Presentation materials

There are no materials yet.