Analyzing the Costs (and Benefits) of DNS, DoT, and DoH for the Modern Web (PowerPoint presentation)



SLIDE 1

Analyzing the Costs (and Benefits) of DNS, DoT, and DoH for the Modern Web

Austin Hounsel* Kevin Borgolte* Paul Schmitt* Jordan Holland* Nick Feamster† Princeton University* University of Chicago†

SLIDE 2

https://arxiv.org/abs/1907.08089

DNS Privacy Has Become a Significant Concern

  • On-path network observers can spy on and tamper with plaintext DNS traffic (Do53)
  • Two protocols have been proposed to encrypt DNS traffic
    ○ DNS-over-TLS (DoT): RFC 7858
    ○ DNS-over-HTTPS (DoH): RFC 8484

SLIDE 3

Contributions

  • Extensive performance study of Do53, DoT, and DoH
  • Insights to optimize DNS performance

SLIDE 4

Experiment Overview

  • Goal: Understand how Do53, DoT, and DoH affect user experience
    ○ Query response times
    ○ Page load times
    ○ Effect of changing network conditions
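The following is an added example, not code from the paper or the talk. It shows the one RFC 1035 wire-format message that all three transports carry, how each transport frames it (Do53 as a bare UDP datagram to port 53; DoT as a 2-byte length-prefixed message inside TLS to port 853 per RFC 7858; DoH as an HTTP POST body or a base64url `dns=` GET parameter with the `application/dns-message` media type per RFC 8484), and a small harness that summarizes response times by their tail, since the talk's comparisons turn on the tail rather than the median. The resolver address `192.0.2.53`, the TLS name `dot.example` and the DoH URL are placeholders, and the nearest-rank percentile helper is this example's own choice, not the authors' methodology.

```python
# Added example, not code from the paper or the slides. Resolver addresses,
# TLS names and URLs below are placeholders (RFC 5737 / reserved names).
import base64
import math
import socket
import ssl
import struct
import time
import urllib.request


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Serialize a one-question query (RD=1) in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_header(msg: bytes) -> dict:
    """Fields a latency study cares about: id, RCODE, TC bit, answer count."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "rcode": flags & 0x000F,
            "truncated": bool(flags & 0x0200), "ancount": ancount}


def frame_for_tcp(msg: bytes) -> bytes:
    """DoT (and plain DNS-over-TCP) prefix each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(base_url: str, msg: bytes) -> str:
    """DoH GET form: the message base64url-encoded with '=' padding stripped."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full DNS message arrived")
        buf += chunk
    return buf


def send_do53(msg: bytes, server_ip: str, timeout: float = 5.0) -> bytes:
    """Do53: one unencrypted UDP datagram to port 53, one datagram back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server_ip, 53))
        return s.recv(4096)


def send_dot(msg: bytes, server_ip: str, tls_name: str, timeout: float = 5.0) -> bytes:
    """DoT: length-prefixed message inside a fresh TLS session to port 853."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame_for_tcp(msg))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


def send_doh(msg: bytes, url: str, timeout: float = 5.0) -> bytes:
    """DoH: HTTP POST of the raw wire-format message."""
    req = urllib.request.Request(url, data=msg, method="POST", headers={
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def tail_stats(samples_ms) -> dict:
    """Nearest-rank percentiles of a list of response times in milliseconds."""
    s = sorted(samples_ms)

    def pct(p):
        return s[max(0, math.ceil(p / 100 * len(s)) - 1)]
    return {"n": len(s), "p50": pct(50), "p95": pct(95), "p99": pct(99), "max": s[-1]}


def measure(send, msg: bytes, n: int = 20) -> dict:
    """Time n queries through `send` (a closure over one sender above); result in ms."""
    samples = []
    for _ in range(n):
        t0 = time.perf_counter()
        reply = send(msg)
        samples.append((time.perf_counter() - t0) * 1000.0)
        if parse_header(reply)["txid"] != parse_header(msg)["txid"]:
            raise ValueError("transaction id mismatch")
    return tail_stats(samples)


if __name__ == "__main__":
    q = build_query("example.com")
    # Placeholders: point these at a recursor you operate or are permitted to measure.
    print("Do53", measure(lambda m: send_do53(m, "192.0.2.53"), q))
    print("DoT ", measure(lambda m: send_dot(m, "192.0.2.53", "dot.example"), q))
    print("DoH ", measure(lambda m: send_doh(m, "https://doh.example/dns-query"), q))
```

`send_dot` opens a new TLS session per query, so its numbers include the TCP and TLS handshakes; a study that reuses connections (as stub resolvers do) would pass a persistent socket instead. The TC bit exposed by `parse_header` is worth checking on Do53 responses, because a truncated UDP answer forces a retry over TCP that lands in the tail.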

SLIDE 5

SLIDE 6

Response Times from Cloudflare on Princeton’s Network

SLIDE 7

Response Times from Google on Princeton’s Network

SLIDE 8

Response Times from Quad9 on Princeton’s Network

SLIDE 9

Takeaway: DoH Can Outperform Do53

  • DoH outperforms Do53 in the tail of response times
    ○ Caching of DNS wire format?
  • This result supports Mozilla’s findings

SLIDE 10

Measuring Page Load Time

  • We measured page load times to understand user experience
  • For this talk, we’re only focusing on Cloudflare
    ○ Fastest response times

SLIDE 11

Measuring Page Load Time

  • We also performed traffic shaping
    ○ Princeton’s network was the baseline
    ○ 4G: 53.3ms additional latency, 1ms jitter, 0.5% loss
    ○ Lossy 4G: 53.3ms additional latency, 1ms jitter, 1.5% loss
    ○ 3G: 150ms additional latency, 8ms jitter, 2.5% loss
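As an added example (not the authors' tooling), the three profiles on this slide expressed as Linux netem commands, which is the usual way to emulate added latency, jitter and loss on a test host. It assumes a Linux machine with iproute2 (`tc`) and root; the interface name `eth0` is a placeholder, and the `baseline` profile simply removes the qdisc.

```python
# Added example, not code from the paper or the slides. Assumes Linux with
# iproute2; the interface name is a placeholder.
import shlex
import subprocess

# (additional latency in ms, jitter in ms, packet loss in %) as given on the slide
PROFILES = {
    "4g":       (53.3, 1, 0.5),
    "lossy-4g": (53.3, 1, 1.5),
    "3g":       (150, 8, 2.5),
}


def netem_command(profile: str, iface: str = "eth0") -> list:
    """Build `tc qdisc replace ... netem`; `replace` lets a later call swap profiles in place."""
    delay, jitter, loss = PROFILES[profile]
    return ["tc", "qdisc", "replace", "dev", iface, "root", "netem",
            "delay", f"{delay}ms", f"{jitter}ms", "loss", f"{loss}%"]


def clear_command(iface: str = "eth0") -> list:
    """Remove the root qdisc, restoring the unshaped baseline."""
    return ["tc", "qdisc", "del", "dev", iface, "root"]


def shape(profile: str, iface: str = "eth0", dry_run: bool = True) -> str:
    """Return the command as a shell string; run it only when dry_run is False."""
    cmd = clear_command(iface) if profile == "baseline" else netem_command(profile, iface)
    if not dry_run:
        subprocess.run(cmd, check=True)
    return shlex.join(cmd)


if __name__ == "__main__":
    for p in ("baseline", "4g", "lossy-4g", "3g"):
        print(shape(p))
```

netem on a root qdisc shapes egress only, so these values are applied to one direction of each round trip; the slide does not say how the authors applied theirs, so treat this as one way to reproduce the profiles rather than their exact setup.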

SLIDE 12

Page Loads with Cloudflare on Princeton’s Network

SLIDE 13

Page Loads with Cloudflare on Emulated 4G Network

SLIDE 14

Page Loads with Cloudflare on Emulated, Lossy 4G Network

SLIDE 15

Page Loads with Cloudflare on Emulated 3G Network

SLIDE 16

Takeaway: DNS-over-TCP Can Help Page Load Times

  • TCP can retransmit a lost packet after as few as two round-trips
  • This helps DoT/DoH perform well on lossy networks
  • Timeouts in Do53 implementations might be higher

SLIDE 17

Potential Improvements for Do53, DoT, and DoH

  • Opportunistic partial responses
  • Wire format caching
  • HTTP/2 push for DoH

SLIDE 18

Conclusion

  • DoT performs better than DoH, and sometimes better than Do53
  • DoH has potential!
  • Choice of recursor and network both matter
  • Transport characteristics of TCP should be explored

Check out the full pre-print: https://arxiv.org/abs/1907.08089
