[dns-operations] DNS over TLS: slowly happening

Hellqvist, Björn bjorn.hellqvist at teliacompany.com
Tue Jun 26 11:17:46 UTC 2018


Hi,

Has anyone done any real research with real-world numbers on the server side when using DNS-over-TLS?

Let's say you have a moderate setup with 1M daily unique clients per server, and the server is handling up to 30k QPS in normal traffic in peak hours.

And what happens during an attack when each client opens up a large number of new unique connections?
Or if a vendor introduces a bug that does not reuse the TCP connection and opens up a new one each time without closing the unused one?
Also, how will this work in an ISP Anycast situation?

Personally I think that such studies should be done before any vendor introduces this functionality. The study should also take into account global DNS providers, ISP DNS providers and maybe enterprise DNS infrastructure.

I also would personally prefer a UDP-based solution like DNS-over-QUIC, which I believe will be more efficient on the server side (without having done any testing).

Moving over to TCP, there will probably be a new way of calculating resources. Usually with UDP you could mostly rely on QPS, but with TCP and TLS there are other resource limits to take into account. And we don't want to end up in a situation where X servers were needed in a normal UDP-based configuration, but now 5X-10X are needed to handle the same amount of traffic.

Although we should aim for privacy, we should not jump into a solution that operators will actively disable due to resource and cost limits.

For me this sounds more like a way to promote the Google DNS resolver than like thinking through all the other potentially problematic scenarios that can happen when this is introduced.

BR,
Bjorn Hellqvist
Senior System Specialist (Internet & DNS)
Telia Company
Solna, Sweden



> -----Original Message-----
> From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf
> Of bert hubert
> Sent: den 26 juni 2018 11:10
> To: dns-operations at dns-oarc.net
> Subject: [dns-operations] DNS over TLS: slowly happening
> 
> Hi everyone,
> 
> [tl;dr enable DNS over TLS on your resolvers and CPE/modem if you can]
> 
> As announced in https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
> Android "P" will attempt to talk DNS over TLS to its resolver by default.
> 
> We've asked a few very large scale resolver operators (at service providers) if
> they see this happening already and they confirm, but it is tiiiiiny.
> 
> Among tens of millions of subscribers "dozens" of IP addresses attempt
> connections to port 853 of resolvers.
> 
> The reason this does not yet happen a lot is of course partly because Android P
> is not widely deployed, but also because most service providers now provision
> their modem/router/CPE/default GW as nameserver.
> 
> And in fact, most of the attempts we have heard of come from mobile phones
> on cellular networks, and not from home wifi.
> 
> Anyhow, if you are planning DNS operations, be aware phones will start
> attempting to talk 853 to your CPE. And if you are a mobile operator, expect
> the same to happen on your resolvers.
> 
> We are aware of at least one moderately large service provider that will
> enable DNS over TLS on their resolvers.
> 
> (Mobile) service providers that want to prevent their users from eventually
> receiving the popup "your internet connection is not secure, use our private
> lookup service?" may want to ponder doing the same.
> 
> 	Bert
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
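To put numbers on the resource question raised above (UDP capacity scaling with QPS, TCP/TLS capacity depending on connection lifetime, and the failure mode where a client opens a fresh connection per query and never closes it), here is an added example. It is not code from either list post or from any resolver vendor. It uses Little's law (concurrent connections = connection arrival rate x mean lifetime) on the figures given in the post (1M daily clients, 30k QPS) together with assumed constants that are labelled as such: a 10 s server-side idle timeout, ~5 queries per client burst, 40 KB of state per TLS session and 50 ms mean UDP query latency. The second half is a per-source connection cap, the usual operator-side mitigation for the "many connections per client" scenario, replayed over a constructed event stream.

```python
"""Capacity sketch for a DNS-over-TLS (port 853) resolver.

Added illustration for the list thread; all constants below are assumptions,
not measurements from any operator.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DotProfile:
    qps: float                    # peak queries per second (from the post)
    daily_clients: int            # unique client addresses per day (from the post)
    idle_timeout_s: float = 10.0  # ASSUMED: server closes an idle TLS session after this
    queries_per_burst: float = 5  # ASSUMED: queries a client sends within one idle window
    mem_per_conn: int = 40_000    # ASSUMED: bytes of TLS + socket state per session
    udp_latency_s: float = 0.05   # ASSUMED: mean time a UDP query is in flight


def udp_inflight(p: DotProfile) -> int:
    """UDP keeps no per-client state; the only 'connections' are queries
    in flight, so state scales with QPS x latency (Little's law)."""
    return int(p.qps * p.udp_latency_s)


def concurrent_connections(p: DotProfile, reuse: bool) -> int:
    """Little's law: L = arrival_rate * mean_residence_time.

    reuse=True : a client holds one session across a burst, so the number of
                 sessions is the number of clients active within one idle
                 window, bounded by the total client population.
    reuse=False: the buggy-client case from the post; every query is its own
                 connection and lingers until the server idle timeout fires.
    """
    if reuse:
        active_clients = p.qps * p.idle_timeout_s / p.queries_per_burst
        return int(min(p.daily_clients, active_clients))
    return int(p.qps * p.idle_timeout_s)


def memory_bytes(p: DotProfile, reuse: bool) -> int:
    """Rough per-session memory footprint for the two connection models."""
    return concurrent_connections(p, reuse) * p.mem_per_conn


class PerClientCap:
    """Operator-side mitigation: refuse new TLS connections from a source
    address that already holds `max_conns` open sessions."""

    def __init__(self, max_conns: int):
        self.max_conns = max_conns
        self.open = defaultdict(int)

    def on_open(self, ip: str) -> bool:
        """Return True if the connection is accepted, False if capped."""
        if self.open[ip] >= self.max_conns:
            return False
        self.open[ip] += 1
        return True

    def on_close(self, ip: str) -> None:
        if self.open[ip] > 0:
            self.open[ip] -= 1


def replay(events, max_conns: int):
    """Replay (ip, 'open'|'close') events through the cap.
    Returns (accepted_count, rejected_per_ip, open_per_ip)."""
    cap = PerClientCap(max_conns)
    accepted, rejected = 0, defaultdict(int)
    for ip, kind in events:
        if kind == "open":
            if cap.on_open(ip):
                accepted += 1
            else:
                rejected[ip] += 1
        elif kind == "close":
            cap.on_close(ip)
    return accepted, dict(rejected), {k: v for k, v in cap.open.items() if v}


# Constructed sample: one client that opens three sessions in a row (the
# "does not reuse, does not close" behaviour), then closes one and reopens.
SAMPLE_EVENTS = [
    ("198.51.100.7", "open"),
    ("198.51.100.7", "open"),
    ("198.51.100.7", "open"),   # third simultaneous session: over a cap of 2
    ("198.51.100.7", "close"),
    ("198.51.100.7", "open"),   # allowed again after the close
    ("203.0.113.9", "open"),
]

if __name__ == "__main__":
    p = DotProfile(qps=30_000, daily_clients=1_000_000)
    print("UDP in-flight queries:", udp_inflight(p))
    for reuse in (True, False):
        print(f"DoT reuse={reuse}: {concurrent_connections(p, reuse)} sessions, "
              f"{memory_bytes(p, reuse) / 1e9:.1f} GB")
    print("cap replay:", replay(SAMPLE_EVENTS, max_conns=2))
```

With the assumed constants the reuse case holds 60k sessions (2.4 GB) at the same 30k QPS that costs UDP 1,500 in-flight entries, and the no-reuse case holds 300k sessions (12 GB): the multiplier between the two is simply the number of queries a client would otherwise have sent over one session, which is why the post's concern is about connection lifetime rather than QPS. The cap replay shows the third simultaneous connection from the misbehaving source being refused while the well-behaved source is unaffected.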