[dns-operations] DNS over TLS: slowly happening

bert hubert bert.hubert at powerdns.com
Tue Jun 26 13:02:25 UTC 2018


Hi Björn,

Good to see someone from the resolver community post on this list! Usually
most of us are from the (cc)TLD or hosting community.

On Tue, Jun 26, 2018 at 11:17:46AM +0000, Hellqvist, Björn wrote:
> Has anyone done any real research with real-world numbers on the server side when using DNS-over-TLS?

Somewhat: https://ripe76.ripe.net/presentations/92-RIPE76_DNS_Privacy_measurements.pdf
and https://ripe76.ripe.net/presentations/95-jonglez-dns-tcp-ripe76.pdf

These numbers are not entirely 'real world' though.

> And what happens during an attack when each client opens up a large number
> of new unique connections?  Or if a vendor introduces a bug that does not
> reuse the TCP connection and opens up a new one each time without closing
> the unused one?

I personally recommend having a proxy do the dnsdist termination, this means
that at worst the proxy fails. This has also been measured in the
presentations above.

> Also how will this work in an ISP Anycast situation?

DNS TCP is routinely anycast and this appears to work very well.

> Personally I think that such studies should be done before any vendor
> introduces this functionality.  The study should also take into account
> for global DNS providers, ISP DNS providers and maybe enterprise DNS
> infrastructure.

People from the DNS Privacy Project are doing such measurements. It may
also be possible to replay existing DNS traffic over DNS over TLS. I agree
lots of measuring "in the real world" is required.

> Although we should aim for privacy, we should not jump into a solution
> where operators will actively disable it due to resource and cost limits.

I'm afraid that if service providers will not make a move, the browsers of
their subscribers will, and start preferring the DNS of their vendor or
preferred partner, like CloudFlare.

You mention disabling things, but DNS over HTTPS is specifically designed to
be hard to disable.

So the service provider community may not have a lot of choice, unless they
are fine with third parties taking over their customers' DNS (this is a
common choice in Africa for example).

> For me this kind of sounds like a way to promote the Google DNS resolver rather
> than thinking of all the other potentially problematic scenarios that can happen
> when this is introduced.

You may well be right. Whether this is an outcome we like or not is open to
discussion...

	Bert
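As an added illustration (not from Bert's message or the PowerDNS project) of the "let a proxy do the TLS termination" approach discussed above, here is a dnsdist configuration that terminates DNS over TLS in front of a plain-DNS resolver and bounds per-client TCP state, so a client that opens many connections without reusing them exhausts limits on the proxy rather than the resolver. The certificate paths, addresses and numeric limits are assumptions to be adapted locally.

```lua
-- Added example, not from the original thread: dnsdist terminating DoT in
-- front of a resolver. Paths, addresses and limits are assumed values.

-- Listen for DNS over TLS on port 853 (assumed cert/key locations).
addTLSLocal("0.0.0.0:853", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")

-- The backend resolver only ever sees plain DNS from the proxy (assumed address).
newServer({address = "127.0.0.1:53", name = "resolver"})

-- Bound TCP/TLS state per client so a buggy or hostile client that never
-- reuses or closes connections hits these caps on the proxy, not the resolver.
setMaxTCPClientThreads(16)            -- worker threads handling TCP/TLS sessions
setMaxTCPConnectionsPerClient(50)     -- concurrent connections per source address
setMaxTCPQueriesPerConnection(500)    -- recycle long-lived connections
setMaxTCPConnectionDuration(300)      -- seconds before a connection is closed
setTCPRecvTimeout(5)                  -- seconds; drop idle half-open clients
setTCPSendTimeout(5)
```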
