[dns-operations] DNS over TLS: slowly happening

Sara Dickinson sara at sinodun.com
Wed Jun 27 10:09:44 UTC 2018



> On 26 Jun 2018, at 14:02, bert hubert <bert.hubert at powerdns.com> wrote:
> 
> Hi Björn,
> 
> Good to see someone from the resolver community post on this list! Usually
> most of us are from the (cc)TLD or hosting community.
> 
> On Tue, Jun 26, 2018 at 11:17:46AM +0000, Hellqvist, Björn wrote:
>> Has anyone done any real research with real-world numbers on the server side when using DNS-over-TLS?
> 
> Somewhat: https://ripe76.ripe.net/presentations/92-RIPE76_DNS_Privacy_measurements.pdf
> and https://ripe76.ripe.net/presentations/95-jonglez-dns-tcp-ripe76.pdf
> 
> These numbers are not entirely 'real world' though.

We are waiting to hear about some more funding to extend our study as, yes, it is basic. Also, with this kind of testing there are so many more dimensions to consider to model the ‘real world’ than when profiling DNS-over-UDP…

> 
>> And what happens during an attack and each client opens up a large number
>> of new unique connections?  Or if a vendor introduces a bug that does not
>> reuse the TCP connection and opens up a new one each time without closing
>> the unused one?
> 
> I personally recommend having a proxy do the dnsdist termination, this means
> that at worst the proxy fails. This has also been measured in the
> presentations above.

I’d also recommend this approach for a large scale deployment.

> 
>> Although we should aim to privacy, we should not jump in to a solution
>> where operators actively will disable it due to resource and cost limits.
> 
> I'm afraid that if service providers will not make a move, the browsers of
> their subscribers will, and start preferring the DNS of their vendor or
> preferred partner, like CloudFlare.
> 
> You mention disabling things, but DNS over HTTPS is specifically designed to
> be hard to disable.
> 
> So the service provider community may not have a lot of choice, unless they
> are fine with third parties taking over their customers' DNS (this is a
> common choice in Africa for example).

I completely agree with Bert and John here. The move to browsers doing their own DNS directly using DoH (probably to preferred providers) is happening whether we like it or not. It is a hard argument to persuade users to switch back to an unencrypted transport to their ISP when browsers are ‘protecting their DNS’ (or however it is sold).

Sara.
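The proxy-termination approach that Bert and Sara recommend, and the two failure modes Björn raises (a connection flood, or a client that never reuses its TCP connection), can be addressed in the proxy's configuration. The following is an added example, not code from the thread or from the dnsdist project: a dnsdist Lua configuration that terminates DNS-over-TLS on port 853 and forwards plain DNS to a backend resolver, with per-client and per-connection caps so that a misbehaving or hostile client exhausts only its own quota rather than the resolver. The backend address 127.0.0.1:53, the certificate and key paths, and every numeric limit are assumptions chosen for illustration; option names and defaults have changed across dnsdist releases, so check them against the documentation for the version actually deployed.

```lua
-- Added example, not dnsdist's own documentation or the thread's code.
-- Assumptions: the real resolver listens on 127.0.0.1:53 over a trusted
-- local path; certificate/key paths are placeholders; limits are illustrative.

-- Backend resolver reached over plain DNS; TLS is terminated here, in dnsdist,
-- so the resolver never pays for handshakes or idle encrypted connections.
newServer({address = "127.0.0.1:53", name = "resolver"})

-- Who may query this proxy (assumption: a public DoT service).
setACL({"0.0.0.0/0", "::/0"})

-- Plain DNS for legacy clients.
addLocal("0.0.0.0:53")

-- DNS-over-TLS listener; cert and key paths are placeholders.
addTLSLocal("0.0.0.0:853", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")

-- Worker threads that service TCP/TLS connections; size to the host.
setMaxTCPClientThreads(16)

-- Cap on simultaneous TCP/TLS connections from one source address.
-- This is what bounds the "each client opens a large number of new unique
-- connections" case: one flooding client cannot consume every slot.
setMaxTCPConnectionsPerClient(20)

-- Bound how long a single connection may live, in queries and in seconds,
-- so a client that holds connections open but never reuses them properly
-- is recycled instead of pinning resources indefinitely.
setMaxTCPQueriesPerConnection(500)
setMaxTCPConnectionDuration(600)

-- Drop idle connections that send nothing within this many seconds.
setTCPRecvTimeout(10)

-- Backlog of accepted-but-not-yet-serviced connections before new ones are refused.
setMaxTCPQueuedConnections(1000)
```

With this shape, the resolver itself only ever sees plain-DNS traffic from one well-behaved peer (the proxy), and the worst case under a connection flood is that the proxy refuses or recycles connections, which is the "at worst the proxy fails" property Bert describes. Watch the proxy's connection and handshake counters when tuning the caps: set too low, they will also throttle legitimate clients behind large NATs.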


