[dns-operations] DNS over TLS: slowly happening

Henderson, Karl KHenderson at verisign.com
Thu Jun 28 11:45:57 UTC 2018


I’m in full support of Bjorn’s request for real-world non-peacetime performance numbers. Most of the research I’ve found concentrates on peacetime numbers in a lab environment.

Karl Henderson
Sr. Engineer
CTO Technical Team
Verisign, Inc

-----Original Message-----
Hi,

Has anyone done any real research with real-world numbers on the server side when using DNS-over-TLS?

Let's say you have a moderate setup with 1M daily unique clients per server, and the server is handling up to 30k QPS in normal traffic in peak hours.

And what happens during an attack, when each client opens up a large number of new unique connections?
Or if a vendor introduces a bug that does not reuse the TCP connection and opens up a new one each time without closing the unused one?
Also, how will this work in an ISP Anycast situation?

Personally I think that such studies should be done before any vendor introduces this functionality. The study should also take into account global DNS providers, ISP DNS providers and maybe enterprise DNS infrastructure.

I would also personally prefer a UDP-based solution like DNS-over-QUIC, which I believe will be more efficient on the server side (without doing any testing).

Moving over to TCP, there will probably be a new way of calculating resources. Usually with UDP you could mostly rely on QPS, but with TCP and TLS there are other resource limits to take into account. And we don't want to end up in a situation where X servers were needed in a normal UDP-based configuration, but now there is a need for 5X-10X to handle the same amount of traffic.

Although we should aim for privacy, we should not jump into a solution where operators will actively disable it due to resource and cost limits.

For me this kind of sounds like a way to promote Google's DNS resolver rather than thinking of all the other potentially problematic scenarios that can happen when this is introduced.

BR,
Bjorn Hellqvist
Senior System Specialist (Internet & DNS)
Telia Company
Solna, Sweden

