An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?

Chaoyi Lu, Baojun Liu, Zhou Li, S. Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Y. Liu, Zaifeng Zhang, Jianping Wu
{"title":"An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?","authors":"Chaoyi Lu, Baojun Liu, Zhou Li, S. Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Y. Liu, Zaifeng Zhang, Jianping Wu","doi":"10.1145/3355369.3355580","DOIUrl":null,"url":null,"abstract":"DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"130 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"66","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Internet Measurement Conference 2018","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3355369.3355580","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 66

Abstract

DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.
端到端大规模测量dns加密:我们已经走了多远?
根据初始标准,DNS数据包被设计成以未加密的形式通过Internet传输。最近的发现表明,现实世界的对手正在积极利用这种设计漏洞来损害互联网用户的安全和隐私。为了减轻这种威胁,已经提出了几种协议来加密DNS客户端和服务器之间的DNS查询,我们将其统称为DNS over- encryption。虽然一些建议已经标准化,并得到了业界的大力支持,但从全球用户的角度来理解它们的现状却做得很少。本文首次对dns over- encryption进行了端到端的大规模分析。通过收集来自互联网扫描、用户端测量和被动监控日志的数据,我们获得了一些独特的见解。一般来说,从可访问性和延迟方面来看,DNS-over-Encryption的服务质量是令人满意的。对于DNS客户端,与传统DNS相比,DNS over- encryption查询不太可能被路径内拦截中断,并且额外的开销是可以忍受的。然而,我们也发现了一些关于如何操作服务的问题。例如,我们发现25%的DNS-over-TLS服务提供商使用无效的SSL证书。与传统的DNS相比,使用DNS over- encryption的用户要少得多,但我们目睹了这种趋势的增长。因此,我们认为社区应该推动更广泛地采用DNS-over-Encryption,我们也建议服务提供商仔细审查他们的实现。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信