An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?

Proceedings of the Internet Measurement Conference 2018 Pub Date : 2019-10-21 DOI:10.1145/3355369.3355580

Chaoyi Lu, Baojun Liu, Zhou Li, S. Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Y. Liu, Zaifeng Zhang, Jianping Wu

{"title":"An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?","authors":"Chaoyi Lu, Baojun Liu, Zhou Li, S. Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Y. Liu, Zaifeng Zhang, Jianping Wu","doi":"10.1145/3355369.3355580","DOIUrl":null,"url":null,"abstract":"DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"66","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Internet Measurement Conference 2018","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3355369.3355580","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 66

Abstract

DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.

查看原文本刊更多论文

端到端大规模测量dns加密:我们已经走了多远?

根据初始标准，DNS数据包被设计成以未加密的形式通过Internet传输。最近的发现表明，现实世界的对手正在积极利用这种设计漏洞来损害互联网用户的安全和隐私。为了减轻这种威胁，已经提出了几种协议来加密DNS客户端和服务器之间的DNS查询，我们将其统称为DNS over- encryption。虽然一些建议已经标准化，并得到了业界的大力支持，但从全球用户的角度来理解它们的现状却做得很少。本文首次对dns over- encryption进行了端到端的大规模分析。通过收集来自互联网扫描、用户端测量和被动监控日志的数据，我们获得了一些独特的见解。一般来说，从可访问性和延迟方面来看，DNS-over-Encryption的服务质量是令人满意的。对于DNS客户端，与传统DNS相比，DNS over- encryption查询不太可能被路径内拦截中断，并且额外的开销是可以忍受的。然而，我们也发现了一些关于如何操作服务的问题。例如，我们发现25%的DNS-over-TLS服务提供商使用无效的SSL证书。与传统的DNS相比，使用DNS over- encryption的用户要少得多，但我们目睹了这种趋势的增长。因此，我们认为社区应该推动更广泛地采用DNS-over-Encryption，我们也建议服务提供商仔细审查他们的实现。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the Internet Measurement Conference 2018

自引率

0.00%

发文量

文献相关原料

公司名称	产品信息	采购帮参考价格