Page 1: An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?
Chaoyi Lu, Baojun Liu, Zhou Li, Shuang Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Ying Liu, Zaifeng Zhang, Jianping Wu
Page 2: Domain Name System
The start of Internet activities... which says a lot about you.
Figure: DNS client, resolver and authoritative servers. The query "conferences.sigcomm.org?" goes from the client to the resolver and from the resolver to the authoritative servers; the answer 162.249.4.107 comes back to the client.
Page 3: DNS Privacy
Where are the risks?
Figure: the same client, resolver and authoritative server path, with three threats marked: an eavesdropper on the wire, MITM interception of the queries, and a rogue server answering them.
Page 4: DNS Privacy
People could be watching our queries.
RFC 7626 on DNS privacy
The MORECOWBELL surveillance program of the NSA
Page 5: DNS Privacy
People could be watching our queries. And do stuff like:
Device fingerprinting [Chang '15]
User behavior analysis [Kim '15]
User tracking [Kirchler '16]
Page 6: DNS Privacy: What Has Been Done?
Two IETF WGs. Three standardized protocols. More implementations and tests coming...
Timeline (as drawn on the slide, in date order):
Aug. '09: DNSCurve draft
Dec. '11: DNSCrypt
May '14: RFC 7258, Pervasive Monitoring Is an Attack
Sept. '14: IETF DPRIVE WG
Jan. '15: NSA's MORECOWBELL revealed
Aug. '15: RFC 7626, DNS Privacy Considerations
Mar. '16: RFC 7816, QNAME Minimisation
May '16: RFC 7858, DNS-over-TLS (DoT)
Feb. '17: RFC 8094, DNS-over-DTLS
Apr. '17: DNS-over-QUIC draft
Sept. '17: IETF DoH WG
Mar. '18: RFC 8310, Usage Profiles for DoT
Jun. '18: Mozilla's test of DoH
Oct. '18: RFC 8484, DNS-over-HTTPS (DoH)
Mar. '19: Drafts on DoH implementation
Page 7: DNS-over-Encryption: Standard Protocols
DNS-over-TLS (DoT, RFC 7858, May 2016): uses TLS to wrap DNS messages. Dedicated port 853. Stub resolver update needed.
DNS-over-HTTPS (DoH, RFC 8484, Oct 2018): embeds DNS messages in HTTP requests and responses. Shared port 443. More user-space friendly.
Page 8: DNS-over-Encryption: Standard Protocols
Issuing DNS-over-TLS queries with kdig:
$ kdig @1.1.1.1 +tls example.com
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-128-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24012
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
Issuing DNS-over-HTTPS queries in a browser (Google's JSON API):
https://dns.google.com/resolve?name=example.com&type=A
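What the two transports on this slide actually put on the wire, as an added example that is not code from the paper or from kdig. It builds the same query that kdig sends for example.com, frames it the way DoT does (DNS-over-TCP's two-octet length prefix inside TLS), derives the RFC 8484 GET URL for the wire-format DoH variant, and parses a constructed (not captured) answer. The endpoint template https://dns.google/dns-query and the answer address 93.184.216.34 are assumptions for the demo; only query_dot touches the network, and it is not exercised here.

```python
"""DNS wire format, and how DoT (RFC 7858) and DoH (RFC 8484) carry it.

Added example, not the paper's code: build a query, frame it for DoT, derive
the DoH GET URL, and parse a constructed (not captured) answer."""
from __future__ import annotations

import base64
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard recursive query (flags RD=1) for NAME / QTYPE, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def dot_frame(msg: bytes) -> bytes:
    """DoT keeps the DNS-over-TCP framing: a two-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(template: str, msg: bytes) -> str:
    """RFC 8484 GET form: the raw message, base64url without '=' padding.
    Use txid 0 for GET so identical questions share one HTTP cache entry."""
    return template + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # RFC 1035 4.1.4 pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_answers(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Return (name, type, ttl, rdata) per answer RR; A records as dotted quad."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):                              # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


def sample_response() -> bytes:
    """Constructed answer to build_query('example.com'): QR|RD|RA, one A record
    whose owner name is a compression pointer back to the question (offset 12)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("93.184.216.34")
    return header + build_query("example.com")[12:] + rr


def query_dot(server: str, name: str, authname: str | None = None) -> list:
    """Live DoT query (not run offline). AUTHNAME is the name the certificate must
    match (RFC 8310 strict profile); None still verifies the chain against the
    system roots but skips the hostname check, as an IP-only scanner would."""
    ctx = ssl.create_default_context()
    if authname is None:
        ctx.check_hostname = False
    with socket.create_connection((server, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=authname or server) as tls:
        tls.sendall(dot_frame(build_query(name)))
        f = tls.makefile("rb")
        (length,) = struct.unpack("!H", f.read(2))
        return parse_answers(f.read(length))
```

build_query("www.example.com", txid=0) base64url-encodes to exactly the dns= value in RFC 8484's own GET example, which is a quick way to confirm an encoder. One caveat on the kdig line above: +tls by itself selects the opportunistic profile and does not validate the resolver's certificate; add +tls-ca (and +tls-hostname) when you want the strict-profile check the query_dot function performs with an authname.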
Page 9: The Rapid Development of DoE
Widely gaining support from the industry (vendor logos on the slide): public DNS resolvers, DNS server software, operating systems, web browsers.
Page 10: The Rapid Development of DoE
Recent updates from service providers & vendors:
Firefox: plans to enable DoH by default
Google: Chrome DoH experiment on its way
Cloudflare: 8% of queries are using DoT or DoH
Page 11: Questions, from the Users' Perspective
How many DoE servers are there? Methodology: Internet-wide scanning.
How are the reachability and performance of DoE servers? Methodology: large-scale client-side measurement.
What does the real-world usage of DoE look like? Methodology: analysis of passive traffic.
Page 12: Q1: How many servers are there?
Page 13: DoE Server Discovery
DNS-over-TLS (DoT): runs over the dedicated port 853, so it can be found by an Internet-wide scan.
DNS-over-HTTPS (DoH): uses common URI templates (/dns-query, /resolve), so it can be found by URL database inspection.
Page 14: DNS-over-TLS Resolvers
Internet-wide probing with ZMap, getdns & OpenSSL:
1. ZMap: Internet-wide scan of port 853.
2. getdns: send a DoT query to each responding host.
3. OpenSSL: verify the TLS certificate chain.
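The per-host part of this pipeline (open port, TLS handshake, does it really answer DNS, and if verification fails, why), as an added example that is not the paper's scanner: it uses only the Python standard library in place of getdns and the openssl CLI, takes one address at a time, and is meant to be fed the address list a ZMap sweep of port 853 produces. The verify-code buckets are OpenSSL's X509_V_ERR_* codes, which Python exposes on SSLCertVerificationError; the query bytes are a constructed example.com A query.

```python
"""Probe one address on 853 and classify it: port open, TLS handshake, real DNS
answer, and certificate status (valid / expired / self-signed / broken chain).

Added example, not the paper's scanner; stdlib only."""
import socket
import ssl
import struct

# OpenSSL X509_V_ERR_* codes as surfaced by ssl.SSLCertVerificationError.verify_code,
# bucketed into the three categories the slide reports plus two worth telling apart.
VERIFY_CLASSES = {
    2: "broken cert chain",     # unable to get issuer certificate
    9: "not yet valid",         # certificate not yet valid
    10: "expired cert",         # certificate has expired
    18: "self-signed cert",     # depth-zero self-signed certificate
    19: "self-signed cert",     # self-signed certificate in chain
    20: "broken cert chain",    # unable to get local issuer certificate
    21: "broken cert chain",    # unable to verify the first certificate
    62: "hostname mismatch",    # hostname mismatch
}

# Constructed query (id 0, RD, example.com IN A) behind its two-octet DoT length
# prefix, so the probe confirms the listener speaks DNS and not merely TLS.
DOT_PROBE = bytes.fromhex(
    "001d" "0000 0100 0001 0000 0000 0000" "07 6578616d706c65 03 636f6d 00" "0001 0001"
)


def classify_verify_code(code: int) -> str:
    return VERIFY_CLASSES.get(code, f"other verify error ({code})")


def looks_like_dns_response(data: bytes) -> bool:
    """Header sanity check: transaction id matches the probe (0) and QR bit is set."""
    if len(data) < 12:
        return False
    txid, flags = struct.unpack("!HH", data[:4])
    return txid == 0 and bool(flags & 0x8000)


def probe_dot(host: str, port: int = 853, authname: str = None, timeout: float = 5.0) -> dict:
    """One DoT probe. Without AUTHNAME the chain is verified against the system
    roots but the hostname is not checked: a scanner only knows the IP address."""
    result = {"host": host, "port_open": False, "speaks_dns": False,
              "cert_status": None, "tls_version": None, "error": None}
    ctx = ssl.create_default_context()
    if authname is None:
        ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["port_open"] = True
            with ctx.wrap_socket(raw, server_hostname=authname or host) as tls:
                result.update(cert_status="valid", tls_version=tls.version())
                tls.sendall(DOT_PROBE)
                f = tls.makefile("rb")
                (length,) = struct.unpack("!H", f.read(2))
                result["speaks_dns"] = looks_like_dns_response(f.read(length))
    except ssl.SSLCertVerificationError as e:
        # Handshake reached the certificate but it did not verify: bucket the reason.
        result.update(cert_status=classify_verify_code(e.verify_code), error=e.verify_message)
    except ssl.SSLError as e:
        result.update(cert_status="tls handshake failed", error=str(e))
    except (OSError, struct.error) as e:
        # Refused, timed out, reset, or closed before a full length prefix arrived.
        result["error"] = str(e)
    return result


def peer_cert_der(host: str, port: int = 853, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate without verifying it, to record the subject and
    SANs of servers that failed verification (DER bytes for an X.509 parser)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)
```

Two things a practitioner should keep in mind when counting "open DoT resolvers" this way: an open 853 that completes a TLS handshake is not a resolver until it returns a DNS response to the probe (speaks_dns), and a failed verification is a property of the scanner's trust store and of the IP-only connection, so record the certificate (peer_cert_der) and re-check against the names it carries before calling a provider misconfigured.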
Page 15: DNS-over-TLS Resolvers
~2K open DoT resolvers in the wild (as of May 1). Several big players dominate the count of servers.
Top countries by resolver count:

| Country | Resolvers | Share |
|---|---|---|
| IE | 951 | 46% |
| US | 531 | 26% |
| DE | 86 | 4% |
| FR | 56 | 3% |
Page 16: DNS-over-TLS Providers
Small providers: ~70% operate on only a single address.
Security: ~25% of providers use invalid TLS certificates (expired certificates, self-signed certificates, broken certificate chains). A stub configured for the RFC 8310 strict profile refuses such a resolver outright; one using the opportunistic profile connects anyway and gets encryption without authentication.
Page 17: DNS-over-HTTPS Providers
Large-scale URL dataset inspection.
Scale: only 17 providers found, mostly already known from public lists (the DoH list maintained by the curl project).
Found 2 providers beyond the list: dns.adguard.com, dns.233py.com
Page 18: Q2: Are popular services reachable?
Page 19: Reachability to DoE Servers
Measurement platform built on a SOCKS5 proxy network.
Figure: the measurement client sends DNS/TCP, DoT and DoH queries to a super proxy, which forwards them through the proxy network to exit nodes; each exit node issues the same DNS/TCP, DoT and DoH queries to the public DNS resolver.
Page 20: Reachability to DoE Servers
Measurement platform built on a SOCKS5 proxy network.
Vantage points: 114K vantage points from 2 proxy networks.

| Vantage platform | IPs | Countries | ASes |
|---|---|---|---|
| Global | 29,622 | 166 | 2,597 |
| China (censored) | 85,122 | 1 (CN) | 5 |
Page 21: Reachability to DoE Servers
Measurement platform built on a SOCKS5 proxy network. Vantage points: 114K vantage points from 2 proxy networks.
Test items on each vantage point:
Are public services reachable? Query a controlled domain via DNS/TCP, DoT & DoH.
Why do they fail? Inspect the resolver address as seen from that vantage point: its SSL certificate, open ports and web pages.
Page 22: Reachability Test Results
DoE is currently less interrupted by in-path devices: ~99% global reachability.
Query failure rate:

| Vantage | Resolver | DNS/TCP | DoT | DoH |
|---|---|---|---|---|
| Global | Cloudflare | 16.5% | 1.2% | 0.1% |
| Global | Google | 15.8% | - | 0.2% |
| Global | Quad9 | 0.2% | 0.2% | 14.0% |
| China | Google | 1.1% | - | 99.9% |

Cloudflare DNS/TCP (16.5%): the address 1.1.1.1 is conflicted, e.g., squatted by residential network devices.
Page 23: Reachability Test Results
DoE is currently less interrupted by in-path devices: ~99% global reachability.
Examples of 1.1.1.1 address conflicts: ports found open on "1.1.1.1" from the vantage point, i.e. a local device rather than Cloudflare's resolver answering on that address.

| Port open | # Clients | Example client AS |
|---|---|---|
| 22 (SSH) | 28 | AS17488 Hathway IP Over Cable Internet |
| 23 (Telnet) | 40 | AS24835 Vodafone Data |
| 67 (DHCP) | 7 | AS52532 Speednet Telecomunicacoes Ltda |
| 161 (SNMP) | 10 | AS9870 Dong-eui University |
| 179 (BGP) | 23 | AS3269 Telecom Italia S.p.A. |
Page 24: Reachability Test Results
DoE is currently less interrupted by in-path devices: ~99% global reachability.
Same failure-rate table as page 22, with the remaining outliers annotated:

| Vantage | Resolver | DNS/TCP | DoT | DoH |
|---|---|---|---|---|
| Global | Cloudflare | 16.5% | 1.2% | 0.1% |
| Global | Google | 15.8% | - | 0.2% |
| Global | Quad9 | 0.2% | 0.2% | 14.0% |
| China | Google | 1.1% | - | 99.9% |

Quad9 DoH (14.0%): the DoH front end forwards queries to DNS/53 with a small timeout.
China, Google DoH (99.9%): blocked by censorship.
Page 25: Q3: Is DoE query time tolerable?
Page 26: DoE Lookup Performance
Aim: measure the relative query time of DNS and DoE.
A major influence: connection reuse.
Specification (RFC 7858, DNS-over-TLS): "Clients and servers SHOULD reuse existing connections for subsequent queries as long as they have sufficient resources."
Implementation: on the stub side, connection reuse is supported by dig, kdig, Stubby, etc.; Cloudflare's resolver keeps "long-lived" connections open (tens of seconds).
Page 27: DoE Lookup Performance
Vantage points: 8,257 proxy nodes from ProxyRack.
Connection reuse: only the DNS transaction time is recorded.
Figure: measurement client, proxy node and public DNS resolver. The TCP handshake and the TLS handshake happen once per connection; the timed interval covers only the DNS query and the DNS response that follow them.
Page 28: Performance Test Results
Tolerable query-time overhead with reused connections: on average, the extra latency is on the order of milliseconds. Without reuse, every query also pays the TCP handshake and the TLS handshake, i.e. one extra round trip for TCP plus one or two for TLS depending on the version, before the query is even sent.
Page 29: Q4: What does DoE traffic scale look like?
Page 30: DoE Traffic Observation
DNS-over-TLS (DoT): runs over the dedicated port 853, so it can be counted in an ISP NetFlow dataset.
DNS-over-HTTPS (DoH): the resolver's domain name (e.g., dns.google.com) appears in the URI template, so lookups of that name can be counted in a passive DNS dataset.
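Both observation methods on this slide applied to constructed records, as an added example that is not the paper's code and uses neither the ISP's NetFlow nor the passive DNS dataset: DoT is picked out as TCP flows to port 853 and rolled up per client /24 to reproduce the two statistics the later slides report (share of traffic from the top-N netblocks, and netblocks active for under a week), and DoH use is estimated from monthly lookups of resolver hostnames. The flow and passive-DNS rows and the set of DoH hostnames are assumptions for the demo.

```python
"""Spot DoE traffic in the two data sources the slide names: DoT as TCP flows to
port 853 in NetFlow records, DoH as passive-DNS lookups of resolver names.

Added example with constructed records, not the paper's datasets or code."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed NetFlow-style sample: day, client, server, IP protocol, dst port, packets.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,packets
2019-03-01,222.90.1.10,1.1.1.1,6,853,40
2019-03-01,222.90.1.11,1.1.1.1,6,853,35
2019-03-02,222.90.1.10,9.9.9.9,6,853,50
2019-05-10,222.90.1.12,1.1.1.1,6,853,20
2019-03-01,58.213.7.4,8.8.8.8,6,853,10
2019-03-03,58.213.7.4,1.1.1.1,6,853,5
2019-03-01,110.81.5.5,1.0.0.1,6,853,12
2019-03-01,60.206.3.9,8.8.8.8,17,53,900
2019-03-01,123.244.9.9,8.8.8.8,6,443,300
2019-03-01,203.0.113.7,1.1.1.1,17,853,3
"""

# Constructed passive-DNS sample: month, queried name, query count.
SAMPLE_PDNS = """\
month,qname,count
2019-03,dns.google.com,1200
2019-03,cloudflare-dns.com,900
2019-03,dns.quad9.net,150
2019-03,www.example.com,5000
2019-04,dns.google.com,1500
2019-04,cloudflare-dns.com,1100
"""

# Hostnames taken from DoH URI templates (assumption: from a list such as curl's).
DOH_NAMES = {"dns.google.com", "cloudflare-dns.com", "dns.quad9.net"}


def dot_flows(text: str):
    """Yield (day, src, dst, packets) for TCP/853 flows only. UDP/853 is DNS-over-DTLS
    (RFC 8094), not DoT, and TCP/443 could be DoH or any HTTPS, so neither counts."""
    for r in csv.DictReader(io.StringIO(text)):
        if r["proto"] == "6" and r["dport"] == "853":
            yield date.fromisoformat(r["ts"]), r["src"], r["dst"], int(r["packets"])


def per_netblock(flows) -> dict:
    """Roll flows up to the client /24: packets, first/last active day, resolvers hit."""
    stats = {}
    for day, src, dst, pkts in flows:
        block = str(ipaddress.ip_network(f"{src}/24", strict=False))
        s = stats.setdefault(block, {"packets": 0, "first": day, "last": day, "resolvers": set()})
        s["packets"] += pkts
        s["first"], s["last"] = min(s["first"], day), max(s["last"], day)
        s["resolvers"].add(dst)
    return stats


def top_share(stats: dict, n: int) -> float:
    """Fraction of all DoT packets sent by the n busiest netblocks."""
    total = sum(s["packets"] for s in stats.values())
    top = sorted((s["packets"] for s in stats.values()), reverse=True)[:n]
    return sum(top) / total if total else 0.0


def short_lived(stats: dict, max_days: int = 7) -> list:
    """Netblocks whose DoT activity spans fewer than max_days (the 'temp users')."""
    return sorted(b for b, s in stats.items() if (s["last"] - s["first"]).days < max_days)


def doh_monthly(text: str, names=DOH_NAMES) -> dict:
    """Monthly lookup counts of DoH resolver names. This undercounts real DoH use:
    a client resolves the name once per TTL, then reuses the answer for many queries."""
    out = defaultdict(lambda: defaultdict(int))
    for r in csv.DictReader(io.StringIO(text)):
        if r["qname"].lower().rstrip(".") in names:
            out[r["month"]][r["qname"]] += int(r["count"])
    return {m: dict(v) for m, v in out.items()}


if __name__ == "__main__":
    st = per_netblock(dot_flows(SAMPLE_FLOWS))
    print(f"top-1 netblock share: {top_share(st, 1):.0%}, short-lived: {short_lived(st)}")
    print(doh_monthly(SAMPLE_PDNS))
```

On the sample the single busiest /24 carries about 84% of DoT packets and two of the three netblocks are active for under a week, the same skew the NetFlow slides describe. The port-based DoT count is clean because 853 is dedicated; the passive-DNS DoH count is only a proxy for bootstrap lookups, which is the caching limitation the deck itself lists.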
Page 31: DNS-over-TLS Traffic
Data: 18-month NetFlow dataset from a large Chinese ISP.
Scale: still much less than traditional DNS, but growing.
Figure: DoT carries 2 to 3 orders of magnitude less traffic than DNS over port 53.
Page 32: DNS-over-TLS Traffic
Data: 18-month NetFlow dataset from a large Chinese ISP.
Scale: still much less than traditional DNS, but growing.
Clients: a few centralized clients plus many temporary users.
Figure: DoT traffic by client netblock; the largest blocks shown are 222.90.*.*/24, 58.213.*.*/24, 139.199.*.*/24, 60.206.*.*/24, 110.81.*.*/24 and 123.244.*.*/24, followed by smaller ones (42.203.*…, 1.119.*…, 60.190.*…, 221.238…, 123.206…, 218.91…).
Top 20 netblocks: > 60% of DoT traffic.
> 95% of netblocks: active for < one week.
Page 33: DNS-over-HTTPS Traffic
Data: passive DNS dataset, monthly query volume for DoH resolver names.
Big players dominate. Also a growing trend.
Page 34: Limitations
DoE server discovery: the Internet-wide scan misses local (non-public) resolvers; DoH discovery relies on data traces.
Reachability & performance test: the proxy networks only allow TCP traffic.
DoE traffic observation: geographic bias of the dataset; underestimation because of DNS caching (a resolver's hostname is looked up once and then served from cache for many DoH queries).
Page 35: Recommendations
Protocol designers: reuse well-developed protocols.
Service providers: correct misconfigurations; keep servers under regular maintenance.
DNS clients: education on the benefits of encryption.
Dataset & code release: please visit https://dnsencryption.info.
Page 36: Summary: Key Observations
Open DNS-over-Encryption resolvers: a number of less-known small providers; ~25% of providers use invalid TLS certificates.
Client-side usability: currently good reachability (~99%); tolerable performance overhead with reused connections.
Real-world traffic: still much less than traditional DNS, but growing.