Abstract:

"Virtually every device on the Internet relies on the Domain Name System (DNS) to translate human-readable names to IP addresses. Originally, the DNS was designed without security and privacy concerns in mind. This has left users’ DNS traffic subject to eavesdropping, tampering, and censorship. In response, encrypted DNS protocols and DNS Security Extensions (DNSSEC) have seen increased deployment.

Although these technologies are designed to improve users’ security and privacy, two key questions remain unanswered. First, it is unclear whether encrypted DNS protocols yield acceptable performance for popular applications, such as web browsers. Second, it is unclear whether users can reliably retrieve the DNS records that are necessary for client-side DNSSEC validation. Without answers to these questions, popular application developers are unable to determine the feasibility and value of deploying these technologies.

This thesis studies the feasibility and value of deploying DNS security and privacy technologies through various Internet measurements. We first present performance measurements of encrypted DNS protocols from data centers and home networks. We not only measure query response times, but also web page load times to understand how these protocols might impact popular applications that issue numerous queries. We find that although encrypted DNS protocols generally result in longer query response times than traditional, unencrypted DNS, these protocols can result in faster page load times. Our work suggests that users don’t need to trade DNS performance for privacy.

On the other hand, we also find that the security value of implementing client-side DNSSEC validation is questionable. We present a collaboration with a major browser vendor to measure how often browser users can successfully retrieve DNS records that are necessary for client-side DNSSEC validation. To do so, we deploy a measurement add-on to a global distribution of 5% of the browser’s beta users. The add-on issues queries for various DNS records under a domain name that we control using the browser's locally configured recursive resolver. We find that users were unable to retrieve the correct DNS records they needed to perform client-side DNSSEC validation across approximately 1/3rd of the measurements. Thus, applications may not obtain additional security from DNSSEC beyond querying a recursive resolver that supports it."