Austin Hounsel will present his FPO "Measuring the Feasibility of DNS Privacy and Security" on Tuesday, 5/3/2022 at 1:00pm via Zoom.
His committee is as follows: Nick Feamster (adviser); Readers: Prateek Mittal and Kyle Jamieson; Examiners: Nick Feamster, Jennifer Rexford, Ravi Netravali.
All are welcome to attend.
Nearly every service on the Internet relies on the Domain Name System (DNS), which translates humanreadable names to IP addresses. Originally, the DNS was designed without security and privacy concerns
in mind. This has left users’ DNS trac subject to eavesdropping, tampering, and censorship. In response,
encrypted DNS protocols and DNS Security Extensions (DNSSEC) have seen increased deployment.
Although these developments stand to improve users’ security and privacy, two questions remain unanswered. First, it is unclear whether encrypted DNS protocols yield acceptable performance for popular
applications, such as web browsers. Second, it is unclear whether users can reliably retrieve and validate
DNS records that are supposedly protected by DNSSEC. Without answers to these questions, popular applications may choose to not utilize these technologies, compromising the security and privacy of their users.
This thesis studies the feasibility of deploying DNS security and privacy technologies for everyday use
through various Internet measurements. We first measure the performance of encrypted DNS protocols from
data centers and home networks through query response times and page load times. We find that although
encrypted DNS protocols generally result in longer query response times than traditional, unencrypted DNS,
these protocols can perform comparably with well-chosen connection timeouts, connection reuse, and the
usage of popular recursive resolvers. We also find that despite generally higher query response times, web
pages can load faster with encrypted DNS protocols.
We then collaborate with a major browser vendor to measure how often users can successfully retrieve
and validate records with DNSSEC. To do so, we deploy a measurement add-on to a globally-distributed
random sample of the browser’s release users. The add-on issues requests for various records types for a
domain name that we control using the browser’s locally configured recursive resolver. We find that many
users were unable to retrieve the correct DNSSEC records they needed to perform validation. Such failure
prevents users from being able to reliably determine whether their DNS trac is under attack or not.