DNS over TLS: Encrypting DNS end-to-end

As a first step toward encrypting the last portion of internet traffic that has historically been cleartext, we have partnered with Cloudflare DNS on a pilot project. This pilot takes advantage of …

Manu Bretelle
6 min read, intermediate

Overview

The article discusses the implementation of DNS over TLS (DoT) as a means to encrypt DNS queries and enhance online privacy. It details the collaboration between Facebook and Cloudflare to pilot this technology, the historical context of DNS security, and the results of the pilot project, including performance metrics and future steps.

What You'll Learn

1. How to implement DNS over TLS for enhanced security
2. Why DNS over TLS is important for user privacy
3. When to consider transitioning from UDP to TLS for DNS queries

Key Questions Answered

What is DNS over TLS and how does it enhance security?
DNS over TLS (DoT) is a protocol that encrypts DNS queries between the client and the DNS resolver, providing confidentiality and authentication. This prevents eavesdropping and tampering with DNS requests, thus enhancing online privacy.
What were the results of the pilot project for DNS over TLS?
The pilot project demonstrated that DNS over TLS could operate at scale without negatively impacting user experience. Initial connection latency was noted, but subsequent requests over the same TLS connection showed comparable latency to traditional UDP, indicating effective session reuse.
How does DNS over TLS compare to traditional DNS protocols?
Unlike traditional DNS protocols that transmit queries in cleartext, DNS over TLS encrypts the traffic, making it secure against interception. The pilot showed that while there is some initial latency, the overall performance can match that of UDP once connections are established.
What challenges were identified during the pilot of DNS over TLS?
The pilot highlighted challenges such as the initial latency due to connection setup and the need for session resumption to mitigate overhead. These issues are critical to address for optimizing the performance of DNS over TLS in production environments.

Key Statistics & Figures

p99 DNS latency: on par with the UDP baseline
This indicates that after the initial connection setup, the performance of DNS over TLS is comparable to traditional methods.

Technologies & Tools

Protocol: DNS over TLS. Used to encrypt DNS queries for enhanced security.
Service: Cloudflare DNS. Partnered with Facebook to pilot DNS over TLS.

Key Actionable Insights

1. Implementing DNS over TLS can significantly enhance user privacy and security in DNS queries.
   As online threats increase, adopting DoT can protect sensitive data from eavesdropping, making it a crucial step for organizations prioritizing user security.
2. Utilizing TLS session resumption can help reduce latency in DNS over TLS implementations.
   By reusing existing TLS connections, organizations can minimize the performance impact typically associated with establishing new connections, thus improving user experience.
3. Engaging with the IETF and contributing to the DPRIVE Working Group can help shape the future of DNS security protocols.
   Organizations running DNS services can provide valuable feedback based on real-world implementations, influencing best practices and standards in the industry.

Common Pitfalls

1. Failing to implement session resumption can lead to increased latency in DNS queries.
   Without session resumption, each DNS query may require a new TLS connection, which adds overhead and can degrade performance.
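To make the connection-reuse point concrete, here is an added example (not code from the Facebook/Cloudflare pilot) of a minimal DoT client in Python: it frames queries as RFC 7858 requires (DNS-over-TCP framing inside TLS on port 853) and sends every query over one certificate-verified TLS connection, so only the first query pays the TCP and TLS handshake cost. The resolver address 1.1.1.1 and TLS name cloudflare-dns.com are assumed defaults, and TLS session resumption for later reconnects is not shown.

```python
import secrets, socket, ssl, struct

def build_query(name, qtype=1):
    """Encode a recursive (RD=1) query for `name`, class IN, in DNS wire format."""
    qid = secrets.randbits(16)                      # random id, checked on the reply
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return qid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):  # RFC 7858 keeps DNS-over-TCP framing: a 2-byte big-endian length prefix
    return struct.pack("!H", len(msg)) + msg

def skip_name(msg, off):  # offset just past a (possibly compressed) name starting at off
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:                   # compression pointer ends the name
            return off + 2
        off += 1 + length
    return off + 1

def parse_a_records(msg, expected_id):
    """Check id and RCODE, then collect IPv4 addresses from the answer section."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id or flags & 0x000F:
        raise ValueError(f"bad reply: id={qid} rcode={flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_many(names, resolver="1.1.1.1", sni="cloudflare-dns.com"):
    """Open one certificate-verified TLS session on 853 and reuse it for every query."""
    ctx = ssl.create_default_context()              # verifies the chain and hostname
    with socket.create_connection((resolver, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=sni) as tls:
        stream, results = tls.makefile("rb"), {}
        for name in names:                          # no new TCP/TLS handshake per query
            qid, query = build_query(name)
            tls.sendall(frame(query))
            length = int.from_bytes(stream.read(2), "big")
            results[name] = parse_a_records(stream.read(length), qid)
        return results
```

Calling resolve_many with several names and timing each loop iteration reproduces the pattern the pilot reported: the first answer carries the handshake latency, the rest arrive at roughly UDP speed.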

Related Concepts

DNS Security Extensions (DNSSEC)
Transport Layer Security (TLS)
Internet Engineering Task Force (IETF) Protocols