Traditionally, DNS packets are transmitted in clear text, and adversaries actively exploit this design to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we collectively term DNS-over-Encryption. We aim to understand the current status of DNS-over-Encryption by analyzing several large-scale datasets. We find that, in general, the service quality of DNS-over-Encryption is satisfactory in terms of accessibility and latency. However, we also discover several issues regarding how the services are operated. As an example, we find that 25% of DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is currently used by far fewer users, but we have witnessed a growing trend. As such, we believe the community should push for its broader adoption, and we also suggest that service providers carefully review their implementations.
We make the following datasets and source code publicly available.
We scan the IPv4 address space for hosts with TCP port 853 open, and then probe them with DoT queries. We also verify their SSL certificate paths using OpenSSL. The following files contain our scan results, one per scan date (file names as released):
open_dot_resovler_190201
open_dot_resovler_190211
open_dot_resovler_190221
open_dot_resovler_190301
open_dot_resovler_190311
open_dot_resovler_190321
open_dot_resovler_190401
open_dot_resovler_190411
open_dot_resovler_190421
open_dot_resovler_190501
open_dot_resovler_190701
open_dot_resovler_200701
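As an added illustration (not the project's released scanner), the following Python probe performs the per-host check described above for a single resolver: it opens TLS on port 853, validates the certificate chain and name against the system trust store (the equivalent of the OpenSSL path check), and sends one length-prefixed DNS query. The `server_name` argument is an assumption supplied by the caller: the name the resolver's certificate is expected to carry.

```python
import random
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1, qid=None) -> bytes:
    """Wire-format DNS query (RFC 1035): 12-byte header plus one question, no EDNS."""
    qid = random.randrange(0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: RD set
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix (RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Extract the header fields a reachability probe cares about."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "ancount": an}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-message")
        buf += chunk
    return buf


def probe_dot(host: str, server_name: str, port: int = 853,
              name: str = "example.com", timeout: float = 5.0) -> dict:
    """Connect to host:port over TLS, verify the certificate for server_name using the
    system trust store, then send one A query and report reachability and validity."""
    ctx = ssl.create_default_context()  # chain + hostname verification enabled by default
    query = build_query(name)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(query))
            length, = struct.unpack("!H", _recv_exact(tls, 2))
            hdr = parse_header(_recv_exact(tls, length))
            answered = hdr["is_response"] and hdr["id"] == parse_header(query)["id"]
            return {"reachable": True, "cert_valid": True,
                    "answered": answered, "rcode": hdr["rcode"]}
    except ssl.SSLCertVerificationError as exc:  # must precede OSError (its parent)
        return {"reachable": True, "cert_valid": False, "error": exc.verify_message}
    except OSError as exc:  # refused, timed out, or reset before/after the handshake
        return {"reachable": False, "cert_valid": None, "error": str(exc)}
```

A result with `cert_valid: False` corresponds to the "invalid SSL certificate" category reported above; `reachable: False` means port 853 did not complete a TLS session at all.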
We use ProxyRack to test the reachability and performance of three public DNS-over-Encryption services: Cloudflare, Google and Quad9. Our source code can be found here.
We use passive DNS datasets of Farsight Security and Qihoo 360 to measure DoH usage.
Copyright (c) 2019 NISL @ Tsinghua University. All rights reserved.