Evaluating DNS Resiliency and Responsiveness with Truncation, Fragmentation & DoTCP Fallback (2307.06131v1)
Abstract: Since its introduction in 1987, the DNS has become one of the core components of the Internet. While it was designed to work with both TCP and UDP, DNS-over-UDP (DoUDP) has become the default option due to its low overhead. As new Resource Records were introduced, the sizes of DNS responses increased considerably. This growth in message size has led to more frequent truncation and IP fragmentation in recent years, and large UDP responses make DNS an easy vector for amplifying denial-of-service attacks, which can reduce the resiliency of DNS services. This paper investigates the resiliency, responsiveness, and usage of DoTCP and DoUDP over IPv4 and IPv6 for 10 widely used public DNS resolvers. In these experiments, these aspects are investigated from the edge and from the core of the Internet to represent the communication of the resolvers with DNS clients and authoritative name servers. Overall, more than 14M individual measurements from 2527 RIPE Atlas Probes have been analyzed, highlighting that most resolvers show similar resiliency for both DoTCP and DoUDP. While DNS Flag Day 2020 recommended a buffer size of 1232 bytes, we find that 3 out of 10 resolvers mainly announce very large EDNS(0) buffer sizes, both from the edge and from the core, which potentially causes fragmentation. In reaction to large response sizes from authoritative name servers, we find that resolvers do not fall back to the usage of DoTCP in many cases, bearing the risk of fragmented responses. As the message sizes in the DNS are expected to grow further, this problem will become more urgent in the future.
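The two wire-level signals the abstract turns on are the TC (truncation) bit in the DNS header, which is what should trigger a DoTCP retry, and the UDP payload size a resolver announces in its EDNS(0) OPT record, which DNS Flag Day 2020 recommends capping at 1232 bytes. The following is an added example, not the paper's measurement code: it builds constructed DNS responses with raw `struct` packing, parses the header flags and the OPT pseudo-record, and reports whether a client should retry over TCP and whether the announced buffer size exceeds the 1232-byte recommendation. The names `build_message`, `parse_response` and `assess` are this example's own.

```python
"""Inspect a DNS response for truncation (TC bit) and for an oversized
EDNS(0) UDP payload size.  Added example with constructed messages; it
does not send any traffic."""
import struct

FLAG_DAY_2020_BUFSIZE = 1232   # EDNS(0) buffer size recommended by DNS Flag Day 2020
TYPE_OPT = 41                  # RR type of the EDNS(0) OPT pseudo-record (RFC 6891)
TC_BIT = 0x0200                # TC flag within the 16-bit DNS header flags word


def encode_name(name):
    """Encode a dotted name as a sequence of DNS labels ending in the root label."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name at `offset`."""
    while True:
        length = data[offset]
        if length == 0:                  # root label terminates the name
            return offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def build_message(qname, tc, edns_bufsize, msg_id=0x1234):
    """Build a minimal DNS response: header, one question, one OPT RR.

    `tc` sets the truncation bit; `edns_bufsize` is the UDP payload size
    the responder announces.  Constructed for the example, not captured."""
    flags = 0x8180 | (TC_BIT if tc else 0)          # QR, RD, RA (+ TC)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)  # QD=1, AR=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE/version/flags (all zero here), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def parse_response(data):
    """Extract the TC bit and the EDNS(0) buffer size (None if no OPT RR is present)."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(data, offset) + 4         # skip QTYPE and QCLASS
    edns_bufsize = None
    for _ in range(an + ns + ar):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_bufsize = rclass        # OPT reuses the CLASS field for the payload size
    return {"id": msg_id, "tc": bool(flags & TC_BIT), "edns_bufsize": edns_bufsize}


def assess(data, recommended=FLAG_DAY_2020_BUFSIZE):
    """Decide what a client or resolver should do with this UDP response.

    A set TC bit means the answer is incomplete and must be re-fetched over
    TCP; an announced buffer above `recommended` means responses may be
    carried in fragmented IP datagrams."""
    info = parse_response(data)
    return {
        "retry_over_tcp": info["tc"],
        "fragmentation_risk": info["edns_bufsize"] is not None
        and info["edns_bufsize"] > recommended,
    }


if __name__ == "__main__":
    # Constructed samples: a truncated answer, and a responder announcing 4096 bytes.
    truncated = build_message("example.com", tc=True, edns_bufsize=1232)
    oversized = build_message("example.com", tc=False, edns_bufsize=4096)
    print(assess(truncated))   # retry over TCP, buffer within the recommendation
    print(assess(oversized))   # no truncation, but buffer above 1232 bytes
```

The same `assess` logic applied to a real resolver's answer is the check behind the abstract's two findings: a responder that announces well above 1232 bytes is exposing itself to fragmentation, and a resolver that receives a TC-flagged answer from an authoritative server but does not retry over TCP is the fallback failure the paper measures.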