
Exploring the Ecosystem of DNS HTTPS Resource Records: An End-to-End Perspective (2403.15672v2)

Published 23 Mar 2024 in cs.NI

Abstract: The DNS HTTPS resource record is a new DNS record type designed for the delivery of configuration information and parameters required to initiate connections to HTTPS network services. In addition, it is a key enabler for TLS Encrypted ClientHello (ECH) by providing the cryptographic keying material needed to encrypt the initial exchange. To understand the adoption of this new DNS HTTPS record, we perform a longitudinal study on the server-side deployment of DNS HTTPS for Tranco top million domains, as well as an analysis of the client-side support for DNS HTTPS through snapshots from major browsers. To the best of our knowledge, our work is the first longitudinal study on DNS HTTPS server deployment, and the first known study on client-side support for DNS HTTPS. Despite the rapidly growing trend of DNS HTTPS adoption, our study highlights challenges and concerns in the deployment by both servers and clients, such as the complexity in properly maintaining HTTPS records and connection failure in browsers when the HTTPS record is not properly configured.
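
The abstract describes the HTTPS record as the carrier of connection parameters and of the ECH keying material, and names badly maintained records as a cause of browser connection failures. The following is an added example, not code from the paper or its authors: a parser and validator for HTTPS RDATA that follows the RFC 9460 wire format (SvcPriority, uncompressed TargetName, then SvcParams as key/length/value) and its rules for when a client must treat the record as malformed or ignore it, with the "ech" value read as an ECHConfigList as laid out in the TLS ECH draft. The sample records, the build_rdata encoder and the ECHConfig body bytes are constructed here for illustration; they are placeholders, not data from the paper's measurements or a real zone.

```python
import base64
import ipaddress
import struct

# SvcParamKey codepoints from RFC 9460; "ech" (5) is the key the TLS ECH draft registers.
KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
             4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

class MalformedRecord(ValueError): pass  # RFC 9460: client MUST treat RR as malformed / ignore it

def read_name(data, pos):
    """Read an uncompressed DNS name (SVCB RDATA never uses compression pointers)."""
    labels = []
    while pos < len(data) and data[pos] != 0:
        n = data[pos]
        if n > 63:
            raise MalformedRecord("bad label length (compression pointer?) in TargetName")
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos >= len(data):
        raise MalformedRecord("truncated TargetName")
    return (".".join(labels) + "." if labels else "."), pos + 1

def decode_value(key, value):
    """Check a SvcParamValue has the format its key requires; unknown keys are kept raw."""
    if key == 0:  # mandatory: non-empty, strictly increasing key list that never lists itself
        keys = list(struct.unpack("!%dH" % (len(value) // 2), value[:len(value) & ~1]))
        if not keys or len(value) % 2 or 0 in keys or keys != sorted(set(keys)):
            raise MalformedRecord("mandatory: invalid key list")
        return keys
    if key == 1:  # alpn: one or more alpn-ids, each with a 1-octet length prefix
        ids, pos = [], 0
        while pos < len(value):
            n = value[pos]
            if n == 0 or pos + 1 + n > len(value):
                raise MalformedRecord("alpn: bad alpn-id length")
            ids.append(value[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        if not ids:
            raise MalformedRecord("alpn: empty")
        return ids
    if key in (4, 6):  # ipv4hint / ipv6hint: a non-empty list of packed addresses
        size = 4 if key == 4 else 16
        if not value or len(value) % size:
            raise MalformedRecord("%s: bad length" % KEY_NAMES[key])
        return [str(ipaddress.ip_address(value[i:i + size])) for i in range(0, len(value), size)]
    if key == 5:  # ech: ECHConfigList = 2-octet length, then ECHConfig{version, length, body}...
        if len(value) < 6 or struct.unpack("!H", value[:2])[0] != len(value) - 2:
            raise MalformedRecord("ech: ECHConfigList length mismatch")
        version, length = struct.unpack("!HH", value[2:6])  # header of the first ECHConfig
        if length > len(value) - 6:
            raise MalformedRecord("ech: truncated ECHConfig")
        return {"version": version, "b64": base64.b64encode(value).decode()}
    return value

def parse_https_rdata(rdata):
    """Parse HTTPS RDATA; raise MalformedRecord where a conforming client would drop the RR."""
    if len(rdata) < 2:
        raise MalformedRecord("truncated SvcPriority")
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise MalformedRecord("truncated SvcParam header")
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        if key <= last_key:  # RFC 9460 section 2.2: strictly increasing, so no duplicates either
            raise MalformedRecord("SvcParamKeys not in strictly increasing order")
        value, pos, last_key = rdata[pos + 4:pos + 4 + length], pos + 4 + length, key
        if len(value) != length:
            raise MalformedRecord("RDATA ends inside SvcParam %d" % key)
        params[key] = decode_value(key, value)
    if priority == 0:  # AliasMode: clients ignore any SvcParams that are present
        return {"priority": 0, "target": target, "params": {}}
    for k in params.get(0, []):  # section 8: unknown or absent mandatory key => ignore the RR
        if k not in KEY_NAMES or k not in params:
            raise MalformedRecord("mandatory key %d unknown or absent" % k)
    if 2 in params and 1 not in params:  # section 7.1: no-default-alpn requires alpn
        raise MalformedRecord("no-default-alpn without alpn")
    return {"priority": priority, "target": target, "params": params}

def build_rdata(priority, target, params):
    """Constructed-input encoder for the samples below; params is a list of (key, value_bytes)."""
    out = struct.pack("!H", priority)
    for label in ([] if target == "." else target.rstrip(".").split(".")):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + b"".join(struct.pack("!HH", k, len(v)) + v for k, v in params)

def reject_reason(rdata):
    """None if a client would use the RR, otherwise why RFC 9460 says it must be ignored."""
    try:
        parse_https_rdata(rdata)
        return None
    except MalformedRecord as e:
        return str(e)

# Constructed sample records (placeholder bytes, not from the paper's dataset or a real zone).
ECH_LIST = b"\x00\x08" + struct.pack("!HH", 0xFE0D, 4) + b"\x01\x02\x03\x04"  # one draft-13-style ECHConfig
GOOD = build_rdata(1, ".", [(1, b"\x02h3\x02h2"), (4, bytes([192, 0, 2, 1])), (5, ECH_LIST)])
BAD_ORDER = build_rdata(1, ".", [(4, bytes([192, 0, 2, 1])), (1, b"\x02h2")])
BAD_MANDATORY = build_rdata(1, "svc.example.", [(0, b"\x00\x05"), (1, b"\x02h2")])  # mandates ech, omits it
ALIAS = build_rdata(0, "cdn.example.", [(1, b"\x02h2")])  # AliasMode: the alpn param is ignored
```

Feeding the raw RDATA of a real answer (for instance from dnspython's rdata.to_wire()) to reject_reason shows the kind of operator mistake the abstract refers to: a record whose mandatory list names a key that was later removed, or whose "ech" value is stale or truncated, is one a conforming client drops rather than repairs, and GOOD, BAD_ORDER and BAD_MANDATORY above exercise exactly those paths.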
