SlideShare a Scribd company logo

Encrypted DNS research @ nic.at

A
Alex Mayrhofer

The talk presents fomr of the nic.at R&D work in the fields of Encrypted DNS. The main topics are standardization efforts (and reasoning) about EDNS(0) padding, and a cost estimation of DNS over TLS. This talk was giving in July 2017 at JSCA, an event of the .fr ccTLD operator AFNIC:

Internet
1 of 27
Download to read offline
1 · www.nic.at Encrypted DNS Research @ nic.at EDNS Padding, Experiments, Cost Simulation #JCSA17 · public 2017-07-06 · Alexander Mayrhofer · Head of R&D
2 · www.nic.at Agenda • About nic.at • ENDS Padding is required for Privacy!  Motivation / History  RFC7830  Padding Size Considerations • Practical experiments @ nic.at  Stubby  Knot Resolver • TLS/TCP Cost Simulation  Current UDP-based volume  Client Behaviour - Assumptions  TLS/TCP Traffic Simulation #JCSA17 · public
3 · www.nic.at About nic.at .at 1.3M domains gTLDs Backend + Registry RcodeZero DNS Services R&D 4 FTEs
4 · www.nic.at EDNS(0) Padding It‘s required for privacy – but, why?
5 · www.nic.at EDNS(0) Padding – why? • Encryption removes „direct“ access to the information  What‘s left for the Attacker? • „Pretty Bad Privacy – Pitfalls of DNS Encryption“*  Haya Shulman @ IETF 93  Applied Networking Research Price – IRTF • Side Channel information is key!  Countermeasures *https://www.ietf.org/proceedings/93/slides/slides-93-irtfopen-1.pdf
6 · www.nic.at Application Queries – it‘s a stream • A Pattern - Not just a single query/response pair
7 · www.nic.at Encrypted DNS • Streams still create size/timing „patterns“
8 · www.nic.at Size based Correlation • Compare with known clear text patterns • Even works with a subset of message sizes
9 · www.nic.at Introducing Padding • Obfuscates the size pattern -> Hampers correlation • More „hits“ -> less likely that identification is possible
10 · www.nic.at RFC 7830 – EDNS(0) Padding Option • EDNS Option code 12 https://tools.ietf.org/html/rfc7830
11 · www.nic.at Size of Padding? • Block? Random? Power of 2? Maximum?  Tradeoff resources vs. Identifcation potential • Empirical Research Work by Daniel K. Gillmor*  Evaluates strategies against Attacker / Defender Costs • IETF: Padding Policy Draft** (wip) *https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf **https://tools.ietf.org/id/draft-ietf-dprive-padding-policy
12 · www.nic.at Experiments with encrypted DNS
13 · www.nic.at Stubby + Knot Resolver Pssst… nothing new here… move on…
14 · www.nic.at Encrypted DNS Cost Simulation There‘s no Free Lunch in Security
15 · www.nic.at Basic Question & Idea • „What if 100% of all DNS queries would reach us via TCP/TLS?“ • Let‘s simulate it! Assumption of client behaviour + Real world packet traces = --------------------------------- Simulated TLS/TCP Traffic/events * Estimated cost factors --------------------------------- „Guesstimated“ TLS/TCP Costs
16 · www.nic.at Simulation „Rules“ / Assumptions • Sessions & Queries:  First query from an IP starts TLS session  Subsequent queries use existing session  One session per client IP  Assumes pipelining etc.. • Session will terminate after:  N seconds idle time  M seconds max session length (M > N)  X number of max. queries
17 · www.nic.at Simulated Events / data • Queries (Responses) • Concurrent session count  at a given time  Idle vs active  Session duration (Etc. etc. etc) • Session Setup • Session Teardown  Idle timeout  Max. session duration  Max. session queries
18 · www.nic.at Input Data • .at PCAP data  Authoritative!  Single server  78M queries (~1000qps)  IPv4 / UDP only • Traffic properties  „normal“ day (20170620)  Few spikes / no DDoS  Biggest spike: 11k qps  ~7% of .at total traffic
19 · www.nic.at Simulation Results: Session setups Idle = 60s; maxduration=3600s; maxqueries=10.000
20 · www.nic.at Sessions: Established vs. Active Idle = 60s; maxduration=3600s; maxqueries=10.000
21 · www.nic.at Session Teardown Details • Reasons:  Idle Timeout: 13.8M sessions (99.98%)  Maximum Duration: 16222 session (0.12%)  Maximum Queries: 1339 sessions (0.0097%) • Idle Timeout – by „usage intensity“:  Short sessions (d < 2*idle): 12.6M (91.3%)  „Burst“ sessions (active < 3s): 10.6M (77,0%) • # of Queries: 38.25 per session (avg.) -> Idle Timeout has the biggest impact!
22 · www.nic.at Vary the Idle Timeout • Simulate for 5, 10, 20, (60), 120, 300s idle timeout  Retain other parameters (max duration, max queries)  Tradeoff Established Sessions vs. Session Setups  Where‘s the „Sweet Spot“?
23 · www.nic.at Cost Estimation • Packets per Second (pps – 600kpps capacity)  Query/Response: 2 packets / 3.3 ppm  TCP/TLS setup: 6 packets (…) / 10 ppm  Teardown: 3 packets / 5 ppm • CPU/IO/ …*  Query: 200k qps/server 5 ppm  TLS Setup: 3300 sps/server 300 ppm  Session Teardown: ? 20 ppm (guess!!) • Memory - 2GB capacity (for TLS)  TLS Session: 3kB/session** 1.5 ppm *https://cdn-1.wp.nginx.com/wp-content/files/nginx-pdfs/Sizing-Guide-for-Deploying-NGINX-on-Bare-Metal-Servers.pdf **https://www.wolfssl.com/wolfSSL/benchmarks-wolfssl.html
24 · www.nic.at Cost Comparison
25 · www.nic.at What‘s the „Magic Number“? • TLS vs. UDP Cost Ratio ~8 (60s idle timeout)
26 · www.nic.at Summary • ENDS Padding – required for Privacy!  RFC7830 - Size recommendations in progress • TLS-DNS Experiments  Use Stubby + Server of your choice • TLS Cost Simulation  The Magic Number is roughly 8.  And, it depends. TLS optimization, cost assumptions  Future work: Better simulation (vary client behaviour), more precise cost factor estimation
27 · www.nic.at nic.at GmbH Jakob-Haringer-Str. 8/V · 5020 Salzburg · Austria T +43 662 4669 -DW · F -29 alexander.mayrhofer@nic.at · www.nic.at

Recommended

Passive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoPassive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoHenry Stern
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...APNIC
 
opentsdb in a real enviroment
opentsdb in a real enviromentopentsdb in a real enviroment
opentsdb in a real enviromentChen Robert
 
HBaseCon 2013: OpenTSDB at Box
HBaseCon 2013: OpenTSDB at BoxHBaseCon 2013: OpenTSDB at Box
HBaseCon 2013: OpenTSDB at BoxCloudera, Inc.
 
Monitoring MySQL with OpenTSDB
Monitoring MySQL with OpenTSDBMonitoring MySQL with OpenTSDB
Monitoring MySQL with OpenTSDBGeoffrey Anderson
 
1404 app dev series - session 8 - monitoring & performance tuning
1404 app dev series - session 8 - monitoring & performance tuning1404 app dev series - session 8 - monitoring & performance tuning
1404 app dev series - session 8 - monitoring & performance tuningMongoDB
 
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Ruo Ando
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 

Recommended

Passive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoPassive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoHenry Stern
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...APNIC
 
opentsdb in a real enviroment
opentsdb in a real enviromentopentsdb in a real enviroment
opentsdb in a real enviromentChen Robert
 
HBaseCon 2013: OpenTSDB at Box
HBaseCon 2013: OpenTSDB at BoxHBaseCon 2013: OpenTSDB at Box
HBaseCon 2013: OpenTSDB at BoxCloudera, Inc.
 
Monitoring MySQL with OpenTSDB
Monitoring MySQL with OpenTSDBMonitoring MySQL with OpenTSDB
Monitoring MySQL with OpenTSDBGeoffrey Anderson
 
1404 app dev series - session 8 - monitoring & performance tuning
1404 app dev series - session 8 - monitoring & performance tuning1404 app dev series - session 8 - monitoring & performance tuning
1404 app dev series - session 8 - monitoring & performance tuningMongoDB
 
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Ruo Ando
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...APNIC
 
Gnocchi Profiling 2.1.x
Gnocchi Profiling 2.1.xGnocchi Profiling 2.1.x
Gnocchi Profiling 2.1.xGordon Chung
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
Gnocchi Profiling v2
Gnocchi Profiling v2Gnocchi Profiling v2
Gnocchi Profiling v2Gordon Chung
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
Linux Resource Management - Мариян Маринов (Siteground)
Linux Resource Management - Мариян Маринов (Siteground)Linux Resource Management - Мариян Маринов (Siteground)
Linux Resource Management - Мариян Маринов (Siteground)PlovDev Conference
 
Linux resource limits
Linux resource limitsLinux resource limits
Linux resource limitsMarian Marinov
 
Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Bradley Schatz
 
Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Bradley Schatz
 
OpenTSDB for monitoring @ Criteo
OpenTSDB for monitoring @ CriteoOpenTSDB for monitoring @ Criteo
OpenTSDB for monitoring @ CriteoNathaniel Braun
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
AFF4: The new standard in forensic imaging and why you should care
AFF4: The new standard in forensic imaging and why you should careAFF4: The new standard in forensic imaging and why you should care
AFF4: The new standard in forensic imaging and why you should careBradley Schatz
 
Gnocchi v4 (preview)
Gnocchi v4 (preview)Gnocchi v4 (preview)
Gnocchi v4 (preview)Gordon Chung
 
mod_perl 2.0 For Speed Freaks!
mod_perl 2.0 For Speed Freaks!mod_perl 2.0 For Speed Freaks!
mod_perl 2.0 For Speed Freaks!Philippe M. Chiasson
 
Installation of application server 10g in red hat 4
Installation of application server 10g in red hat 4Installation of application server 10g in red hat 4
Installation of application server 10g in red hat 4uzzzle
 
zmq.rs - A brief history of concurrency in Rust
zmq.rs - A brief history of concurrency in Rustzmq.rs - A brief history of concurrency in Rust
zmq.rs - A brief history of concurrency in RustFantix King 王川
 
LMAX Disruptor as real-life example
LMAX Disruptor as real-life exampleLMAX Disruptor as real-life example
LMAX Disruptor as real-life exampleGuy Nir
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoSAPNIC
 
Covert timing channels using HTTP cache headers
Covert timing channels using HTTP cache headersCovert timing channels using HTTP cache headers
Covert timing channels using HTTP cache headersyalegko
 
Gnocchi v3
Gnocchi v3Gnocchi v3
Gnocchi v3Gordon Chung
 
A curious case of broken dns responses - RIPE75
A curious case of broken dns responses - RIPE75A curious case of broken dns responses - RIPE75
A curious case of broken dns responses - RIPE75Babak Farrokhi
 
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)Babak Farrokhi
 

More Related Content

What's hot

Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...APNIC
 
Gnocchi Profiling 2.1.x
Gnocchi Profiling 2.1.xGnocchi Profiling 2.1.x
Gnocchi Profiling 2.1.xGordon Chung
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
Gnocchi Profiling v2
Gnocchi Profiling v2Gnocchi Profiling v2
Gnocchi Profiling v2Gordon Chung
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
Linux Resource Management - Мариян Маринов (Siteground)
Linux Resource Management - Мариян Маринов (Siteground)Linux Resource Management - Мариян Маринов (Siteground)
Linux Resource Management - Мариян Маринов (Siteground)PlovDev Conference
 
Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Bradley Schatz
 
Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Bradley Schatz
 
OpenTSDB for monitoring @ Criteo
OpenTSDB for monitoring @ CriteoOpenTSDB for monitoring @ Criteo
OpenTSDB for monitoring @ CriteoNathaniel Braun
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
AFF4: The new standard in forensic imaging and why you should care
AFF4: The new standard in forensic imaging and why you should careAFF4: The new standard in forensic imaging and why you should care
AFF4: The new standard in forensic imaging and why you should careBradley Schatz
 
Gnocchi v4 (preview)
Gnocchi v4 (preview)Gnocchi v4 (preview)
Gnocchi v4 (preview)Gordon Chung
 
Installation of application server 10g in red hat 4
Installation of application server 10g in red hat 4Installation of application server 10g in red hat 4
Installation of application server 10g in red hat 4uzzzle
 
zmq.rs - A brief history of concurrency in Rust
zmq.rs - A brief history of concurrency in Rustzmq.rs - A brief history of concurrency in Rust
zmq.rs - A brief history of concurrency in RustFantix King 王川
 
LMAX Disruptor as real-life example
LMAX Disruptor as real-life exampleLMAX Disruptor as real-life example
LMAX Disruptor as real-life exampleGuy Nir
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoSAPNIC
 
Covert timing channels using HTTP cache headers
Covert timing channels using HTTP cache headersCovert timing channels using HTTP cache headers
Covert timing channels using HTTP cache headersyalegko
 

What's hot (20)

Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
 
Gnocchi Profiling 2.1.x
Gnocchi Profiling 2.1.xGnocchi Profiling 2.1.x
Gnocchi Profiling 2.1.x
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
Gnocchi Profiling v2
Gnocchi Profiling v2Gnocchi Profiling v2
Gnocchi Profiling v2
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020
 
Linux Resource Management - Мариян Маринов (Siteground)
Linux Resource Management - Мариян Маринов (Siteground)Linux Resource Management - Мариян Маринов (Siteground)
Linux Resource Management - Мариян Маринов (Siteground)
 
Linux resource limits
Linux resource limitsLinux resource limits
Linux resource limits
 
Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...
 
Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...Accelerating forensic and incident response workflow: the case for a new stan...
Accelerating forensic and incident response workflow: the case for a new stan...
 
OpenTSDB for monitoring @ Criteo
OpenTSDB for monitoring @ CriteoOpenTSDB for monitoring @ Criteo
OpenTSDB for monitoring @ Criteo
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
 
AFF4: The new standard in forensic imaging and why you should care
AFF4: The new standard in forensic imaging and why you should careAFF4: The new standard in forensic imaging and why you should care
AFF4: The new standard in forensic imaging and why you should care
 
Gnocchi v4 (preview)
Gnocchi v4 (preview)Gnocchi v4 (preview)
Gnocchi v4 (preview)
 
mod_perl 2.0 For Speed Freaks!
mod_perl 2.0 For Speed Freaks!mod_perl 2.0 For Speed Freaks!
mod_perl 2.0 For Speed Freaks!
 
Installation of application server 10g in red hat 4
Installation of application server 10g in red hat 4Installation of application server 10g in red hat 4
Installation of application server 10g in red hat 4
 
zmq.rs - A brief history of concurrency in Rust
zmq.rs - A brief history of concurrency in Rustzmq.rs - A brief history of concurrency in Rust
zmq.rs - A brief history of concurrency in Rust
 
LMAX Disruptor as real-life example
LMAX Disruptor as real-life exampleLMAX Disruptor as real-life example
LMAX Disruptor as real-life example
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoS
 
Covert timing channels using HTTP cache headers
Covert timing channels using HTTP cache headersCovert timing channels using HTTP cache headers
Covert timing channels using HTTP cache headers
 
Gnocchi v3
Gnocchi v3Gnocchi v3
Gnocchi v3
 

Similar to Encrypted DNS research @ nic.at

A curious case of broken dns responses - RIPE75
A curious case of broken dns responses - RIPE75A curious case of broken dns responses - RIPE75
A curious case of broken dns responses - RIPE75Babak Farrokhi
 
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)Babak Farrokhi
 
Large Infrastructure Monitoring At CERN by Matthias Braeger at Big Data Spain...
Large Infrastructure Monitoring At CERN by Matthias Braeger at Big Data Spain...Large Infrastructure Monitoring At CERN by Matthias Braeger at Big Data Spain...
Large Infrastructure Monitoring At CERN by Matthias Braeger at Big Data Spain...Big Data Spain
 
Choosing A Proxy Server - Apachecon 2014
Choosing A Proxy Server - Apachecon 2014Choosing A Proxy Server - Apachecon 2014
Choosing A Proxy Server - Apachecon 2014bryan_call
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Jim Clausing
 
Elastify Cloud-Native Spark Application with Persistent Memory
Elastify Cloud-Native Spark Application with Persistent MemoryElastify Cloud-Native Spark Application with Persistent Memory
Elastify Cloud-Native Spark Application with Persistent MemoryDatabricks
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Advertising Fraud Detection at Scale at T-Mobile
Advertising Fraud Detection at Scale at T-MobileAdvertising Fraud Detection at Scale at T-Mobile
Advertising Fraud Detection at Scale at T-MobileDatabricks
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
Cloudflare lower network latency = faster website loads
Cloudflare lower network latency = faster website loadsCloudflare lower network latency = faster website loads
Cloudflare lower network latency = faster website loadsVu Long Tran
 
Business Model Concepts for Dynamically Provisioned Optical Networks
Business Model Concepts for Dynamically Provisioned Optical NetworksBusiness Model Concepts for Dynamically Provisioned Optical Networks
Business Model Concepts for Dynamically Provisioned Optical NetworksTal Lavian Ph.D.
 
VISUG - Approaches for application request throttling
VISUG - Approaches for application request throttlingVISUG - Approaches for application request throttling
VISUG - Approaches for application request throttlingMaarten Balliauw
 
ECS19 - Ingo Gegenwarth - Running Exchange in large environment
ECS19 - Ingo Gegenwarth - Running Exchange in large environmentECS19 - Ingo Gegenwarth - Running Exchange in large environment
ECS19 - Ingo Gegenwarth - Running Exchange in large environmentEuropean Collaboration Summit
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014Amazon Web Services
 
EVCache: Lowering Costs for a Low Latency Cache with RocksDB
EVCache: Lowering Costs for a Low Latency Cache with RocksDBEVCache: Lowering Costs for a Low Latency Cache with RocksDB
EVCache: Lowering Costs for a Low Latency Cache with RocksDBScott Mansfield
 
TLD Anycast DNS servers to ISPs
TLD Anycast DNS servers to ISPsTLD Anycast DNS servers to ISPs
TLD Anycast DNS servers to ISPsAPNIC
 
Druid at naver.com - part 1
Druid at naver.com - part 1Druid at naver.com - part 1
Druid at naver.com - part 1Jungsu Heo
 

Similar to Encrypted DNS research @ nic.at (20)

A curious case of broken dns responses - RIPE75
A curious case of broken dns responses - RIPE75A curious case of broken dns responses - RIPE75
A curious case of broken dns responses - RIPE75
 
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
 
Large Infrastructure Monitoring At CERN by Matthias Braeger at Big Data Spain...
Large Infrastructure Monitoring At CERN by Matthias Braeger at Big Data Spain...Large Infrastructure Monitoring At CERN by Matthias Braeger at Big Data Spain...
Large Infrastructure Monitoring At CERN by Matthias Braeger at Big Data Spain...
 
SFMap (TMA 2015)
SFMap (TMA 2015)SFMap (TMA 2015)
SFMap (TMA 2015)
 
Choosing A Proxy Server - Apachecon 2014
Choosing A Proxy Server - Apachecon 2014Choosing A Proxy Server - Apachecon 2014
Choosing A Proxy Server - Apachecon 2014
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...
 
Elastify Cloud-Native Spark Application with Persistent Memory
Elastify Cloud-Native Spark Application with Persistent MemoryElastify Cloud-Native Spark Application with Persistent Memory
Elastify Cloud-Native Spark Application with Persistent Memory
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
Advertising Fraud Detection at Scale at T-Mobile
Advertising Fraud Detection at Scale at T-MobileAdvertising Fraud Detection at Scale at T-Mobile
Advertising Fraud Detection at Scale at T-Mobile
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
Cloudflare lower network latency = faster website loads
Cloudflare lower network latency = faster website loadsCloudflare lower network latency = faster website loads
Cloudflare lower network latency = faster website loads
 
Business Model Concepts for Dynamically Provisioned Optical Networks
Business Model Concepts for Dynamically Provisioned Optical NetworksBusiness Model Concepts for Dynamically Provisioned Optical Networks
Business Model Concepts for Dynamically Provisioned Optical Networks
 
VISUG - Approaches for application request throttling
VISUG - Approaches for application request throttlingVISUG - Approaches for application request throttling
VISUG - Approaches for application request throttling
 
ECS19 - Ingo Gegenwarth - Running Exchange in large environment
ECS19 - Ingo Gegenwarth - Running Exchange in large environmentECS19 - Ingo Gegenwarth - Running Exchange in large environment
ECS19 - Ingo Gegenwarth - Running Exchange in large environment
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
NFS and Oracle
NFS and OracleNFS and Oracle
NFS and Oracle
 
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014
 
EVCache: Lowering Costs for a Low Latency Cache with RocksDB
EVCache: Lowering Costs for a Low Latency Cache with RocksDBEVCache: Lowering Costs for a Low Latency Cache with RocksDB
EVCache: Lowering Costs for a Low Latency Cache with RocksDB
 
TLD Anycast DNS servers to ISPs
TLD Anycast DNS servers to ISPsTLD Anycast DNS servers to ISPs
TLD Anycast DNS servers to ISPs
 
Druid at naver.com - part 1
Druid at naver.com - part 1Druid at naver.com - part 1
Druid at naver.com - part 1
 

More from Alex Mayrhofer

Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?
Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?
Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?Alex Mayrhofer
 
RRDG Data Sharing Specifications
RRDG Data Sharing SpecificationsRRDG Data Sharing Specifications
RRDG Data Sharing SpecificationsAlex Mayrhofer
 
DNS Magnitude - DNSheads Vienna #6
DNS Magnitude - DNSheads Vienna #6DNS Magnitude - DNSheads Vienna #6
DNS Magnitude - DNSheads Vienna #6Alex Mayrhofer
 

More from Alex Mayrhofer (6)

RDAP @ .at
RDAP @ .at RDAP @ .at
RDAP @ .at
 
Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?
Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?
Die Registry als Kristallkugel - verrät uns das DNS etwas über die Zukunft?
 
RRDG Data Sharing Specifications
RRDG Data Sharing SpecificationsRRDG Data Sharing Specifications
RRDG Data Sharing Specifications
 
DNS Magnitude - DNSheads Vienna #6
DNS Magnitude - DNSheads Vienna #6DNS Magnitude - DNSheads Vienna #6
DNS Magnitude - DNSheads Vienna #6
 
DNSheads Vienna #6
DNSheads Vienna #6DNSheads Vienna #6
DNSheads Vienna #6
 
DNSheads Vienna #5
DNSheads Vienna #5DNSheads Vienna #5
DNSheads Vienna #5
 

Recently uploaded

VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 

Recently uploaded (20)

VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 

Encrypted DNS research @ nic.at

  • 1. 1 · www.nic.at Encrypted DNS Research @ nic.at EDNS Padding, Experiments, Cost Simulation #JCSA17 · public 2017-07-06 · Alexander Mayrhofer · Head of R&D
  • 2. 2 · www.nic.at Agenda • About nic.at • ENDS Padding is required for Privacy!  Motivation / History  RFC7830  Padding Size Considerations • Practical experiments @ nic.at  Stubby  Knot Resolver • TLS/TCP Cost Simulation  Current UDP-based volume  Client Behaviour - Assumptions  TLS/TCP Traffic Simulation #JCSA17 · public
  • 3. 3 · www.nic.at About nic.at .at 1.3M domains gTLDs Backend + Registry RcodeZero DNS Services R&D 4 FTEs
  • 4. 4 · www.nic.at EDNS(0) Padding It‘s required for privacy – but, why?
  • 5. 5 · www.nic.at EDNS(0) Padding – why? • Encryption removes „direct“ access to the information  What‘s left for the Attacker? • „Pretty Bad Privacy – Pitfalls of DNS Encryption“*  Haya Shulman @ IETF 93  Applied Networking Research Price – IRTF • Side Channel information is key!  Countermeasures *https://www.ietf.org/proceedings/93/slides/slides-93-irtfopen-1.pdf
  • 6. 6 · www.nic.at Application Queries – it‘s a stream • A Pattern - Not just a single query/response pair
  • 7. 7 · www.nic.at Encrypted DNS • Streams still create size/timing „patterns“
  • 8. 8 · www.nic.at Size based Correlation • Compare with known clear text patterns • Even works with a subset of message sizes
  • 9. 9 · www.nic.at Introducing Padding • Obfuscates the size pattern -> Hampers correlation • More „hits“ -> less likely that identification is possible
  • 10. 10 · www.nic.at RFC 7830 – EDNS(0) Padding Option • EDNS Option code 12 https://tools.ietf.org/html/rfc7830
  • 11. 11 · www.nic.at Size of Padding? • Block? Random? Power of 2? Maximum?  Tradeoff resources vs. Identifcation potential • Empirical Research Work by Daniel K. Gillmor*  Evaluates strategies against Attacker / Defender Costs • IETF: Padding Policy Draft** (wip) *https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf **https://tools.ietf.org/id/draft-ietf-dprive-padding-policy
  • 12. 12 · www.nic.at Experiments with encrypted DNS
  • 13. 13 · www.nic.at Stubby + Knot Resolver Pssst… nothing new here… move on…
  • 14. 14 · www.nic.at Encrypted DNS Cost Simulation There‘s no Free Lunch in Security
  • 15. 15 · www.nic.at Basic Question & Idea • „What if 100% of all DNS queries would reach us via TCP/TLS?“ • Let‘s simulate it! Assumption of client behaviour + Real world packet traces = --------------------------------- Simulated TLS/TCP Traffic/events * Estimated cost factors --------------------------------- „Guesstimated“ TLS/TCP Costs
  • 16. 16 · www.nic.at Simulation „Rules“ / Assumptions • Sessions & Queries:  First query from an IP starts TLS session  Subsequent queries use existing session  One session per client IP  Assumes pipelining etc.. • Session will terminate after:  N seconds idle time  M seconds max session length (M > N)  X number of max. queries
  • 17. 17 · www.nic.at Simulated Events / data • Queries (Responses) • Concurrent session count  at a given time  Idle vs active  Session duration (Etc. etc. etc) • Session Setup • Session Teardown  Idle timeout  Max. session duration  Max. session queries
  • 18. 18 · www.nic.at Input Data • .at PCAP data  Authoritative!  Single server  78M queries (~1000qps)  IPv4 / UDP only • Traffic properties  „normal“ day (20170620)  Few spikes / no DDoS  Biggest spike: 11k qps  ~7% of .at total traffic
  • 19. 19 · www.nic.at Simulation Results: Session setups Idle = 60s; maxduration=3600s; maxqueries=10.000
  • 20. 20 · www.nic.at Sessions: Established vs. Active Idle = 60s; maxduration=3600s; maxqueries=10.000
  • 21. 21 · www.nic.at Session Teardown Details • Reasons:  Idle Timeout: 13.8M sessions (99.98%)  Maximum Duration: 16222 session (0.12%)  Maximum Queries: 1339 sessions (0.0097%) • Idle Timeout – by „usage intensity“:  Short sessions (d < 2*idle): 12.6M (91.3%)  „Burst“ sessions (active < 3s): 10.6M (77,0%) • # of Queries: 38.25 per session (avg.) -> Idle Timeout has the biggest impact!
  • 22. 22 · www.nic.at Vary the Idle Timeout • Simulate for 5, 10, 20, (60), 120, 300s idle timeout  Retain other parameters (max duration, max queries)  Tradeoff Established Sessions vs. Session Setups  Where‘s the „Sweet Spot“?
  • 23. 23 · www.nic.at Cost Estimation • Packets per Second (pps – 600kpps capacity)  Query/Response: 2 packets / 3.3 ppm  TCP/TLS setup: 6 packets (…) / 10 ppm  Teardown: 3 packets / 5 ppm • CPU/IO/ …*  Query: 200k qps/server 5 ppm  TLS Setup: 3300 sps/server 300 ppm  Session Teardown: ? 20 ppm (guess!!) • Memory - 2GB capacity (for TLS)  TLS Session: 3kB/session** 1.5 ppm *https://cdn-1.wp.nginx.com/wp-content/files/nginx-pdfs/Sizing-Guide-for-Deploying-NGINX-on-Bare-Metal-Servers.pdf **https://www.wolfssl.com/wolfSSL/benchmarks-wolfssl.html
  • 24. 24 · www.nic.at Cost Comparison
  • 25. 25 · www.nic.at What‘s the „Magic Number“? • TLS vs. UDP Cost Ratio ~8 (60s idle timeout)
  • 26. 26 · www.nic.at Summary • ENDS Padding – required for Privacy!  RFC7830 - Size recommendations in progress • TLS-DNS Experiments  Use Stubby + Server of your choice • TLS Cost Simulation  The Magic Number is roughly 8.  And, it depends. TLS optimization, cost assumptions  Future work: Better simulation (vary client behaviour), more precise cost factor estimation
  • 27. 27 · www.nic.at nic.at GmbH Jakob-Haringer-Str. 8/V · 5020 Salzburg · Austria T +43 662 4669 -DW · F -29 alexander.mayrhofer@nic.at · www.nic.at