In the fast-evolving realm of communication services, the Domain Name System (DNS) is indispensable, acting as the foundation for smooth operation of online services. For communications service providers (CSPs), a strong DNS infrastructure is important to maintain seamless and dependable connectivity. This blog explores the importance of DNS records for CSPs, highlights key types essential for their operations, and evaluates the influence of encrypted traffic on DNS. It analyzes the advantages and potential concerns linked with two emerging technologies: HTTPS Resource Records and SVCB Resource Records.
The Importance of DNS Records for CSPs
DNS records are the linchpin of the Internet, essential for translating user-friendly domain names into machine-readable IP addresses and enabling CSPs to provide seamless access to their services. These records ensure requests are directed to the correct servers, forming the backbone of communication networks.
There are common DNS record types for CSPs that most DNS operations and network architects probably know by heart, including:
- A Record: Stores IPv4 address for a domain name, enabling clients to access the website via domain name instead of IP address.
- AAAA Record: Stores IPv6 address for a domain name, allowing access using newer IP protocol with enhanced address space and security.
- CNAME Record: Creates alias for another domain name, simplifying DNS record management and enabling access to the website using multiple names.
- MX Record: Specifies mail server handling email for a domain name, helping with email services and communication for CSPs.
- NS Record: Indicates authoritative name server for a domain name, enabling clients to query the correct name server for DNS information and helping CSPs in managing DNS zones.
- PTR Record: Reverses IP address mapping to domain name, aiding in reverse DNS lookups for troubleshooting, security, and spam prevention.
- SOA Record: Stores meta information about a DNS zone, including primary name server, administrator’s email, and refresh intervals.
Encryption Adds a Slight Twist
The rise of encrypted traffic, driven by protocols like HTTPS, significantly affects DNS operations. Did you know that over 80% of all Internet traffic is encrypted, and about 95% of all web traffic is encrypted?
Encryption obscures DNS requests, making it harder for CSPs to inspect and filter malicious content. To address this, CSPs must embrace advanced DNS security measures such as DNS over HTTPS (DoH) and DNS over TLS (DoT).
- DNS over HTTPS (DoH) sends DNS data through HTTPS connections, leveraging its encryption to enhance privacy and security. It benefits from HTTPS’s widespread adoption and travels over the same port as ordinary web traffic, which makes it difficult to single out and block.
- DNS over TLS (DoT) encrypts DNS data via TLS connections. Unlike DoH, it uses a dedicated port, which makes the traffic easier to identify and troubleshoot.
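To make the DoH/DoT distinction concrete, here is an added example (not code from the original post or its author) that builds one RFC 1035 DNS query for the HTTPS record of a constructed name and then wraps the identical wire message the two ways the text describes: as an RFC 8484 DoH GET URL (base64url in the `dns` parameter, on the normal HTTPS port) and as an RFC 7858 DoT frame (two-byte length prefix, carried over TLS on its own port). The resolver URL and query name are placeholders; the point is that the message is the same and only the transport, and therefore its visibility to a CSP, differs.

```python
import base64
import struct

# Subset of DNS type codes: A and AAAA from RFC 1035/3596, HTTPS (Type 65) from RFC 9460.
QTYPE = {"A": 1, "AAAA": 28, "HTTPS": 65}


def encode_name(name):
    """RFC 1035 wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, qid=0):
    """Minimal DNS query (RFC 1035 section 4.1): 12-byte header plus one question.
    RFC 8484 recommends ID 0 for DoH GET so identical queries share an HTTP cache key."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # QCLASS IN
    return header + question


def doh_get_url(resolver_url, msg):
    """RFC 8484 GET form: the wire message, base64url without '=' padding, as ?dns=..."""
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"


def decode_doh_param(token):
    """Inverse of doh_get_url's encoding: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def dot_frame(msg):
    """RFC 7858 reuses the RFC 1035 TCP framing: a big-endian 2-byte length prefix.
    The framed message is then written into a TLS session on the DoT port (853)."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    # Constructed example: query the HTTPS record for a reserved example name.
    q = build_query("example.com", "HTTPS")
    print("wire message:", q.hex())
    print("DoH GET url :", doh_get_url("https://doh.example.net/dns-query", q))  # placeholder resolver
    print("DoT frame   :", dot_frame(q).hex())
```

Because the DoH request rides on the same port as every other HTTPS connection, a network operator sees only a TLS session to a web host; the DoT frame, by contrast, goes to a port used for nothing else, which is why the text calls DoT easier to identify and troubleshoot.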
So, what is the twist? More operating systems, browsers and apps are using encryption. Whether it is HTTPS, DoH, or DoT, creating these secure connections requires more steps and back-and-forth communication between the client and server. Let’s break it down a bit. First, the client asks DNS for the server’s IP address. Once it has the IP, the client must set up a secure connection through a series of exchanges with the server known as the TLS handshake. During this handshake, both sides negotiate encryption settings and exchange certificates to ensure secure communication.
That adds time. And for impatient subscribers, it can create a false perception that the network is slow.
DNS MTTRS: HTTPS and SVCB Shake Up Secure Traffic!
HTTPS and SVCB are two new DNS record types standardized by the Internet Engineering Task Force (IETF) in November 2023 to improve DNS functionality, particularly for encrypted traffic.
- HTTPS Resource Records (HTTPS RRs; also known as Type 65) enhance secure connection performance by offering more server details beyond just IP addresses. They include information like cryptographic algorithms, certificate details, and other parameters important for secure connections, unlike traditional DNS records.
- Service Binding Resource Records (SVCB RRs; also known as Type 64) extend HTTPS RRs, providing more flexibility in configuring secure connections. SVCB RRs let servers convey multiple sets of preferences to clients, including alternate certificates and supported protocols, enhancing efficiency in secure connection setups.
HTTPS and SVCB Resource Records offer significant benefits for DNS functionality.
- HTTPS Resource Records enhance security by embedding SSL/TLS certificates in DNS responses, ensuring secure domain resolution and protecting against potential attacks. Additionally, they contribute to improved performance by reducing the number of round trips required to establish secure connections, resulting in lower latency and a better user experience.
- SVCB Resource Records, for their part, provide flexibility and efficiency by letting CSPs specify multiple alternative services and endpoints for a domain. This improves service delivery flexibility and resource utilization, and it reduces latency by enabling efficient service selection and shorter connection establishment, which in turn improves overall network responsiveness.
Without HTTPS and SVCB Resource Records, the client may need to make more requests to fetch necessary security information or certificates. This can lead to increased latency and a longer time to establish a secure connection, negatively affecting the user experience, especially in scenarios where low latency is important, such as loading web pages quickly or streaming media seamlessly. And as I mentioned earlier, this can lead to a false subscriber perception of slow network speeds.
HTTPS and SVCB Resource Records provide benefits, but CSPs should weigh potential drawbacks:
- Increased Processing Overhead: HTTPS encryption and decryption could strain server performance.
- Compatibility Concerns: Legacy systems may struggle with or lack support for these advanced DNS records, causing connectivity issues for some users.
Interact with our experts!
DNS MTTRS! And these new records play an important role in enabling CSPs to deliver smooth communication services. With the increasing prevalence of encrypted traffic and the emergence of technologies like HTTPS and SVCB Resource Records, CSPs must remain proactive. By embracing advanced DNS solutions that focus on both security and performance, CSPs can effectively adapt to the evolving digital landscape. Considering these factors will empower CSPs to offer users reliable and secure communication services. To dig deeper into this topic, I recommend watching our recent webinar, which provided detailed insights into HTTPS and SVCB Resource Records. And as always, if you’d like to talk to one of our local experts on the topic, please contact me and I will be happy to make the connection!