DNS (short for Domain Name System) is an extremely vital function for any telecommunications provider. It acts like the Internet’s phonebook, converting human-readable domain names into machine-readable IP addresses. It functions as a vast tree structure, starting from the root domain indicated by a single dot (.). This hierarchical database spreads into top-level domains (TLDs), including Generic TLDs (such as .COM or .EDU) and Country Code TLDs (like .UK or .DE). Below TLDs are Second-Level Domains (SLDs), the main domains individuals or organizations register, such as google.com or Infoblox.com. Each domain contains hostnames for network equipment and further subdivisions called Subdomains. When subscribers enter a URL into their browser (or an app makes a request to a URL), a DNS query is initiated to find the associated IP address. This query moves through DNS servers, starting from the ISP’s server and progressing through root name servers and TLD servers until it reaches the DNS server hosting the desired domain. The browser or app can access the intended webpage or service with this data.
Authoritative and Recursive DNS
In DNS, two types of servers play essential roles: Caching/Recursive servers and Authoritative servers. Caching/Recursive servers fetch data by making multiple requests to other servers, a process known as recursion. These servers retrieve information from Authoritative servers entrusted with publishing data. Unlike Caching/Recursive servers, Authoritative servers do not engage in recursion but rather maintain data locally. This clear division of labor ensures efficient data retrieval and dissemination within the DNS ecosystem.
What About Security and Privacy?
Security and privacy are crucial in DNS operations. Preventing threats like DNS cache poisoning is vital for security while ensuring privacy thwarts eavesdropping. Meanwhile, DNSSEC (introduced in 2005) authenticates and secures DNS data but doesn’t address privacy concerns. Additional security measures like Response Policy Zones (RPZ) and Response Rate Limiting (RRL) help block malicious domains and limit query rates. For privacy, the shift towards encryption, exemplified by HTTPS adoption, safeguards web traffic. That helps – but additional measures were needed. Encrypted DNS solutions have emerged (and are evolving) to protect DNS traffic and enhance privacy, as traditional DNS lacks encryption.
Evolution of Encrypted DNS: DoT & DoH – TLS
Encrypted DNS, utilizing Transport Layer Security (TLS), offers two main options: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). DoT operates on TCP port 853, separating DNS traffic and potentially boosting security. In contrast, DoH hides DNS queries within HTTPS traffic on TCP port 443, providing privacy advantages. However, both introduce challenges compared to traditional DNS:
- Connection Overhead: Unlike UDP-based DNS, DoT and DoH require TCP+TLS handshakes. That raises the potential to increase resource consumption.
- Head-of-Line Blocking: While HTTP/2 multiplexing optimizes bandwidth, it can cause delays due to head-of-line blocking, where all requests within a TCP connection wait for retransmission in case of packet loss. Head-of-line blocking is when a lost or delayed packet in a TCP connection causes subsequent packets, including DNS queries or HTTP requests, to be held up until the lost packet is retransmitted.
- This delay can significantly slow down the processing of DNS queries or the loading of web pages, as all requests within the same TCP connection must wait for retransmission, even if they are unrelated to the lost packet.
Despite challenges, encrypted DNS enhances security and privacy online. However, these hurdles must be addressed to realize its potential for complete user protection.
QUIC: Solving DNS Encryption Challenges
In response to the challenges posed by traditional encrypted DNS solutions, a new protocol emerged: Quick UDP Internet Connections (QUIC). Unlike conventional solutions, QUIC operates over UDP and integrates TLS 1.3 encryption, promising improved performance for web applications by establishing multiple multiplexed connections between endpoints. And for encrypted DNS, QUIC offers two options: DNS-over-QUIC (DoQ) and DNS-over-HTTP/3 (DoH3), each with unique advantages and port assignments.
QUIC helps to reduce connection overhead by making the setup process faster and more efficient. It does this by exchanging setup keys and protocols during the initial handshake rather than repeatedly negotiating with each connection. This allows for seamless encryption of subsequent packets. Additionally, QUIC’s multi-stream approach makes it more resilient to packet loss and reduces head-of-line blocking compared to traditional TCP-based solutions like DoT and DoH. By providing independent flow control and retransmission for each stream, QUIC ensures robustness and reliability in encrypted DNS transactions, leading to a smoother and more efficient browsing experience.
Interact with our experts!
DNS MTTRS! The discussion around encrypted DNS is constantly evolving. Want to learn more? Check out this in-depth technical discussion led by one of our leading Solution Architects in the field on DNS encryption technologies. And – feel free to contact me in the comments section with any questions you may have.