DNS Encryption at DNS OARC 32

The DNS Operations, Analysis, and Research Center (DNS OARC) is an organization that, in its own words, works to “improve the security, stability, and understanding of the Internet’s DNS infrastructure.”  It holds regular workshops where deployment experts, software developers, researchers, and DNS operators at service providers and top-level domains (TLDs) from all over the world get together to discuss the latest trends.  DNS OARC 32 was held in San Francisco in early February 2020.

ISPs and network operators have many questions about how DNS over HTTPS (DoH) and DNS over TLS (DoT) will change their DNS infrastructure.  Akamai Senior Product Manager Mark Dokter and Principal Architect Ralf Weber have been working with providers on early trials of Akamai CacheServe resolvers that support the new protocols, to better understand their behavior.  At the recent OARC meeting they presented the results of these trials along with additional work done in the lab.  Their presentation, DNS Encryption Operational Experience and Insights, is available on the OARC website.

One of their key findings was that the impact of DoT/DoH on DNS infrastructure will depend heavily on how clients behave.  They tested several of the available clients and discussed new variables that need to be considered with the introduction of connection-oriented transports (TCP, DoT, and DoH):

  • How many connections can be supported?
  • How long do connections live?
  • How many queries are sent per connection?
  • How CPU intensive is connection setup compared with queries on an already established connection?
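The four variables above are easiest to reason about with a client in hand. The following is an added example, not code from the Akamai/OARC presentation: a small DNS-over-TLS probe that opens a single TLS connection to a resolver, pipelines several queries on it using the two-byte length framing that DNS over TCP and DoT share (RFC 1035 section 4.2.2, RFC 7766, RFC 7858), matches the answers by ID because a pipelining server may return them out of order, and reports connection setup time separately from established-state query time together with the number of queries carried on that one connection. The resolver address, port 853, the query name `example.com`, and the helper names are assumptions of this example. The framing and stream-reassembly helpers run offline; only `measure_dot` needs a network.

```python
"""DoT probe: one TLS connection, N pipelined queries, setup vs. query timing.
Added example for this post; the resolver host is an assumption given on the command line."""
import random
import socket
import ssl
import struct
import sys
import time


def build_query(qname, qtype=1, qid=None):
    """Build a minimal DNS query (RFC 1035 wire format) with the RD bit set."""
    if qid is None:
        qid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def frame(msg):
    """TCP/TLS transport framing: two-byte big-endian length prefix (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg):
    """Return the 12-byte DNS header fields needed to match and grade answers."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


class StreamParser:
    """Reassemble length-prefixed DNS messages from a TCP byte stream.

    A single recv() may return half a message or several messages at once,
    so whatever is left over is kept until the next feed().
    """

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        msgs = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break  # wait for the rest of this message
            msgs.append(self.buf[2:2 + length])
            self.buf = self.buf[2 + length:]
        return msgs


def reassemble(stream, chunk_size):
    """Feed a byte stream to StreamParser in fixed-size chunks (simulated TCP segments)."""
    parser = StreamParser()
    msgs = []
    for i in range(0, len(stream), chunk_size):
        msgs.extend(parser.feed(stream[i:i + chunk_size]))
    return msgs


def measure_dot(host, port=853, n=20, qname="example.com", timeout=5.0):
    """Pipeline n queries over one DoT connection; time setup vs. established-state queries."""
    ctx = ssl.create_default_context()
    t0 = time.monotonic()
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    setup_s = time.monotonic() - t0  # TCP handshake + TLS handshake

    ids = list(range(1, n + 1))
    t1 = time.monotonic()
    tls.sendall(b"".join(frame(build_query(qname, qid=i)) for i in ids))
    parser, pending, rcodes = StreamParser(), set(ids), {}
    while pending:
        data = tls.recv(4096)
        if not data:
            raise ConnectionError("resolver closed the connection with %d queries unanswered"
                                  % len(pending))
        for msg in parser.feed(data):
            h = parse_header(msg)
            if h["qr"] and h["id"] in pending:  # answers may arrive out of order
                pending.discard(h["id"])
                rcodes[h["id"]] = h["rcode"]
    queries_s = time.monotonic() - t1
    tls.close()
    return {"setup_s": setup_s, "queries_s": queries_s, "per_query_s": queries_s / n,
            "queries_per_connection": n, "rcodes": rcodes}


if __name__ == "__main__":
    # Usage: python dot_probe.py <resolver-host-or-ip> [queries-per-connection]
    resolver = sys.argv[1]
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 20
    print(measure_dot(resolver, n=count))
```

Running the probe with increasing query counts against a test resolver gives a direct feel for the ratio of handshake cost to per-query cost; a client that opens a fresh connection for every query pays the `setup_s` figure each time, which is the behavior the presentation flags as hard to scale on the server side.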

It’s important to note that these early clients require configuration and a degree of technical confidence to connect to a resolver.  They’re not yet well-suited for mainstream users.

The conclusion was that well-behaved clients will be critical to successfully scaling resolver operations.  Operators will need to tune for TCP workloads, and the larger volume of long-lived active connections will require considerably more memory.  Server-side multithreading is important, and ensuring there are enough CPU cores to handle the combined workload will be critical.  All of the details are in their presentation.

There’s obviously a lot more work to do before these new protocols are suitable for widespread deployment at service providers.  Additional standards are needed to define mechanisms for discovering resolvers that support DNS encryption, so that providers can provision services at scale, and client behavior needs to be optimized so that servers perform and scale economically.  These early findings can help inform development and guide deployment processes to ensure success.

ISPs and network operators interested in learning more about what’s happening with the new DNS encryption protocols, and how to think about their future DNS infrastructure, can reach out to their local Akamai account teams and request a meeting.

Bruce Van Nice is a Senior Carrier Product Marketing Manager at Akamai.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Bruce Van Nice.