Simplifying the ISP Transition to DNS Encryption

by Bruce Van Nice on March 24, 2020

New protocols to encrypt DNS traffic, DNS over HTTPS (DoH) and DNS over TLS (DoT), have been a visible Internet topic for the past two years. Akamai participated in the definition of DoH/DoT standards and recently released support in the high-performance CacheServe resolver. Major features include:

Integration of DoH/DoT in CacheServe, alongside legacy UDP and TCP protocols
Initial performance tests show scaling up to 500,000 active DoH/DoT sessions at 1.5 million QPS
CacheServe telemetry and logging now include comprehensive DoH/DoT statistics to enable visibility and troubleshooting for DoH/DoT traffic
Simple configuration: Add certificate files and specify “listen-on” ports
Availability of cloud and managed resolvers that support DoH and DoT

Major benefits include:

ISPs can deploy resolvers that support DNS encryption without appliances or other systems to terminate HTTPS/TLS, avoiding the expense of procuring, installing, and operating additional network equipment to scale resolution infrastructure for DNS encryption
CacheServe telemetry provides essential visibility into UDP, TCP, TLS, and HTTPS traffic; operations staff get all the data they need in one place (vs. multiple interfaces and limited visibility with non-integrated, multi-platform solutions)

Akamai QA tested CacheServe compatibility with a number of released DoH/DoT clients in browsers, mobile apps, mobile OS, and stub resolvers. The results are tabulated on the DNS PrivacyProject website. Some of the test results were presented at DNS OARC 32 in February 2020.

Implementing DoH and DoT in CacheServe resolvers does not impact Akamai Security and Personalization Services (SPS) that protect families and small businesses from malicious activity and unwanted content. DoH/DoT encrypts the transport between a client (stub resolver) and a resolver to prevent third parties from eavesdropping or intercepting DNS traffic in transit. Encrypted sessions are terminated natively within CacheServe, and DNS policies can still be applied throughout the resolution process to support SPS.

CacheServe integrated support for DNS encryption — coupled with scalability, performance, and manageability — make it an especially attractive alternative to proprietary DNS appliances. DNS appliance vendors are all dependent on third-party DNS releases, which do not yet support DNS encryption natively. Instead, they require external equipment, which will increase CapEx and OpEx, and complicate operations and troubleshooting.

Sponsorships Available

Use Cases for DNS Encryption

Use cases for DNS encryption will be influenced by the availability of client implementations and standardized provisioning mechanisms that allow clients/devices to automatically discover and connect to provider resolvers that support encryption. As subscribers conclude DNS encryption offers tangible benefits, CacheServe allows providers to accommodate growth in demand and equips them to deliver value-added services that:

Connect subscribers to encrypted DNS resolvers when they’re off a provider’s network, roaming, or at Wi-Fi hot spots or other untrusted venues
Provide families “follow me” parental controls to protect children even when they roam or access different networks like Wi-Fi hot spots
Offer encrypted DNS connections for small businesses who use resolvers and/or DNS-based protections hosted in the cloud

Over time, more use cases will emerge as DNS encryption protocols become more widely implemented and mainstream Internet users acknowledge their value.

Call to Action

Recursive DNS is a strategic resource, and even before deploying the new encryption protocols there are actions providers can take to maintain their trusted position and help ensure subscribers prefer their resolvers:

Educate subscribers about how provider networks are secured. Take the opportunity to communicate about network protections that prevent intruders from intercepting subscriber data of any kind, and privacy policies that govern how personal data is handled.

Maximize the built-in advantage of proximity to subscribers. Ensure resolvers are situated at the network edge, and offer great performance, always-on reliability, and superior security. Delivering high-performance, low-latency DNS is a high ROI proposition, and a relatively modest investment can improve overall network responsiveness. Proximity and performance contribute to faster delivery of Internet content. Make the effort to publicize strengths and advantages.

Deploy value-added services that visibly improve subscriber security and privacy. Consumers and many small businesses are not well equipped to protect themselves — and phishing and malware that steal personal information are a far greater and more tangible invasion of privacy than DNS interception on a highly secure provider network. Offering security services validates a provider’s commitment to safe Internet access.

Participate in the industry. Akamai participates in the IETF to guide DNS encryption standards. Akamai is also contributing to the Encrypted DNS Deployment Initiative (EDDI), a multi-disciplinary group of technical professionals collaborating to ensure smooth global deployment and reliable operation at scale of DNS encryption. We’re happy to arrange meetings at venues to coordinate efforts.

Akamai’s objective is to simplify the transition to DNS encryption for ISPs so they can continue to offer the best possible user experience, while their infrastructure grows and evolves to accommodate new demands that the new protocols place on it.