Bachelor Thesis Computing Science


Bachelor thesis Computing Science, Radboud University

Performance comparison of DNS over HTTPS to unencrypted DNS

Author: Jeroen Wijenbergh (s4792459)
First supervisor/assessor: Dr. Veelasha Moonsamy
Daily supervisor: Dr. Roland van Rijsdijk-Deij
Second assessor: ir. D.W.C. Daniël Kuijsters

October 3, 2019

Abstract

DNS over HTTPS has been proposed as a way to encrypt DNS. This protocol carries additional overhead that DNS over UDP does not have. In this study we analyze the performance impact of that extra overhead. To do so, we have extended the established DNS measurement tool Flamethrower with DNS over HTTPS capability. This implementation is used to query a server that we have set up. The server runs Dnsdist and Unbound to provide both DNS and DNS over HTTPS on a single host. We query two such servers with different numbers of concurrent TCP connections and HTTP/2 streams and analyze the results. These results help us answer what performance impact DNS over HTTPS has compared to unencrypted DNS. The outcome of this research is that in all of our tests DNS over HTTPS performs worse than DNS over UDP. The performance difference is less noticeable when caching is disabled.

Contents

1 Introduction 4
  1.1 Motivation 5
  1.2 Overview of thesis 6
2 Preliminaries 7
  2.1 Network Stack 7
    2.1.1 Application layer 8
    2.1.2 Transport layer 8
    2.1.3 Network layer 8
    2.1.4 Data Link layer 8
    2.1.5 Physical layer 9
    2.1.6 Layer encapsulation/decapsulation 9
      2.1.6.1 Importance of encapsulation/decapsulation 9
  2.2 Transport layer protocols 9
    2.2.1 Transmission Control Protocol (TCP) 10
      2.2.1.1 Structure 10
      2.2.1.2 Handshake 12
      2.2.1.3 Message exchange 12
      2.2.1.4 Positives and drawbacks 13
    2.2.2 User Datagram Protocol (UDP) 13
      2.2.2.1 Structure 13
      2.2.2.2 Differences between UDP and TCP 14
  2.3 Application Layer protocols 14
    2.3.1 Hypertext Transfer Protocol (HTTP) 14
      2.3.1.1 Structure 15
      2.3.1.2 Encryption 16
      2.3.1.3 HTTP standards 16
    2.3.2 Transport Layer Security (TLS) 16
      2.3.2.1 Goals of TLS 16
      2.3.2.2 Encryption 17
      2.3.2.3 Authentication 17
  2.4 DNS 19
    2.4.1 Distributed system 19
      2.4.1.1 Stub resolver 19
      2.4.1.2 Recursive resolver 20
      2.4.1.3 Authoritative servers 20
    2.4.2 Structure 20
    2.4.3 Recent work in encrypting DNS 24
      2.4.3.1 DNS over HTTPS (DoH) 24
3 Research 28
  3.1 Scope 28
  3.2 Methodology 29
    3.2.1 Software 29
      3.2.1.1 Client 29
      3.2.1.2 Resolver 40
    3.2.2 Hardware 44
      3.2.2.1 Client 44
      3.2.2.2 Server 44
    3.2.3 Performance measurement 45
      3.2.3.1 Dataset 45
      3.2.3.2 Tests 45
      3.2.3.3 Running the tests 46
      3.2.3.4 Analyzing the output 48
      3.2.3.5 Overview 49
  3.3 Results 50
    3.3.1 TCP connection delay 50
      3.3.1.1 Caching enabled 50
      3.3.1.2 Caching disabled 51
    3.3.2 TLS connection delay 51
      3.3.2.1 Caching enabled 52
      3.3.2.2 Caching disabled 53
    3.3.3 Round-trip time of DNS and DoH 53
      3.3.3.1 Caching enabled 54
      3.3.3.2 Caching disabled 59
  3.4 Reflecting on the results and limitations 65
4 Related Work 66
  4.1 DNS Caching 66
  4.2 Mozilla DoH measurements 67
  4.3 DNS, DoT and DoH page load time and resolution times 68
  4.4 Methodology for testing DNS in a lab environment 69
5 Conclusions 70
  5.1 Future work 70
Bibliography 71
A Appendix 75
  A.1 TCP connection delay measurements 76
    A.1.1 Caching enabled 76
    A.1.2 Caching disabled 78
  A.2 TLS connection delay measurements 80
    A.2.1 Caching enabled 80
    A.2.2 Caching disabled 81
  A.3 Round-trip time measurements 82
    A.3.1 Caching enabled 82
    A.3.2 Caching disabled 88

Chapter 1 Introduction

When you want to visit a website on the internet, your browser needs to know the IP address of that website. These IP addresses are hard to remember.
To address this problem, two researchers, Paul Mockapetris and Jon Postel, introduced the Domain Name System (DNS). This architecture maps hostnames (e.g. google.com) to IP addresses (e.g. 216.58.211.110), so that you only have to enter the hostname into your browser to reach the website. This is the main benefit of DNS, but there are more; an important one is that DNS allows a website to be moved to another server by changing its DNS records, without changing the hostname. Furthermore, while we gave the example of using DNS to obtain the IP address of a website, DNS is also used for email.

The DNS architecture was introduced in 1983 [41] [43] and has seen little change since then. As a result, the architecture has a few problems. One of these problems is that DNS messages are unencrypted. To add encryption to DNS, several extensions have been proposed, for example:

• DNS over HTTPS (DoH) [35]
• DNS over TLS (DoT) [38]
• DNSCURVE [16]
• DNSCrypt [4]

In this thesis we focus on the DNS over HTTPS protocol and how it compares to regular DNS. The reason we chose to study this protocol is discussed in section 1.1. As the title of this thesis suggests, we explicitly focus on the performance impact of using DNS over HTTPS. What exactly we mean by performance is discussed in chapter 3.

Our research question is the following:

How much performance impact does DNS over HTTPS have compared to using unencrypted DNS?

We also have the following sub-research questions:

• How do the HTTP methods POST and GET compare with regard to performance?
• To what extent do TCP connections impact the performance of DNS over HTTPS?
• To what extent do HTTP/2 streams impact the performance of DNS over HTTPS?
• To what extent does caching impact the performance of DNS over HTTPS?

For this thesis we interned at the NLnet Labs foundation, who helped us decide on a scope for this thesis.
This scope is defined in section 3.1, where we also discuss our research questions in more detail. The methodology we used to test this performance was also discussed with NLnet Labs and can be found in section 3.2. To give a better idea of why we chose to research this topic, we now discuss our motivation.

1.1 Motivation

As stated before, DNS messages are still unencrypted. To understand why this is a problem, consider a possible attack scenario. DNS messages (besides the hostname) provide information about the client that is sending the message (e.g. your browser). A third party that listens for traffic between you and the DNS server can read every DNS message, and can therefore see which websites you are visiting. This problem does not only exist in theory; it is actively abused in practice [34]. When these DNS messages are encrypted, their content cannot be seen by parties that are not involved in the DNS hierarchy, which includes eavesdroppers on the network. One of the newest and most popular protocols to achieve this encryption is DNS over HTTPS. The protocol was first published in May 2017 [36] and was subsequently standardized by the Internet Engineering Task Force in August 2018 [35]. Even though the protocol is new, it is already offered by the DNS resolvers of Cloudflare [26] and Google [33]. Firefox, a popular internet browser, is also testing DNS over HTTPS support [44] [45] [46]. Because adoption of this protocol moves faster than that of the other protocols mentioned (DNS over TLS, DNSCURVE, DNSCrypt), we have decided to focus this thesis on it. Because the protocol is so recent, we must investigate whether it can replace unencrypted DNS. To do so, as already alluded to in our research questions, we investigate the performance of DNS over HTTPS compared to unencrypted DNS.
See the next subsection for an overview of the thesis.

1.2 Overview of thesis

In this thesis we first describe the topics needed to follow the rest of the thesis; these are covered in the Preliminaries (chapter 2). After this we describe our Research and its results (chapter 3). We then discuss Related Work (chapter 4) and finally give our Conclusions (chapter 5).

Chapter 2 Preliminaries

In this chapter we give a brief overview of the preliminaries needed to read this thesis. We first give a broad overview of the network stack, since understanding it helps in understanding the basics of networking. After this, we go into more detail on the protocols that are important to know. Finally, we describe DNS and DNS encryption.
