DOI: 10.1145/3646547.3688410
Research article, open access

Exploring the Ecosystem of DNS HTTPS Resource Records: An End-to-End Perspective

Published: 04 November 2024

Abstract

The DNS HTTPS resource record is a new DNS record type designed to deliver the configuration information and parameters a client needs to initiate a connection to an HTTPS service, such as the supported application protocols, the port, and address hints. It is also a key enabler for TLS Encrypted ClientHello (ECH): its ech parameter carries the server's ECH configuration, including the public key a client uses to encrypt its ClientHello. To understand the adoption of this new record type, we perform a longitudinal study of the server-side deployment of DNS HTTPS records for the Tranco top one million domains, as well as an analysis of client-side support for DNS HTTPS through snapshots of major browsers. To the best of our knowledge, our work is the first longitudinal study of DNS HTTPS server deployment and the first study of client-side support for DNS HTTPS. Despite the rapidly growing trend of DNS HTTPS adoption, our study highlights challenges and concerns in the deployment on both the server and the client side, such as the complexity of properly maintaining HTTPS records and connection failures in browsers when an HTTPS record is misconfigured.
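The record format the abstract refers to, as an added example that is not from the paper or from any code its authors released: a Python decoder for the HTTPS RR wire format defined in RFC 9460, a checker for the conditions under which that RFC tells a client to ignore or reject a record (the kind of misconfiguration the abstract links to browser connection failures), and a decoder for the ECHConfigList carried in the ech parameter, which is where the ECH public key and public name live. The sample records, the names cdn.example and svc.example, and the all-zero X25519 public key are constructed for this example; the helper names are my own.

```python
# Added example (not from the paper): decode an HTTPS RR (RFC 9460) from wire format,
# flag records a client must reject, and extract the ECH config from its ech parameter.
import ipaddress
import struct

SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}  # RFC 9460 Section 14.3.2
ECH_VERSION = 0xFE0D  # ECHConfig.version for draft-ietf-tls-esni-13 and later


def _read_name(buf, off):  # uncompressed wire-format name; RFC 9460 forbids compression here
    labels = []
    while buf[off]:
        if buf[off] & 0xC0:
            raise ValueError("compression pointer not allowed in SVCB TargetName")
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return (".".join(labels) + "." if labels else "."), off + 1


def _decode_param(key, value):
    if key == 0:  # mandatory: list of uint16 SvcParamKeys
        return [SVCPARAM_KEYS.get(k, f"key{k}") for k in struct.unpack(f"!{len(value) // 2}H", value)]
    if key == 1:  # alpn: length-prefixed ALPN protocol ids
        out, i = [], 0
        while i < len(value):
            out.append(value[i + 1:i + 1 + value[i]].decode("ascii"))
            i += 1 + value[i]
        return out
    if key in (2, 3):  # no-default-alpn is presence-only; port is a uint16
        return True if key == 2 else struct.unpack("!H", value)[0]
    if key in (4, 6):  # ipv4hint / ipv6hint: packed addresses
        cls, size = (ipaddress.IPv4Address, 4) if key == 4 else (ipaddress.IPv6Address, 16)
        return [str(cls(value[i:i + size])) for i in range(0, len(value), size)]
    return value  # ech (key 5) and unknown keys stay raw


def parse_https_rdata(rdata):
    """Return {'priority', 'target', 'params'} for one HTTPS/SVCB RDATA blob."""
    priority, = struct.unpack("!H", rdata[:2])
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        value = rdata[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("SvcParam value runs past end of RDATA")
        if key <= last_key:  # keys must be strictly ascending; duplicates are invalid
            raise ValueError(f"SvcParamKey {key} duplicated or out of order")
        params[SVCPARAM_KEYS.get(key, f"key{key}")] = _decode_param(key, value)
        last_key, off = key, off + 4 + length
    return {"priority": priority, "target": target, "params": params}


def parse_ech_config_list(blob):
    """Return [(config_id, kem_id, public_key, public_name)] for each ECHConfig of a known version."""
    off, end, configs = 2, 2 + struct.unpack("!H", blob[:2])[0], []
    while off < end:
        version, length = struct.unpack("!HH", blob[off:off + 4])
        body, off = blob[off + 4:off + 4 + length], off + 4 + length
        if version != ECH_VERSION:
            continue  # clients skip ECHConfig versions they do not implement
        config_id, kem_id, pk_len = struct.unpack("!BHH", body[:5])
        public_key, i = body[5:5 + pk_len], 5 + pk_len
        suites_len, = struct.unpack("!H", body[i:i + 2])
        i += 2 + suites_len + 1  # skip cipher_suites and maximum_name_length
        public_name = body[i + 1:i + 1 + body[i]].decode("ascii")
        configs.append((config_id, kem_id, public_key, public_name))
    return configs


def check_https_record(rec):
    """Flag the conditions under which RFC 9460 tells a client to ignore or reject the record."""
    p, problems = rec["params"], []
    if rec["priority"] == 0 and p:
        problems.append("AliasMode (SvcPriority 0) must not carry SvcParams")
    for k in p.get("mandatory", []):
        if k not in p:
            problems.append(f"mandatory key '{k}' is absent")
    if p.get("no-default-alpn") and "alpn" not in p:
        problems.append("no-default-alpn requires alpn")
    if "ech" in p:
        try:
            if not parse_ech_config_list(p["ech"]):
                problems.append("ech carries no ECHConfig of a supported version")
        except (struct.error, IndexError, UnicodeDecodeError):
            problems.append("ech value is not a well-formed ECHConfigList")
    return problems


# Constructed sample records (hypothetical names, all-zero X25519 key), not from any real zone.
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l) + b"\x00"

def _param(key, value):
    return struct.pack("!HH", key, len(value)) + value

def _ech_config_list(public_key, public_name):
    contents = (struct.pack("!BHH", 1, 0x0020, len(public_key)) + public_key     # config_id 1, DHKEM(X25519), key
                + struct.pack("!HHH", 4, 0x0001, 0x0001)                          # one suite: HKDF-SHA256 / AES-128-GCM
                + bytes([64, len(public_name)]) + public_name.encode() + b"\x00\x00")  # max name len, public_name, no ext
    cfg = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return struct.pack("!H", len(cfg)) + cfg

GOOD = (struct.pack("!H", 1) + _name(".") + _param(1, b"\x02h2\x02h3") + _param(4, bytes([192, 0, 2, 1]))
        + _param(5, _ech_config_list(bytes(32), "cdn.example")))
BAD_MANDATORY = (struct.pack("!H", 1) + _name("svc.example.")  # mandatory names alpn, but no alpn is given
                 + _param(0, struct.pack("!HH", 1, 5)) + _param(5, _ech_config_list(bytes(32), "cdn.example")))
BAD_ALIAS = struct.pack("!H", 0) + _name("svc.example.") + _param(3, struct.pack("!H", 443))  # AliasMode with params
```

To run it against a real answer, pass the RDATA bytes of an HTTPS record (for instance the wire form of an rdata object obtained with dnspython, which the paper lists among its tools) to parse_https_rdata and then to check_https_record; an empty problem list means a conforming client would use the record, and any entry names the RFC 9460 rule that makes a browser discard it and fall back, which is the failure mode the abstract describes.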


Published In

IMC '24: Proceedings of the 2024 ACM on Internet Measurement Conference
November 2024, 812 pages
ISBN: 9798400705922
DOI: 10.1145/3646547
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. dns
  2. ech
  3. encrypted clienthello
  4. https resource record
  5. https rr
  6. measurement

Conference

IMC '24: ACM Internet Measurement Conference
November 4 - 6, 2024, Madrid, Spain

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%