What Technologies Can Improve DNS Security?
In recent years, the region's technical community has shown growing interest in improving the privacy of the Domain Name System, particularly by encrypting the queries and responses exchanged between clients and resolvers, traffic that classic DNS sends in cleartext over UDP and TCP port 53.
Among the technologies that have emerged to improve DNS privacy – which were not available in its original architecture – are DoT (DNS over TLS), DoH (DNS over HTTPS), DoQ (DNS over QUIC) and other independent projects such as DNSCrypt and Oblivious DNS, each with their respective strengths and weaknesses.
In the case of DoT specifically, the technical community considers it the most natural evolution of DNS: it keeps the DNS message format unchanged and simply carries it over TLS on TCP port 853, and it is a free, already standardized technology (RFC 7858).
Last year, LACNIC conducted a study to measure the availability of DoT on resolvers in Latin America and the Caribbean by analyzing open data sources. Measuring which resolvers offer DoT gives a picture of how far the region's customers can actually start using DNS privacy today.
Beyond obtaining these preliminary measurements, the objective was to repeat the measurement during 2023 in order to track how the use of encrypted DNS traffic evolves.
We relied on three sources. First, a list of 33 public resolver services, used to study whether clients in the region can send DoT queries to them. Second, a set of resolvers that accept classic DNS queries from anywhere on the Internet; for each of these we attempted a DNS-over-TLS query against the same IP address that serves plain DNS. Finally, RIPE Atlas, a global, open, distributed Internet measurement platform whose probes, hosted in different countries of the region, can send queries to resolvers inside their own networks. Through this last measurement we identified more than 300 active probes that returned data.
The first results of this study show a modest start to the use of DoT in Latin America and the Caribbean: among open resolvers, 7.9% of those reachable over IPv6 and 1.2% of those reachable over IPv4 also answered DoT queries.
We also found that between 3.5% and 13.3% of the queries sent from probes within the LAC region to known DoT-capable resolvers failed. This may indicate network obstacles (for example, TCP port 853 being filtered along the path) that would prevent the service from reaching 100% of customers.
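The same-IP check described above (plain DNS on UDP/53, then DNS over TLS on TCP/853 against the same address) and the distinction between a resolver that answers, one that times out, and one that resets or fails the TLS handshake can be reproduced with a small probe. The following script is an added example, not LACNIC's measurement code: it builds a raw DNS query, frames it with the two-byte length prefix that DoT shares with DNS over TCP (RFC 7858), and classifies the outcome. The query name `example.com` and the documentation address `192.0.2.1` in the comments are assumptions; the TLS certificate is deliberately not verified, because the goal is to detect a listener, not to decide whether a client should trust it.

```python
"""Probe whether a resolver that answers classic DNS also answers DNS over TLS
on the same IP address. Added example; not part of the original article."""
import secrets
import socket
import ssl
import struct
from typing import Optional

DNS_PORT, DOT_PORT = 53, 853


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, qid: Optional[int] = None) -> tuple:
    """Minimal recursive query (RD set), one question, no EDNS. Returns (id, bytes)."""
    if qid is None:
        qid = secrets.randbelow(0x10000)  # random ID, as a real stub would use
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    return qid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a name, handling compression pointers (0xC0..)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes, expected_id: int) -> dict:
    """Decode the header and collect IPv4 addresses from A records in the answer."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!6H", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip qtype and qclass
    addrs = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"id_match": rid == expected_id, "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "ancount": an, "addresses": addrs}


def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_framed(sock) -> bytes:
    """Read one length-prefixed DNS message from a TCP or TLS socket."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def probe_udp(ip: str, name: str = "example.com", timeout: float = 3.0) -> dict:
    """Classic DNS over UDP/53: the baseline that every open resolver answers."""
    qid, query = build_query(name)
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ip, DNS_PORT))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, qid)


def probe_dot(ip: str, name: str = "example.com", timeout: float = 3.0) -> dict:
    """DNS over TLS on TCP/853 against the same IP. Certificate NOT verified:
    this measures whether a DoT listener exists, not whether it is trustworthy."""
    qid, query = build_query(name)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["dot"])  # ALPN identifier registered for DoT
    raw = socket.create_connection((ip, DOT_PORT), timeout=timeout)
    with ctx.wrap_socket(raw) as tls:
        tls.sendall(frame(query))
        data = recv_framed(tls)
    result = parse_response(data, qid)
    result["tls_version"] = tls.version()
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1]  # resolver IP, e.g. a public resolver from the list
    for label, fn in (("udp/53", probe_udp), ("dot/853", probe_dot)):
        try:
            print(label, fn(target))
        except socket.timeout:
            print(label, "timeout (port filtered or no listener)")
        except (ConnectionRefusedError, ConnectionResetError) as exc:
            print(label, "refused/reset:", exc)
        except ssl.SSLError as exc:
            print(label, "TLS handshake failed:", exc)
```

Run it as `python probe.py <resolver-ip>`. A resolver that answers on UDP/53 but times out on 853 is what the article's "network obstacles" look like from a probe; a refused connection means the host is reachable but runs no DoT listener; an `SSLError` means a listener exists but does not speak TLS as expected. Only the first of these should be counted as a path problem rather than a resolver without DoT.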
We concluded that the availability of DoT in our region can already be detected, despite the newness of the technology and the limitations of the available data sources. Adoption is currently low, but the platform built for this study will allow us to measure its evolution over time.
We invite you to read the full article here.