DNS Encryption: Exposure or Opportunity? (2020)

By Mark Dokter & Bruce Van Nice, Akamai

Encrypting DNS traffic has been a focus of the IETF for several years, and in late 2018 two standards were formalized for use between clients (stub resolvers) and resolvers: DNS over TLS and DNS over HTTPS. Numerous implementations have appeared, and DNS encryption has become a visible topic in industry media.

It’s a testament to the original design that the way the DNS operates has remained largely unchanged for more than 30 years since the protocol was originally specified. Stub resolvers on clients (typically configured from a local network with a protocol like DHCP) send queries to a caching resolver which, in turn, talks to authoritative DNS servers that provide answers to queries.

DNS encryption changes the transport protocols and, due to some design choices, opens up the possibility of significant changes in the way client devices behave. This paper discusses these changes and their potential impact on service providers. It also offers guidance about how to address encrypted DNS deployments, summarized below:

  • Communicate about privacy and security practices so subscribers are aware of how their service is protected and privacy is preserved
  • Implement Best Practices for DNS resolution to ensure services are performant, resilient, and always available
  • Understand the new DNS encryption protocols and how they can be deployed, and participate in the formulation of standards to ensure they can be scaled and operationalized
  • Consider additional services that protect subscribers and further enhance their privacy by preventing loss of personal data
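The abstract's point that DNS encryption changes the transport, not the DNS message itself, is easiest to see on the wire. The following Python is an added example (not from the paper or from Akamai): it builds the same standard query a stub resolver would send, wraps it the way DNS over HTTPS (RFC 8484 GET form, base64url without padding) and DNS over TLS (RFC 7858, the two-byte length prefix also used for DNS over TCP) carry it, and parses a constructed response. The response bytes, the name `example.com` and the address `192.0.2.1` are constructed sample data; nothing is sent on the network.

```python
import base64
import struct
from typing import List, Tuple


def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Standard recursive query (RD=1) with one question.

    The bytes are identical whether they travel over UDP/53, DoT or DoH;
    only the wrapping below differs.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_path(msg: bytes) -> str:
    """RFC 8484 GET form: the message goes in the 'dns' parameter, base64url, no padding."""
    b64 = base64.urlsafe_b64encode(msg).decode("ascii").rstrip("=")
    return "/dns-query?dns=" + b64


def doh_get_decode(path: str) -> bytes:
    """Inverse of doh_get_path: restore padding and decode the 'dns' parameter."""
    b64 = path.split("dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)
    return base64.urlsafe_b64decode(b64)


def dot_frame(msg: bytes) -> bytes:
    """RFC 7858 framing inside the TLS session: two-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following compression pointers; returns (name, next offset)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_a_records(msg: bytes) -> List[Tuple[str, str, int]]:
    """Return (name, ipv4, ttl) for each A record in the answer section of a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


# Constructed sample response (not captured traffic): txid 0, QR=1 RD=1 RA=1,
# one question and one A answer whose owner name is a pointer to offset 12.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("plain UDP payload :", q.hex())
    print("DoT frame         :", dot_frame(q).hex())
    print("DoH GET path      :", doh_get_path(q))
    print("parsed answer     :", parse_a_records(CONSTRUCTED_RESPONSE))
```

What the output makes visible: on port 53 the whole query and answer are readable by any on-path device; with DoT the same bytes sit inside a TLS session on port 853, so only the length-prefixed framing is hidden; with DoH they are one HTTPS request among all the others on port 443, which is why a client's DoH resolver choice is not something a network can observe or redirect the way it could with DHCP-assigned plaintext DNS.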

Similar Papers

Creating Confidence Among Subscribers Faced with Growing Cyberthreats
By Bruce Van Nice, Akamai
Building a Business Service in the Cloud
By Adrian Beaudin & Bruce Van Nice, Akamai
Encrypted DNS From Pilot To Production
By Joe Crowe, Janardhan Bollineni, Charlie Helfinstine, Thomas Modayil Jacob; Comcast
BGP Info Over DNS
By Tony Tauber, Comcast; Charlie Helfinstine, Comcast; Mark Feldman, Comcast
DNS Cowboys, On the Edge of a New Frontier
By Charlie Helfinstine, Comcast; De Fu Li, Comcast; Eric Stonfer, Comcast; Joe Crowe, Comcast
When Security and Privacy Collide: New Approaches are Needed
By Sandy Wilbourn & Craig Sprosts, Akamai
Conditional Access And Encryption Options For Digital Compression Systems
By Tony Wechselberger, TV/COM International
Encryption Fundamentals - A Non-Technical Overview
By Anthony Wechselberger, Oak Communications, Inc.
Encryption-Based Security Systems: What Makes Them Different And How Well Are They Working?
By Anthony J. Wechselberger, Vice President, Engineering, OAK Communications Inc.
Enabling Encryption and Algorithm Revocation for Post-Quantum DOCSIS Certificates
By Dr. Massimiliano Pala, Cable Television Laboratories, Inc.