The Evolution of Domain Name Service (DNS) Security and Privacy (2024)

By Jeff Van Dyke, Akamai; Ralf Weber, Akamai; Mark Dokter, Akamai; Bruce Van Nice, Akamai

Encrypted Domain Name Service (DNS) provides confidentiality and integrity for queries between a client and its resolver, and lets the client authenticate that resolver (it does not by itself validate the answers; that remains the role of DNSSEC). There are no technical obstacles to deploying it; recent standardization efforts have addressed the operational gap of how clients discover and connect to encrypted resolvers. There are notable success stories, yet overall usage remains low, less than 20% by our estimates. By comparison, Hypertext Transfer Protocol Secure (HTTPS) is the default protocol for 86% of web sites (W3Techs, 2024). End users interact directly with browsers and are more familiar with HTTP(S) than with DNS, which operates “under the hood”. They expect encrypted protocols to be used, even though a technical comparison of the two use cases is nuanced.

Growing tracking concerns have led to privacy-focused approaches such as oblivious DNS. It builds on encrypted DNS by routing the encrypted query through a relay: the relay sees the client’s address but not the query, and the resolver sees the query but not the client’s address, so no single party, including the network provider, can associate a user’s identity with queries and answers. These services have been driven by device and operating system (OS) providers, such as Apple, who use privacy to differentiate their ecosystems. Google has proposed a similar service; others may follow (Google, 2024).
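The party split that oblivious DNS relies on, as an added example that is not part of the paper: a client, a relay and a target modelled in Python, with each party logging only what it can actually see. The real protocol (Oblivious DoH, RFC 9230) encrypts the DNS message to the target’s HPKE public key and carries it in an HTTPS body; the cipher below is a SHA-256 keystream stand-in assumed for illustration only (not secure), and the addresses, key and query name are constructed sample data.

```python
"""Added illustration, not code from the paper: the client / relay / target
split of Oblivious DoH (RFC 9230), modelled offline on the standard library.

Assumptions: the cipher is a toy keystream standing in for HPKE (NOT secure);
addresses come from the RFC 5737 documentation ranges; the target's key is a
constructed placeholder for its HPKE key pair.
"""
import hashlib
import os
import struct

CLIENT_IP = "198.51.100.7"   # constructed sample address (RFC 5737)
RELAY_IP = "203.0.113.5"     # constructed sample address (RFC 5737)


def toy_seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for HPKE seal/open: XOR with a SHA-256 keystream.
    Symmetric, so the same call encrypts and decrypts. Not a real AEAD."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def resp_nonce(nonce: bytes) -> bytes:
    """Derive a distinct nonce for the response so the toy keystream is not reused."""
    return hashlib.sha256(b"response" + nonce).digest()[:12]


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 wire-format query for an A record (RD bit set)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def parse_qname(msg: bytes) -> str:
    """Read the QNAME following the 12-byte header (queries use no compression)."""
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


class Target:
    """Resolver endpoint: decrypts and sees the query, but only the relay's address."""
    def __init__(self):
        self.key = b"target-private-key"  # assumed stand-in for the HPKE key pair
        self.log = []

    def handle(self, src_ip: str, envelope: bytes) -> bytes:
        nonce, ciphertext = envelope[:12], envelope[12:]
        query = toy_seal(self.key, nonce, ciphertext)
        self.log.append({"src_ip": src_ip, "qname": parse_qname(query)})
        # Response: same ID, QR/RD/RA flags, ANCOUNT=1, original question, then one
        # A record whose name is a compression pointer (0xC00C) to the question name.
        txid = struct.unpack(">H", query[:2])[0]
        header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
        return toy_seal(self.key, resp_nonce(nonce), header + query[12:] + rr)


class Relay:
    """Proxy: sees the client's address but only an opaque payload."""
    def __init__(self, target: Target):
        self.target = target
        self.log = []

    def handle(self, src_ip: str, envelope: bytes) -> bytes:
        self.log.append({"src_ip": src_ip, "payload_hex": envelope.hex()})
        return self.target.handle(RELAY_IP, envelope)  # target sees the relay, not the client


def client_resolve(name: str, relay: Relay, target_key: bytes) -> str:
    """Client: encrypt the query to the target's key, send via the relay, read the A record."""
    nonce = os.urandom(12)
    envelope = nonce + toy_seal(target_key, nonce, build_query(name))
    reply = relay.handle(CLIENT_IP, envelope)
    response = toy_seal(target_key, resp_nonce(nonce), reply)
    return ".".join(str(b) for b in response[-4:])  # RDATA is the final 4 bytes


def run_exchange(name: str = "example.com") -> dict:
    """Run one oblivious lookup and return what each party observed."""
    target = Target()
    relay = Relay(target)
    answer = client_resolve(name, relay, target.key)
    return {"answer": answer, "relay_log": relay.log, "target_log": target.log}


if __name__ == "__main__":
    print(run_exchange())
```

The point for an operator is in the two logs: the relay’s record carries the subscriber address and an opaque blob, the target’s record carries the name and only the relay address. Neither log alone, nor the network provider watching the encrypted channel, can reconstruct who asked for what; that is exactly the visibility the paper’s later sections are concerned with.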

These over-the-top services bypass the network provider’s DNS entirely. That poses challenges for operators who rely on their DNS as a control plane for troubleshooting and compliance, and as a foundation for value-added services such as security.

Oblivious DNS services are new and adoption is still low. Now is the time for ISPs to evaluate their DNS strategies to minimize the disruption these services may cause to their business and operations.

This paper will provide a technical overview of oblivious DNS and give perspective on its adoption and direction. It will explain the recent standards for connecting clients with encrypted resolvers and what they mean for network providers. Finally, it will present best practices and recommendations, based on deployment experience, for implementing DNS encryption in a way that maximizes subscribers’ confidence in network-based services. Service providers have an opportunity to innovate and demonstrate their commitment to subscriber security and privacy while preserving the DNS visibility needed to meet regulatory requirements and to enable subscriber-facing services.
