Analyzing the Costs and Benefits of DNS, DoT, and DoH for the Modern Web

Austin Hounsel* Kevin Borgolte* Paul Schmitt*Jordan Holland* Nick Feamster†

Princeton University* University of Chicago†1

DNS Privacy Has Become a Significant Concern

● On-path observers can spy on traditional DNS (Do53)

● Two protocols have been proposed to encrypt DNS traffico DNS-over-TLS (DoT)

o DNS-over-HTTPS (DoH)

2

Contributions

● Extensive performance study of Do53, DoT, and DoHo Query response times

o Page load times

o Emulated network conditions

● Measurements from five global vantage points

3

Unexpected Finding

● Despite higher response times, page load times with

encrypted DNS transports can be faster than Do53

4

DNS Responses from Cloudflare at Ohio

5

0 100 200D1S 5HsSRnsH 7iPH (Ps)

0.00

0.25

0.50

0.75

1.00

3rRb

Dbili

ty

ClRudflDrH DR53ClRudflDrH DRH

ClRudflDrH DR7DHfDult DR53

0 15000

1

DoH catches up to Do53 in tailDoH outperforms

25% of DoT queries

DNS Responses from Google at Ohio

6

0 100 200D1S 5HsSRnsH 7iPH (Ps)

0.00

0.25

0.50

0.75

1.00

3rRb

Dbili

ty

DHfDult DR53GRRglH DR53

GRRglH DRHGRRglH DR7

0 15000

1DoH catches up

to Do53/DoT

DNS Responses from Quad9 at Ohio

7

0 100 200D1S 5HsSRQsH 7iPH (Ps)

0.00

0.25

0.50

0.75

1.00

3rRb

Dbili

ty

DHfDult DR53QuDd9 DR53

QuDd9 DRHQuDd9 DR7

0 15000

1

DoH outperforms DoT for almost

all queries

DoH catches up to Do53 in the

tail

Takeaway: DoH Can Outperform Do53

● DoH has a higher mean but lower variance

● Several possible explanationso HTTP caching at the edge

o Wire format caching

8

Emulated Cellular Conditions

● We emulated 4G, lossy 4G, and 3G network conditionso DoH and DoT are starting to be offered on phones

o Performance may be significantly different

9

Page Loads with Cloudflare at Ohio

10

Diff ≥ 1s 0.1s ≤ Diff < 1s 0.03s ≤ Diff < 0.1s -0.03s < Diff < 0.03s -0.1s < Diff ≤ -0.03s -1s < Diff ≤ -0.1s Diff ≤ -1s

-10 -1 0 1 103DgH LoDd TLPH DLffHrHncH (sHconds)

0.0

0.2

0.4

0.6

0.8

1.0

3rob

DbLlL

ty

CloudflDrH DoH - CloudflDrH Do53

-10 -1 0 1 103Dge LoDd TLPe DLfference (seconds)

0.0

0.2

0.4

0.6

0.8

1.0

3rob

DbLlL

ty

CloudflDre DoT - CloudflDre Do53

DoT was 1ms slower than Do53

DoH was 19ms slower than Do53

Page Loads with Cloudflare at Ohio (4G)

11

Diff ≥ 1s 0.1s ≤ Diff < 1s 0.03s ≤ Diff < 0.1s -0.03s < Diff < 0.03s -0.1s < Diff ≤ -0.03s -1s < Diff ≤ -0.1s Diff ≤ -1s

-10 -1 0 1 103DgH LoDd TLPH DLffHrHncH (sHconds)

0.00.20.40.60.81.0

3rob

DbLlL

ty

CloudflDrH DoH - CloudflDrH Do53

-10 -1 0 1 103Dge LoDd TLPe DLfference (seconds)

0.0

0.2

0.4

0.6

0.8

1.0

3rob

DbLlL

ty

CloudflDre DoT - CloudflDre Do53

DoT was 1ms faster than Do53

DoH was 70ms slower than Do53

Page Loads with Cloudflare at Ohio (Lossy 4G)

12

Diff ≥ 1s 0.1s ≤ Diff < 1s 0.03s ≤ Diff < 0.1s -0.03s < Diff < 0.03s -0.1s < Diff ≤ -0.03s -1s < Diff ≤ -0.1s Diff ≤ -1s

-10 -1 0 1 103DgH LoDd TLPH DLffHrHncH (sHconds)

0.0

0.2

0.4

0.6

0.8

1.0

3rob

DbLlL

ty

CloudflDrH DoH - CloudflDrH Do53

-10 -1 0 1 103Dge LoDd TLPe DLfference (seconds)

0.0

0.2

0.4

0.6

0.8

1.0

3rob

DbLlL

ty

CloudflDre DoT - CloudflDre Do53

DoT was 62ms faster than Do53

DoH was 20ms faster than Do53

Page Loads with Cloudflare at Ohio (3G)

13

Diff ≥ 1s 0.1s ≤ Diff < 1s 0.03s ≤ Diff < 0.1s -0.03s < Diff < 0.03s -0.1s < Diff ≤ -0.03s -1s < Diff ≤ -0.1s Diff ≤ -1s

-10 -1 0 1 103DgH LoDd TLPH DLffHrHncH (sHconds)

0.00.20.40.60.81.0

3rob

DbLlL

ty

CloudflDrH DoH - CloudflDrH Do53

-10 -1 0 1 103Dge LoDd TLPe DLfference (seconds)

0.00.20.40.60.81.0

3rob

DbLlL

ty

CloudflDre DoT - CloudflDre Do53

DoT was 197ms slower than Do53

DoH was 260ms slower than Do53

Takeaway: TCP Helps Page Load Times

● TCP packets can be retransmitted after 2x RTT

● Timeout of Do53 is set to 5 seconds by default in Linux

14

Summary

● Extensive performance study of Do53, DoT, and DoHo Query response times

o Page load times

o Emulated network conditions

● Future work: performance analyses over diverse networks

15