D-DNS: Towards Re-Decentralizing the DNS

02/20/2020
by Austin Hounsel, et al.

Nearly all Internet services rely on the Domain Name System (DNS) to resolve human-readable names to IP addresses. However, the content of DNS queries and responses can reveal private information, from the websites that a user visits to the types of devices on a network. Industry and researchers have responded in recent years to the inherent privacy risks of DNS information, focusing on tunneling DNS traffic over encrypted transport and application protocols. One such mechanism, DNS-over-HTTPS (DoH), places DNS functionality directly in the web browser itself to direct DNS queries to a trusted recursive resolver (resolver) over encrypted HTTPS connections. The DoH architecture solves privacy risks (e.g., eavesdropping) but introduces new concerns, including those associated with the centralization of DNS queries to the operator of a single recursive resolver that is selected by the browser vendor. It also introduces potential performance problems: if a client's resolver is not proximal to the content delivery network (CDN) that ultimately serves the content, the CDN may fail to optimally localize the client. In this paper, we revisit the trend towards centralized DNS and explore re-decentralizing this critical Internet protocol, such that clients might leverage multiple DNS resolvers when resolving domain names and retrieving content. We propose and evaluate several candidate decentralized architectures, laying the groundwork for future research to explore decentralized, encrypted DNS architectures that strike a balance between privacy and performance.
