Measuring the Performance of Encrypted DNS Protocols from Broadband Access Networks
Until recently, DNS traffic was unencrypted, leaving users vulnerable to eavesdropping and tampering. In response to these privacy concerns, two protocols have been proposed: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). Previous work has demonstrated that, in general, response times with popular DoT and DoH resolvers are marginally slower than conventional DNS, but sometimes faster on emulated lossy networks. However, these measurements were not taken from home networks, nor at scale from many vantage points. Furthermore, they do not capture performance on real networks with low bandwidth or high latency and packet loss. In this paper, we study the performance of encrypted DNS protocols and DNS from thousands of home networks in the United States, over one month in 2020. We perform these measurements from the homes of 2,768 participating panelists in the Federal Communications Commission's (FCC) Measuring Broadband America program. We find that, across the aggregate dataset, median DoT and DoH response times are as much as 7 ms and 23.2 ms slower than conventional DNS. We study the effects of latency, bandwidth, and heterogeneity between Internet service providers on DNS performance and find that latency had the most significant effect on response times, particularly for DoH. We also find that there can be significant variation in DNS performance between resolvers, with median query response times differing by as much as 23.7 ms.
READ FULL TEXT