Enhanced Performance and Privacy via Resolver-Less DNS

TL;DR

This paper introduces a resolver-less DNS mechanism using an HTTP response header, reducing DNS lookup times and enhancing user privacy and censorship resistance without compromising security.

Contribution

It proposes a novel DNS approach that eliminates the need for recursive resolvers, improving performance and privacy while maintaining security guarantees.

Findings

Reduces DNS lookup time by at least 80ms for long round-trip users.

Decreases number of DNS lookups, enhancing privacy.

Maintains or improves security against tampering and censorship.

Abstract

The domain name resolution into IP addresses can significantly delay connection establishments on the web. Moreover, the common use of recursive DNS resolvers presents a privacy risk as they can closely monitor the user's browsing activities. In this paper, we present a novel HTTP response header allowing web server to provide their clients with relevant DNS records. Our results indicate, that this resolver-less DNS mechanism allows user agents to save the DNS lookup time for subsequent connection establishments. We find, that this proposal saves at least 80ms per DNS lookup for the one percent of users having the longest round-trip times towards their recursive resolver. Furthermore, our proposal decreases the number of DNS lookups and thus improves the privacy posture of the user towards the used recursive resolver. Comparing the security guarantees of the traditional DNS to our proposal, we find that resolver-less DNS achieves at least the same security properties. In detail, it even improves the user's resilience against censorship through tampered DNS resolvers.