An Empirical Study of the Cost of DNS-over-HTTPS

TL;DR

This paper analyzes the security benefits and performance costs of DNS-over-HTTPS, showing that it offers enhanced security with only minimal impact on web page load times.

Contribution

It provides a comprehensive survey of DoH, compares it with DoT, and quantifies the performance overhead, highlighting its practicality and security advantages.

Findings

DoH has higher adoption than DoT due to its features.

Overheads of DoH are limited and have minimal impact on page load times.

DoH provides improved security with marginal performance costs.

Abstract

DNS is a vital component for almost every networked application. Originally it was designed as an unencrypted protocol, making user security a concern. DNS-over-HTTPS (DoH) is the latest proposal to make name resolution more secure. In this paper we study the current DNS-over-HTTPS ecosystem, especially the cost of the additional security. We start by surveying the current DoH landscape by assessing standard compliance and supported features of public DoH servers. We then compare different transports for secure DNS, to highlight the improvements DoH makes over its predecessor, DNS-over-TLS (DoT). These improvements explain in part the significantly larger take-up of DoH in comparison to DoT. Finally, we quantify the overhead incurred by the additional layers of the DoH transport and their impact on web page load times. We find that these overheads only have limited impact on page load times, suggesting that it is possible to obtain the improved security of DoH with only marginal performance impact.