TL;DR
PDoT introduces a privacy-preserving DNS-over-TLS architecture leveraging Trusted Execution Environments to enhance trust and security, with a practical implementation demonstrating comparable performance to existing solutions.
Contribution
The paper presents a novel architecture for private DNS-over-TLS using TEE and remote attestation, addressing scalability and trust issues in DNS privacy.
Findings
Latency and throughput comparable to Unbound DNS-over-TLS
Secure client authentication via remote attestation within TEE
Open-source implementation demonstrating practical viability
Abstract
Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there has been a trend toward protecting DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) how do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner; and (2) how can clients trust endpoints to behave as expected? In this paper, we propose a novel Private DNS-over-TLS (PDoT) architecture. PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment (TEE). Using Remote Attestation, DNS clients can authenticate the PDoT RecRes and receive strong assurance of its trustworthiness. We provide an open-source proof-of-concept implementation of PDoT and use it to experimentally demonstrate that its latency and throughput match those of the popular Unbound DNS-over-TLS resolver.