Measuring DNS over TCP in the Era of Increasing DNS Response Sizes: A View from the Edge

TL;DR

This study analyzes the use of DNS over TCP from the edge, revealing that while generally slower, DoTCP is increasingly necessary due to larger DNS responses, but support and reliability issues remain, especially with probe resolvers.

Contribution

It provides the first large-scale measurement of DoTCP performance from the edge, highlighting current limitations and future challenges for DNS over TCP adoption.

Findings

DoTCP is slower than DoUDP, with response times up to 37% longer.

Public resolvers support DoTCP but lack optimizations, indicating room for improvement.

Probe resolvers often fail DoTCP queries, violating standards and risking future reliability issues.

Abstract

The Domain Name System (DNS) is one of the most crucial parts of the Internet. Although the original standard defined the usage of DNS over UDP (DoUDP) as well as DNS over TCP (DoTCP), UDP has become the predominant protocol used in the DNS. With the introduction of new Resource Records (RRs), the sizes of DNS responses have increased considerably. Since this can lead to truncation or IP fragmentation, the fallback to DoTCP as required by the standard ensures successful DNS responses by overcoming the size limitations of DoUDP. However, the effects of the usage of DoTCP by stub resolvers are not extensively studied to this date. We close this gap by presenting a view at DoTCP from the Edge, issuing 12.1M DNS requests from 2,500 probes toward Public as well as Probe DNS recursive resolvers. In our measurement study, we observe that DoTCP is generally slower than DoUDP, where the relative increase in Response Time is less than 37% for most resolvers. While optimizations to DoTCP can be leveraged to further reduce the response times, we show that support on Public resolvers is still missing, hence leaving room for optimizations in the future. Moreover, we also find that Public resolvers generally have comparable reliability for DoTCP and DoUDP. However, Probe resolvers show a significantly different behavior: DoTCP queries targeting Probe resolvers fail in 3 out of 4 cases, and, therefore, do not comply with the standard. This problem will only aggravate in the future: As DNS response sizes will continue to grow, the need for DoTCP will solidify.