Measuring the Availability and Response Times of Public Encrypted DNS Resolvers

Ranya Sharma, Nick Feamster

TL;DR

This paper addresses the privacy and performance implications of encrypted DNS by evaluating a broad set of DNS-over-HTTPS resolvers beyond the mainstream. It uses a global measurement framework with 91 resolvers and vantage points in home networks and cloud environments to compare availability and latency across regions. The findings show that while mainstream DoH providers are typically faster and more consistently available, many non-mainstream resolvers suffer from higher latency and variability, though some regions host non-mainstream resolvers that perform on par with mainstream options. The work demonstrates the need for greater resolver diversity and global distribution to improve privacy, resilience, and user choice, and releases an open-source measurement tool to enable replication and extension of the study.

Abstract

Unencrypted DNS traffic between users and DNS resolvers can lead to privacy and security concerns. In response to these privacy risks, many browser vendors have deployed DNS-over-HTTPS (DoH) to encrypt queries between users and DNS resolvers. Today, many client-side deployments of DoH, particularly in browsers, select between only a few resolvers, despite the fact that many more encrypted DNS resolvers are deployed in practice. Unfortunately, if users only have a few choices of encrypted resolver, and only a few perform well from any particular vantage point, then the privacy problems that DoH was deployed to help address merely shift to a different set of third parties. It is thus important to assess the performance characteristics of more encrypted DNS resolvers, to determine how many options for encrypted DNS resolvers users tend to have in practice. In this paper, we explore the performance of a large group of encrypted DNS resolvers supporting DoH by measuring DNS query response times from global vantage points in North America, Europe, and Asia. Our results show that many non-mainstream resolvers have higher response times than mainstream resolvers, particularly for non-mainstream resolvers that are queried from more distant vantage points -- suggesting that most encrypted DNS resolvers are not replicated or anycast. In some cases, however, certain non-mainstream resolvers perform at least as well as mainstream resolvers, suggesting that users may be able to use a broader set of encrypted DNS resolvers than those that are available in current browser configurations.
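An added example (not the paper's released measurement tool) of the basic measurement the abstract describes: one DNS-over-HTTPS query in RFC 8484 wire format sent over POST, with its response time recorded and summarized. The resolver URL is a placeholder, and the timing samples used with `summarize()` are constructed.

```python
# Added example, not the paper's tool: time a single RFC 8484 DoH query
# using only the Python standard library, then summarize collected samples.
import struct
import time
import urllib.request


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS wire-format query for `name` (type A by default).
    RFC 8484 recommends a transaction ID of 0 so responses are cacheable."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_rcode(response: bytes) -> int:
    """Return the RCODE (low 4 bits of the flags word) from a DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return flags & 0x000F


def time_doh_query(url: str, name: str, timeout: float = 5.0) -> dict:
    """POST the query to a DoH endpoint and report wall-clock response time.
    A fresh connection is used each call, so TLS setup is included, which is
    the user-visible cost a response-time measurement wants to capture."""
    req = urllib.request.Request(
        url, data=build_dns_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    start = time.perf_counter()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    return {"ms": elapsed_ms, "rcode": parse_rcode(body)}


def summarize(samples_ms: list) -> dict:
    """Median and 95th percentile (nearest-rank) of timing samples in ms."""
    s = sorted(samples_ms)
    def pct(p):
        return s[min(len(s) - 1, int(round(p * (len(s) - 1))))]
    return {"median_ms": pct(0.5), "p95_ms": pct(0.95), "n": len(s)}


if __name__ == "__main__":
    # Placeholder endpoint: substitute any resolver's DoH URL to measure it.
    runs = [time_doh_query("https://RESOLVER.example/dns-query", "example.com")
            for _ in range(5)]
    print(summarize([r["ms"] for r in runs]))
```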

Paper Structure (30 sections, 4 figures, 3 tables)

This paper contains 30 sections, 4 figures, 3 tables.

Figures (4)

  • Figure 1: The DNS response time and ICMP ping time distributions for encrypted DNS resolvers located in North America, measured from an EC2 instance in Ohio. The plot shows distributions for both DNS response times and ICMP round-trip latency. Mainstream resolvers are shown in boldface. Results for other vantage points are shown in Figures 2--3 in the Appendix.
  • Figure 2: The DNS response time and ICMP ping time distributions for encrypted DNS resolvers located in North America, measured from global vantage points. Mainstream resolvers are shown in boldface across all three sub-figures.
  • Figure 3: The DNS response time and ICMP ping time distributions for encrypted DNS resolvers located in Europe, measured from global vantage points. Mainstream resolvers are shown in boldface across all three sub-figures.
  • Figure 4: The DNS response time and ICMP ping time distributions for encrypted DNS resolvers located in Asia, measured from global vantage points. Mainstream resolvers are shown in boldface across all three sub-figures.