Exploring the Ecosystem of DNS HTTPS Resource Records: An End-to-End Perspective

Hongying Dong, Yizhe Zhang, Hyeonmin Lee, Shumon Huque, Yixin Sun

TL;DR

This work performs a longitudinal study on the server-side deployment of DNS HTTPS for Tranco top million domains, as well as an analysis of the client-side support for DNS HTTPS through snapshots from major browsers.

Abstract

The DNS HTTPS resource record is a new DNS record type designed for the delivery of configuration information and parameters required to initiate connections to HTTPS network services. In addition, it is a key enabler for TLS Encrypted ClientHello (ECH) by providing the cryptographic keying material needed to encrypt the initial exchange. To understand the adoption of this new DNS HTTPS record, we perform a longitudinal study on the server-side deployment of DNS HTTPS for Tranco top million domains, as well as an analysis of the client-side support for DNS HTTPS through snapshots from major browsers. To the best of our knowledge, our work is the first longitudinal study on DNS HTTPS server deployment, and the first known study on client-side support for DNS HTTPS. Despite the rapidly growing trend of DNS HTTPS adoption, our study highlights challenges and concerns in the deployment by both servers and clients, such as the complexity in properly maintaining HTTPS records and connection failure in browsers when the HTTPS record is not properly configured.

Paper Structure (94 sections, 14 figures, 9 tables)

Figures (14)

  • Figure 1: An example of HTTPS records.
  • Figure 2: Percentages of apex/www domains that publish HTTPS records. Vertical dashed line (on August 1st, 2023) denotes the source change of the Tranco list.
  • Figure 3: Number of non-Cloudflare DNS providers employed by domains that activate HTTPS records.
  • Figure 4: Percentage of domains based on the average duration of their ECH configuration.
  • Figure 5: Percentages of HTTPS records with RRSIG (solid line), RRSIG and AD bit (dashed line). Vertical dashed line (on August 1st, 2023) denotes Tranco source change.
  • ...and 9 more figures