IETF Logo Mail Archive

Re: [dns-privacy] some DNS privacy implementation benchmark

Christian Huitema <huitema@huitema.net> Sun, 13 August 2017 00:37 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 154E0132380 for <dns-privacy@ietfa.amsl.com>; Sat, 12 Aug 2017 17:37:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BA-Rrx1eKSBM for <dns-privacy@ietfa.amsl.com>; Sat, 12 Aug 2017 17:37:07 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E24F21323B4 for <dns-privacy@ietf.org>; Sat, 12 Aug 2017 17:37:06 -0700 (PDT)
Received: from xsmtp24.mail2web.com ([168.144.250.190] helo=xsmtp04.mail2web.com) by mx6.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1dggtn-00061v-HZ for dns-privacy@ietf.org; Sun, 13 Aug 2017 02:37:05 +0200
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp04.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1dggtF-0006lS-KJ for dns-privacy@ietf.org; Sat, 12 Aug 2017 20:36:56 -0400
Received: (qmail 11890 invoked from network); 13 Aug 2017 00:36:23 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.56.42.186]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dns-privacy@ietf.org>; 13 Aug 2017 00:36:22 -0000
To: dns-privacy@ietf.org
References: <861sogika3.fsf@emacs.strotmann.de>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <d0d2810a-dc88-675f-5364-36a89e11d351@huitema.net>
Date: Sat, 12 Aug 2017 17:36:21 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <861sogika3.fsf@emacs.strotmann.de>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: 168.144.250.190
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.17)
X-Recommended-Action: accept
X-Filter-ID: PqwsvolAWURa0gwxuN3S5YEa3T7JuZT23fGO2rGt3ZgTCGhDnudOJ80D1c8rffxrus7BTv7Ss8cH d2IQQuvdbtM+m4WpRRDP6YzwkAPgQJYoNzrMVvavOgy+9M5kGys4ND46yZLY9QyX+cRXmooQ3hum JwiT+2brWmQlzkLIcXivpIH4ag6BM/+u9ym+BA23bWROh6/H1+1tQLE5wSFWONSM4jd3ClxbkF2U h0iAyfJ95+flvWPOwEzJbaeY40EjYOEkjsX7F8KmpUaZQHV+ScWIfGf9Fu8q9UhMPe0GR5O2G5Pj 7iQJEmtNUzH3idZ6uMF2OhyCCCV83x+RZrKIj0QqMGQOSwmEPwP4wBzM77N8GvkYGGDFjg9NrmGY yNnXsSjdYwfRhjHqxQXDsBKLpKs+iZ7+uSas6Kaz0EAgJQD6lO4FGen962xgCFRckncKfg1XSK9P 1z/R6plfrFWGyTNwi+w0SChxHdK7tla39yzeNHk15VolAGHS5rCXQKDym+Gab6cuAPzLi/SdAxlO dgkraHgbbAuZgv0Q6mJ3vUcipz1IT62ZEk6+MmovaufbiR3bHfnMCIEU+nrglojKwMr3vOY18GvB wSXAfWcj236P3lKmWAnD6TmGOcphJKQyWezJa7xDQcOg5ET5/LmCvakjSWDcjZyDseb0cBFM1p7J 0ZI2Cud2W8ULqpclZpX6+ln3SmdyWNNJvR4I+Hp8ZcbZXx2HvjUnW6/hzaO3hBYd4k9BQeV6h8mU exU1wyIBe+fIXY1E4hLwh/WcmhlU3xklgDtVC2Xqa4QCRhTuoCmXPUJkXUk8tGhJsBnmMDbaKcNO SCytRyeT1c4b6jF7f/DKzfOCXnJQjcl9DhaIFtxx9jwrAA4q8w8yByBTCtrrNAiDYl3JQgId/2uR tInPuw==
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ZJS6mo-TWpm5D_L0fZ4AAQmi1TU>
Subject: Re: [dns-privacy] some DNS privacy implementation benchmark
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Aug 2017 00:37:09 -0000


On 8/12/2017 1:49 PM, Carsten Strotmann wrote:
> Hi,
>
> I did a simple (and naive) benchmark of different DNS privacy
> implementations available.
...
>
> The DNSCrypt resolver was randomly chosen by the software.
>
>  Protocol/Software                      Time (Sec)  Privacy  DNSSEC 
> --------------------------------------------------------------------
>  Google DNS (UDP)                               64  --       +      
>  DNS-over-TLS (dnsfwd+stunnel)                  67  ++       -      
>  local Unbound w/o DNSSEC                      146  -        -      
>  local Unbound w. DNSSEC                       163  -        +      
>  DNS-over-DNSCrypt (ns0.dnscrypt.is)           243  ++       +      
>  DNS-over-Tor                                  254  ++       -      
>  DNS-over-TLS (Unbound+dnsfwd+stunnel)         258  ++       +      
>  DNS-over-TLS (Unbound+stunnel)                444  ++       +      
>  DNS-over-TLS (Unbound buildin TLS)            647  ++       +      

These are interesting measurements, but they mix three variables: the
transport protocol, the RTT between stub and resolver, and the amount of
caching at the resolver.

In my simulations, the key variable is the Round Trip Time between stub
and resolver. The various transports differ in how they handle
connections, retransmission, and head of queue blocking, but these
effects are always expressed in terms of "number of additional RTT times
some probability", the probability generally being at most a few percents.

The other variable in a "stub to recursive" scenario is the amount of
caching done by the resolver. In standard stub to recursive scenarios,
the queries appear to be served from the cache 30% to 40% of the time --
with a better service at big resolvers such as large ISP or Google DNS.
This is because the cache is populated from requests of multiple
clients, plus probably some pre-fetching. Small resolvers typically have
lower cache rate. This matters, because the "recursive to authoritative"
part of the resolution is typically larger than the "stub to resolver" part.

In the unbound scenarios, were you using unbound as a local recursive
server?

> "Stubby" is missing, I having issues getting it to work, I will update
> this list once I've got "Stubby" working.
>
> As I have this setup now, is there an working implementation that is
> missing and should also be in the list?
>
> DNS-over-QUIC?
> DNS-over-HTTP(S)?
You probably need to wait until at least October for realistic
implementations of DNS over QUIC.

-- 
Christian Huitema

v2.23.0 | Report a Bug | By Email