35th Annual Computer Security Applications Conference (ACSAC 2019)

Full Program »
View File
View File

PDoT: Private DNS-over-TLS with TEE Support

Security and privacy of the Internet Domain Name System (DNS)have been longstanding concerns. Recently, there is a trend to protect DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) how do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner; and (2) how can clients trust endpoints to behave as expected? In this paper, we propose a novel Private DNS-over-TLS (PDoT) architecture. PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment (TEE). Using Remote Attestation, DNS clients can authenticate, and receive strong assurance of trustworthiness of PDoT RecRes. We provide an open-source proof-of-concept implementation of PDoT and use it to experimentally demonstrate that its latency and throughput match that of the popular Unbound DNS-over-TLS resolver.

Yoshimichi Nakatsuka
UC Irvine

Andrew Paverd

Gene Tsudik
UC Irvine


Powered by OpenConf®
Copyright©2002-2020 Zakon Group LLC