An End-to-End, Large-Scale Measurement of DNS-over-Encryption:
How Far Have We Come?
Chaoyi Lu, Baojun Liu, Zhou Li, Shuang Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Ying Liu, Zaifeng Zhang, Jianping Wu

Domain Name System
The start of Internet activities... which says a lot about you.
[Diagram: DNS client → Resolver → Authoritative server; query "irtf.org?", answer 4.31.198.44]

DNS Privacy
Where are the risks?
[Diagram: DNS client → Resolver → Authoritative server, with three risks marked: eavesdropper, MITM interception, rogue server]

DNS Privacy
People could be watching our queries.
RFC 7626 on DNS privacy
The MORECOWBELL surveillance program of NSA

DNS Privacy
People could be watching our queries. And do stuff like:
Device fingerprinting [Chang ’15]
User behavior analysis [Kim ’15]
User tracking [Kirchler ’16]

DNS Privacy: What Has Been Done?
Three IETF WGs. Three standardized protocols. More implementations and tests coming...
Before ’14: DNSCurve & DNSCrypt
May. ’14: RFC 7258, Pervasive Monitoring Is an Attack
Sept. ’14: IETF DPRIVE WG
Jan. ’15: NSA’s MORECOWBELL revealed
Aug. ’15: RFC 7626, DNS Privacy Considerations
Mar. ’16: RFC 7816, QNAME Minimization
May. ’16: RFC 7858, DNS-over-TLS (DoT)
Feb. ’17: RFC 8094, DNS-over-DTLS
Apr. ’17: DNS-over-QUIC, initial draft
Sept. ’17: IETF DoH WG
Mar. ’18: RFC 8310, Usage Profile of DoT
Jun. ’18: Mozilla’s test of DoH
Oct ’18: RFC 8484, DNS-over-HTTPS (DoH)
Mar. ’19: Drafts on DoH deployment
Nov. ’19: DNS zone transfers using TLS, draft
Feb. ’20: IETF ADD WG

DNS-over-Encryption: Standard Protocols
DNS-over-TLS (DoT, RFC 7858, May 2016)
Uses TLS to wrap DNS messages.
Dedicated port 853.
Stub resolver update needed.
DNS-over-HTTPS (DoH, RFC 8484, Oct 2018)
Embeds DNS packets into HTTP messages.
Shared port 443.
More user-space friendly.

DNS-over-Encryption: Standard Protocols
Issuing DNS-over-TLS queries with kdig.
```
$ kdig @1.1.1.1 +tls example.com
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-128-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24012
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
```
Issuing DNS-over-HTTPS queries in a browser.
https://dns.google.com/resolve?name=example.com&type=A
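
What the two transports above put on the wire, as an added example that is not from the slides: the same DNS query framed for DoT (two-octet length prefix) and encoded for an RFC 8484 DoH GET or POST. The endpoint `https://doh.example/dns-query` is a placeholder and the function names are illustrative; the browser URL above uses Google's JSON interface, whereas RFC 8484 carries the binary DNS message built here.

```python
import base64
import struct

def encode_qname(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels (RFC 1035, section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """One-question query with RD set. RFC 8484 suggests ID 0 for DoH so that
    HTTP caches see identical requests for identical questions."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!2H", qtype, 1)  # class IN

def dot_frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a two-octet length, then the message."""
    return struct.pack("!H", len(msg)) + msg

def dot_unframe(stream: bytes) -> list:
    """Split bytes read from one reused DoT connection into DNS messages."""
    msgs, pos = [], 0
    while pos < len(stream):
        if pos + 2 > len(stream):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + n > len(stream):
            raise ValueError("truncated message")
        msgs.append(stream[pos + 2 : pos + 2 + n])
        pos += 2 + n
    return msgs

def doh_get_url(endpoint: str, msg: bytes) -> str:
    """RFC 8484 GET: the message as unpadded base64url in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return endpoint + "?dns=" + encoded

def doh_post(msg: bytes) -> tuple:
    """RFC 8484 POST: raw message as the body, typed application/dns-message."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, msg

if __name__ == "__main__":
    query = build_query("www.example.com")
    # doh.example is a placeholder host; /dns-query is the common template path.
    print(doh_get_url("https://doh.example/dns-query", query))
    print(dot_frame(query).hex())
```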

The Rapid Development of DoE
Widely getting support from the industry.
Public DNS resolvers
DNS server software
Operating Systems
Web Browsers

The Rapid Development of DoE
Recent updates from service providers & vendors.
Firefox: DoH by default for US users
Windows: DoH available for insiders
Chrome: DoH support
Apple: DoT and DoH support added recently

Questions: from Users’ Perspective
How many DoE servers are there? Methodology: Internet-wide scanning.
How are the reachability and performance of DoE servers? Methodology: Large-scale client-side measurement.
What does the real-world usage of DoE look like? Methodology: Analysis on passive traffic.

Q1: How many servers are there?

DoE Server Discovery
DNS-over-TLS (DoT): Runs over dedicated port 853 → Internet-wide scan
DNS-over-HTTPS (DoH): Uses common URI templates (e.g., /dns-query) → URL database inspection

DNS-over-TLS Resolvers
Internet-wide probing with ZMap, getdns & OpenSSL.
ZMap: Internet-wide scan (port 853) → getdns: DoT query → OpenSSL: verify certificate chain

DNS-over-TLS Resolvers
Feb ~ May ’19: ~2K open DoT resolvers in the wild.
Several big players dominate in the count of servers.
Jul ’20: rises to 7.8k resolvers operated by 1.2K providers

DoT Resolver Certificates
Authentication relies on PKIX certificates [RFC 8310].
Invalid certificates still pose a problem.

| Item | Jul 01, 2019 | Jul 01, 2020 |
|---|---|---|
| Resolvers that use invalid certificate | 230 / 2,179 (10.6%) | 2,261 / 7,857 (28.8%) |
| Providers that have invalid certificate | 61 / 234 (26.0%) | 224 / 2,261 (9.9%) |

| Self-signed | Expired | Broken certificate chains |
|---|---|---|
| ~70% | ~15% | ~15% |

Firewalls & TLS inspection devices
1/3 expired before 2020
(As of Jul 01, 2020)
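
One way to produce this kind of tally from scan output, as an added example (not the authors' code): it parses `Verify return code` lines as printed by `openssl s_client`, buckets the OpenSSL error codes into the three categories above, and reports resolver-level and provider-level invalid counts. The log layout, provider labels, code grouping and the rule that a provider counts as invalid when any of its resolvers fails are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, not measurement data:
# "<address> <provider label> <verify line from openssl s_client>"
SAMPLE = """\
192.0.2.10 provider-a Verify return code: 0 (ok)
192.0.2.11 provider-a Verify return code: 0 (ok)
198.51.100.7 provider-b Verify return code: 18 (self-signed certificate)
198.51.100.8 provider-b Verify return code: 0 (ok)
203.0.113.5 provider-c Verify return code: 10 (certificate has expired)
203.0.113.6 provider-d Verify return code: 21 (unable to verify the first certificate)
203.0.113.9 provider-e Verify return code: 62 (hostname mismatch)
"""

# OpenSSL X509_V_ERR_* codes mapped to the slide's categories (grouping assumed).
CATEGORIES = {
    18: "self-signed",   # DEPTH_ZERO_SELF_SIGNED_CERT
    19: "self-signed",   # SELF_SIGNED_CERT_IN_CHAIN
    10: "expired",       # CERT_HAS_EXPIRED
    2: "broken chain",   # UNABLE_TO_GET_ISSUER_CERT
    20: "broken chain",  # UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "broken chain",  # UNABLE_TO_VERIFY_LEAF_SIGNATURE
}

LINE = re.compile(r"^(\S+)\s+(\S+)\s+Verify return code:\s+(\d+)\b")

def parse(log):
    """Return (address, provider, verify_code) for every well-formed line."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3))))
    return rows

def classify(code):
    """Code 0 is a valid chain; unknown failures land in 'other'."""
    if code == 0:
        return "valid"
    return CATEGORIES.get(code, "other")

def summarize(rows):
    """Invalid counts per resolver and per provider, plus failure reasons."""
    by_provider = defaultdict(list)
    reasons = Counter()
    for _addr, provider, code in rows:
        verdict = classify(code)
        by_provider[provider].append(verdict)
        if verdict != "valid":
            reasons[verdict] += 1
    bad_providers = sum(
        any(v != "valid" for v in verdicts) for verdicts in by_provider.values()
    )
    return {
        "resolvers": (sum(reasons.values()), len(rows)),
        "providers": (bad_providers, len(by_provider)),
        "reasons": dict(reasons),
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```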

DNS-over-HTTPS Providers
Large-scale URL dataset inspection.
May ’19: 17 providers found, mostly known in lists.
(DoH list maintained by the curl project)
Found 2 providers beyond the list:
dns.adguard.com
dns.233py.com
Jul ’20: 50+ URIs operated by 37 providers.
Examples:
https://1111.cloudflare-dns.com/dns-query
https://8888.google/dns-query
https://doh.defaultroutes.de/dns-query
https://ns-doh.licoho.de/dns-query
https://doh.360.cn/dns-query
https://dohtrial.att.net/dns-query
https://public.dns.iij.jp/dns-query
https://doh.xfinity.com/dns-query

Q2: Are popular services reachable?

Reachability to DoE Servers
Measurement platform built on SOCKS5 proxy network.
[Diagram: Measurement client → Super proxy → Exit nodes (proxy network) → Public DNS resolver; DNS/TCP, DoT and DoH queries are forwarded through the proxy network]
Vantage point: 114K vantage points from 2 proxy networks.

| Vantage platform | Count of IP | Count of Country | Count of AS |
|---|---|---|---|
| Global | 29,622 | 166 | 2,597 |
| China (Censored) | 85,122 | 1 (CN) | 5 |

Test items on each vantage:
Are public services reachable? Query a controlled domain via DNS/TCP, DoT & DoH.
Why do they fail? TLS certificate, open ports, webpages.

Reachability Test Results
DoE is currently less interrupted by in-path devices.
~99% global reachability.

Query failure rate:

| Vantage | Resolver | DNS/TCP | DoT | DoH |
|---|---|---|---|---|
| Global | Cloudflare | 16.5% | 1.2% | 0.1% |
| Global | Google | 15.8% | - | 0.2% |
| Global | Quad9 | 0.2% | 0.2% | 14.0% |
| China | Google | 1.1% | - | 99.9% |

Address 1.1.1.1 hijacked, e.g., by residential network devices.

Examples of 1.1.1.1 route hijacking:

| Port open | # Client | Example client AS |
|---|---|---|
| 22 (SSH) | 28 | AS17488 Hatheway IP Over Cable Internet |
| 23 (Telnet) | 40 | AS24835 Vodafone Data |
| 67 (DHCP) | 7 | AS52532 Speednet Telecomunicacoes Ldta |
| 161 (SNMP) | 10 | AS9870 Dong-eui University |
| 179 (BGP) | 23 | AS3269 Telecom Italia S.p.a |

Reachability Test Results
Forward DoH queries to DNS/53, with a small timeout.
Blocked by censorship.

Q3: Is DoE query time tolerable?

DoE lookup performance
Aim: measure the relative query time of DNS and DoE.
A major influence: connection reuse.
Specification (RFC 7858, DNS-over-TLS): “Clients and servers SHOULD reuse existing connections for subsequent queries as long as they have sufficient resources.”
Implementation:
Stub: supported by dig, kdig, Stubby, etc.
Cloudflare resolver: “long-lived” connection supported (tens of seconds)

DoE lookup performance
Vantage point: 8,257 proxy nodes from ProxyRack.
Connection reuse: only recording DNS transaction time.
[Diagram: Measurement client ↔ Proxy node ↔ Public DNS resolver; on each hop: TCP handshake, TLS handshake, DNS query, DNS response]

Performance Test Results
Tolerable query time overhead with reused connections.
On average, extra latency on the order of milliseconds.

Q4: What does DoE traffic scale look like?

DoE Traffic Observation
DNS-over-TLS (DoT): Runs over dedicated port 853 → ISP NetFlow dataset
DNS-over-HTTPS (DoH): Resolver domain name (e.g., dns.google) in URI templates → Passive DNS dataset

DNS-over-TLS Traffic
Data: 18-month NetFlow dataset from a large Chinese ISP.
Scale: still less than traditional DNS, but growing.
DoT: 2 to 3 orders of magnitude less traffic (Early 2019)
Clients: centralized clients + temp users.
[Figure: DoT traffic per client /24 netblock]
Top 20 netblocks: > 60% DoT traffic
> 95% netblocks: Active for < one week

DNS-over-HTTPS Traffic
Data: Passive DNS dataset, monthly query volume.
Big players dominate. Also a growing trend.

Traffic Observed by DNS Providers
DoT and DoH usage has grown significantly.
Cloudflare: 8% of its queries are encrypted (May 2019)
Qihoo 360: 360 DoH used by 1.2M clients (July 2020)

Recommendation
Protocol designers: Reuse well-developed protocols.
Service providers: Correct misconfigurations. Keep servers under regular maintenance.
DNS clients: Education on benefits of encryption.
Dataset & code release: Please visit https://dnsencryption.info.

Summary: Key Observations
Open DNS-over-Encryption resolvers: A number of small, less-known providers. ~28% of resolvers use invalid TLS certificates.
Client-side usability: Currently good reachability (~99%). Tolerable performance overhead with reused connections.
Real-world traffic: Has been growing significantly.