English

PDoT: Private DNS-over-TLS with TEE Support

Cryptography and Security 2019-09-26 v1

Abstract

Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there is a trend to protect DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) how do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner; and (2) how can clients trust endpoints to behave as expected? In this paper, we propose a novel Private DNS-over-TLS (PDoT ) architecture. PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment (TEE). Using Remote Attestation, DNS clients can authenticate, and receive strong assurance of trustworthiness of PDoT RecRes. We provide an open-source proof-of-concept implementation of PDoT and use it to experimentally demonstrate that its latency and throughput match that of the popular Unbound DNS-over-TLS resolver.

Keywords

Cite

@article{arxiv.1909.11601,
  title  = {PDoT: Private DNS-over-TLS with TEE Support},
  author = {Yoshimichi Nakatsuka and Andrew Paverd and Gene Tsudik},
  journal= {arXiv preprint arXiv:1909.11601},
  year   = {2019}
}

Comments

To appear: ACSAC 2019

R2 v1 2026-06-23T11:25:42.741Z