date 2018-08-20
from the gotta-love-the-initialism dept.
As the DNS-over-HTTPS (DoH) secured domain querying draft creeps towards standardisation, Mozilla has run a test to see if applying encryption brings too heavy a performance penalty.
One somewhat-surprising outcome: for some queries, performance improved using DoH.
As Mozilla discusses here, run-of-the-mill DNS requests over DoH take a small performance hit.
However, the test team believes a six millisecond slowdown is acceptable, given that users get better security and privacy out of DoH.
The experiment found that from the billion DNS requests it gathered, “the slowest DNS transactions performed much better with the new DoH based system than the traditional one – sometimes hundreds of milliseconds better.”
[...] According to this paper, presented at Usenix earlier this month, interference with DNS is depressingly common.
That paper discovered 8.5 per cent of the networks the authors tested were intercepting DNS requests, and found a large number of networks using deprecated DNS software. Mozilla's Patrick McManus (one of DoH's two authors) hypothesised two possible reasons for the speed-up.
[...] Another Mozilla developer, Daniel Stenberg, posted a list of DoH endpoints here. There are now three “big names” in the list, with PowerDNS launching its server last week.
(Score: 0) by Anonymous Coward on Friday August 31, @09:24AM (4 children)
Now I just need a reliable server with this thing that won't sell me out…
(Score: 0) by Anonymous Coward on Friday August 31, @09:35AM
Yes, now only the certificate authorities can behave like the Stasi.
(Score: 0) by Anonymous Coward on Friday August 31, @09:46AM (2 children)
How much do you want to pay for it?
You reckon an Amazon free-tier small Linux instance with an Apache logging to /dev/null and a simple PHP server side would do?
(Score: 1, Touché) by Anonymous Coward on Friday August 31, @10:20AM
Which leaves a trail of money which is even worse, unless you have some bitcoin-like currency which doesn't connect to you with any transactions.
(Score: 0) by Anonymous Coward on Friday August 31, @11:26AM
It's only free the first year.
(Score: 0) by Anonymous Coward on Friday August 31, @10:12AM
Though there appears to be a performance hit in most cases, remember that it will only be once during the TTL of the local DNS entry. After that you'll be using your local DNS cache (until the TTL expires).
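The caching point in the comment above, and the DoH exchange the article summary describes, as an added example that is not code from the article, from Mozilla, or from the commenter: it builds a DNS query in wire format, produces the RFC 8484 GET form of it (base64url with padding stripped, in the `dns` query parameter), parses an `application/dns-message` reply, and shows that a local cache keyed on the answer's TTL sends one HTTPS request per TTL window rather than one per lookup. Everything is assumed or constructed: the resolver URL `https://doh.example/dns-query` is a placeholder and not one of the endpoints on the list the article links, the resolver reply is built locally by `constructed_response` so nothing touches the network, and the cache's use of the smallest answer TTL is a simplification of what a real stub resolver does. The encoded `www.example.com` query it produces is the same string RFC 8484 uses as its GET example.

```python
import base64
import struct

# Assumed placeholder resolver URL (not one of the endpoints the article lists).
DOH_URL = "https://doh.example/dns-query"

def build_query(name, qtype=1, txid=0):
    """Encode a one-question DNS query in RFC 1035 wire format.
    RFC 8484 recommends txid 0 so identical GET URLs can be HTTP-cached."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def doh_get_url(query, base_url=DOH_URL):
    """RFC 8484 GET form: base64url, '=' padding stripped, in the dns parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end = [], None
    for _ in range(128):  # bound the walk: a pointer loop would otherwise hang
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or compression pointer loop")

def parse_response(msg):
    """Parse an application/dns-message body into [(name, rtype, ttl, rdata)]."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:
        raise ValueError(f"not a successful response (flags=0x{flags:04x})")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers

class DohCache:
    """Positive cache keyed by (name, qtype); a hit within TTL sends no request."""
    def __init__(self, fetch, clock):
        self._fetch, self._clock, self._entries, self.fetches = fetch, clock, {}, 0

    def resolve(self, name, qtype=1):
        key = (name.rstrip(".").lower(), qtype)
        now = self._clock()
        hit = self._entries.get(key)
        if hit and hit[0] > now:
            return hit[1]
        self.fetches += 1  # one HTTPS round trip per TTL window
        answers = parse_response(self._fetch(build_query(name, qtype)))
        ttl = min((a[2] for a in answers), default=0)
        if ttl > 0:
            self._entries[key] = (now + ttl, answers)
        return answers

def constructed_response(query, ip, ttl):
    """Constructed stand-in for the resolver's reply (not captured traffic):
    echo the question and answer with one A record pointing back at the qname."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return header + query[12:] + rr

def demo():
    """Three lookups over a simulated clock; returns (first answers, fetch count)."""
    clock = {"t": 0.0}
    cache = DohCache(lambda q: constructed_response(q, "192.0.2.1", 300),
                     clock=lambda: clock["t"])
    first = cache.resolve("example.com")   # cold: one DoH request
    clock["t"] += 100
    cache.resolve("example.com")           # inside the 300 s TTL: served from cache
    clock["t"] += 300
    cache.resolve("example.com")           # TTL expired: second DoH request
    return first, cache.fetches
```

To use it against a real endpoint, replace the lambda passed to `DohCache` with an HTTPS GET of `doh_get_url(q)` (sending `Accept: application/dns-message`) or a POST of the raw query with `Content-Type: application/dns-message`; the name decoder deliberately bounds its pointer walk because a malicious reply can otherwise loop a naive parser forever.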
(Score: 1, Insightful) by Anonymous Coward on Friday August 31, @12:31PM (1 child)
Yeah, DNSCrypt has The Fatal Flaw: it wasn't made by shitzilla.
(Score: 0) by Anonymous Coward on Friday August 31, @01:02PM
Even if it were made by Mozule, it must also have been made by The Right People at Mozule to be acceptable. Otherwise it goes to the chopping block like everything else they've cut out of their code base.