Sep 25, 2019

PDoT: Private DNS-over-TLS with TEE Support

arXiv:1909.11601v1 · 16 citations · Has Code
Originality: Incremental advance
AI Analysis

This paper addresses security and privacy issues in DNS for Internet users, but it is an incremental advance, since it builds on existing DNS-over-TLS by adding TEE integration.

The paper tackles the problem of authenticating and trusting DNS-over-TLS endpoints by proposing PDoT, a Private DNS-over-TLS architecture with a resolver in a Trusted Execution Environment, and demonstrates that its latency and throughput match the Unbound resolver.

Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there has been a trend to protect DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) how do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner; and (2) how can clients trust endpoints to behave as expected? In this paper, we propose a novel Private DNS-over-TLS (PDoT) architecture. PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment (TEE). Using Remote Attestation, DNS clients can authenticate, and receive strong assurance of the trustworthiness of, the PDoT RecRes. We provide an open-source proof-of-concept implementation of PDoT and use it to experimentally demonstrate that its latency and throughput match those of the popular Unbound DNS-over-TLS resolver.

Code Implementations: 1 repo