Improve default padding of responses. (!247) · Merge requests · Knot projects / Knot Resolver

Daniel Kahn Gillmor requested to merge dkg/resolver:better-padding-default into master Mar 25, 2017

At NDSS 2017's DNS privacy workshop, I presented an empirical study of DNS padding policies:

https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/dns-privacy-workshop-2017-programme#session3

The slide deck is here: https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf

The resulting recommendation from the research is that a simple padding policy is relatively cheap and still protective of metadata when DNS traffic is encrypted:

queries should be padded to a multiple of 128 octets
responses should be padded to a multiple of 468 octets

This change adjusts the default policy to match these recommendations.

I recently proposed a similar change to libknot to define a standard policy in a centralized place:

https://gitlab.labs.nic.cz/labs/knot/merge_requests/692

I'll submit a followup request to make use of that centralized policy (once kresd is willing to depend on a newer version of libknot), but please consider this proposed change first.

Admin message

Admin message

Improve default padding of responses.

Merge request reports