Improve default padding of responses. (!247) · Merge requests · Knot projects / Knot Resolver · GitLab

Snippets Groups Projects

Self sign-up has been disabled due to increased spam activity. If you want to get access, please send an email to a project owner (preferred) or at gitlab(at)nic(dot)cz. We apologize for the inconvenience.

Merged Daniel Kahn Gillmor requested to merge dkg/resolver:better-padding-default into master 8 years ago

At NDSS 2017's DNS privacy workshop, I presented an empirical study of DNS padding policies:

https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/dns-privacy-workshop-2017-programme#session3

The slide deck is here: https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf

The resulting recommendation from the research is that a simple padding policy is relatively cheap and still protective of metadata when DNS traffic is encrypted:

queries should be padded to a multiple of 128 octets
responses should be padded to a multiple of 468 octets

This change adjusts the default policy to match these recommendations.

I recently proposed a similar change to libknot to define a standard policy in a centralized place:

https://gitlab.labs.nic.cz/labs/knot/merge_requests/692

I'll submit a followup request to make use of that centralized policy (once kresd is willing to depend on a newer version of libknot), but please consider this proposed change first.

Activity

Ondřej Surý mentioned in commit 2a1bc5cd 8 years ago

mentioned in commit 2a1bc5cd
Ondřej Surý merged 8 years ago

merged
Vladimír Čunát mentioned in issue #303 (closed) 7 years ago

mentioned in issue #303 (closed)

Please register or sign in to reply