Improve default padding of responses.
At NDSS 2017's DNS privacy workshop, I presented an empirical study of DNS padding policies:
The slide deck is here: https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf
The resulting recommendation from the research is that a simple padding policy is relatively cheap and still protective of metadata when DNS traffic is encrypted:
- queries should be padded to a multiple of 128 octets
- responses should be padded to a multiple of 468 octets
This change adjusts the default policy to match these recommendations.
I recently proposed a similar change to libknot to define a standard policy in a centralized place:
I'll submit a followup request to make use of that centralized policy (once kresd is willing to depend on a newer version of libknot), but please consider this proposed change first.