Hasso-Plattner-Institut
Prof. Dr. Tilmann Rabl
 

Data Intensive Internet Computing

Summary written by Felix Hoffmann, Raihanul Sourav & Jonas Baltruschat

About the Speaker

Figure 1: Prof. Dr. Vaibhav Bajpai

Prof. Dr. Vaibhav Bajpai joined the HPI at the beginning of 2024. He and his research group are working on DIIC. Before joining the HPI, he led an independent research group at the CISPA Helmholtz Center for Information Security from 2022 to 2023. Between 2016 and 2021, he worked at the Technical University of Munich, first as a postdoctoral fellow and then as a senior researcher. He received his Master’s and PhD from Jacobs University, Bremen.

About the Lecture

This summary is based on the lecture “Data Intensive Internet Computing” by Prof. Dr. Vaibhav Bajpai from the HPI Lecture Series on HPI Research 2024.

While most people equate the Internet with the World Wide Web, the Internet is actually a complex network system that uses many protocols for data communication and transfer between peers. The DIIC research group focuses on monitoring, benchmarking, and predicting Internet operations to improve performance, reliability, and security. Internet-related research is difficult because the subject is highly technical, dynamic, and constantly evolving. The group aims to build scalable systems for large-scale Internet measurements, analyze longitudinal datasets to detect bottlenecks, and contribute to the design of new Internet protocols and architectures.

The research vision of Dr. Bajpai’s department is mainly driven by the space within the triangle of sustainability, sovereignty and hyper-connectivity. Each of these pillars has specific requirements, such as high bandwidth and resilient systems, low-latency remote interaction, and secure and private access to decentralized data and information. Each challenge has several possible measures, and technology, society, and policy all have to participate for them to succeed.

A brief look at some projects of the research portfolio helps to get a more in-depth understanding of the work done at the DIIC department.

  • Internet Architecture [5]: In this study, TP-Link routers running SamKnows’ OpenWrt-based firmware were used as probes to measure and compare network performance over IPv4 and IPv6. From 2013 to 2018, IPv4 latency fell by 29 % and IPv6 latency by 57 %, leaving the two nearly equal.

  • Content Delivery [11]: Using the same SamKnows probes, they measured the effect of Netflix’s caching system, which places content in caches close to users before it is watched. Caching halved the IP path lengths and reduced latency by one third for IPv4 and by half for IPv6.

  • Routing and Congestion [6]: Based on the collected data about content delivery, they measured the impact of congested versus uncongested networks. For YouTube on congested networks, throughput dropped by 1/4 and the startup delay increased by 1/5.

  • Internet Infrastructure [3]: The last mile refers to the connection from your router (e.g., FritzBox) to the first hop in the ISP network. The paper shows that this last mile can account for more than 10 % of the end-to-end latency.

  • Platforms [4]: To conduct valid and reproducible research, it is essential that the tools collecting the measurements can be trusted. It turns out that version 1 and 2 RIPE Atlas probes measure higher latencies than version 3 probes, so the probe generation has to be accounted for when comparing results.

  • Network Mobility [2]: This paper examines Germany’s current mobile network performance. In some regions, only EDGE connections were measured, and the median ICMP latency was greater than 55 ms.

  • Digital Sovereignty [12]: This study indicates that hyper-giant penetration (e.g., Google, Amazon) nearly doubled from 2015 to 2020 and is higher among more popular domains.

Having briefly touched on the wide range of topics on which the DIIC focuses, let us take a closer look at one particular area of interest in the research of Dr Bajpai’s department.

DNS – Security and Privacy


DNS is the most widely used naming system for communication on the Internet. Because it typically runs unencrypted over UDP, it is an attractive entry point for attacking or manipulating the communication that depends on it. Given its prevalence and attack surface, understanding how DNS has evolved in terms of security and privacy is an essential part of the research at the DIIC. The following is an outline of some key aspects of that research.

Trends and Performance in DNS Centralization

The centralization of DNS services has led to a significant change in how DNS queries are resolved, with many users moving from local ISP resolvers to public DNS services. More than 7500 RIPE Atlas probes use local ISP resolvers, while 3000 use at least one public DNS service. Google is the most popular public DNS service, followed by Cloudflare and Quad9. Around 28 % of 10624 RIPE Atlas probes use public DNS services, with 9 % using only one public DNS service.

More than 80 % of the AS paths to Google DNS resolvers have a length of 2, while paths to Cloudflare and Quad9 are mostly of length 3. In South America, the paths to public DNS services are more inflated than in other regions.

75 % of all samples show latency within 40 ms. Cloudflare and OpenDNS are faster than ISP resolvers for 50 % of the probes. Public DNS resolvers generally have inflated latencies in Africa and South America compared to Europe and North America. [9]
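The “at least one public resolver” and “only public resolvers” shares quoted above are computed from the resolver lists configured on each probe. The following added example (not code from the DIIC group or the paper) shows that classification over a constructed set of probes. The public resolver addresses are the operators’ well-known anycast addresses; everything else is treated as an ISP or local resolver, which is an assumption since no AS mapping is done here.

```python
"""Classify per-probe resolver lists into public DNS services vs. ISP/local
resolvers and compute the "any public" / "only public" shares.

Added example; the probe data below is constructed, not RIPE Atlas data.
"""
import ipaddress
from collections import Counter

# Well-known anycast addresses of the public resolvers named in the text.
PUBLIC_RESOLVERS = {
    "Google": ["8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"],
    "Cloudflare": ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"],
    "Quad9": ["9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9"],
    "OpenDNS": ["208.67.222.222", "208.67.220.220"],
}
_ADDR_TO_OPERATOR = {
    ipaddress.ip_address(a): op for op, addrs in PUBLIC_RESOLVERS.items() for a in addrs
}


def classify_resolver(addr: str) -> str:
    """Return the public operator name, or "ISP/local" for anything else.

    Private, loopback and link-local addresses are the home router (which
    forwards to the ISP); any other unknown address is assumed to be an ISP
    resolver as well, since this example has no AS mapping.
    """
    return _ADDR_TO_OPERATOR.get(ipaddress.ip_address(addr), "ISP/local")


def summarize(probes: dict) -> dict:
    """Aggregate per-probe resolver lists into the shares used in the study."""
    any_public = only_public = 0
    per_operator = Counter()
    for resolvers in probes.values():
        kinds = {classify_resolver(r) for r in resolvers}
        public = kinds - {"ISP/local"}
        if public:
            any_public += 1
            per_operator.update(public)  # a probe counts once per operator
            if "ISP/local" not in kinds:
                only_public += 1
    n = len(probes)
    return {
        "probes": n,
        "any_public": any_public,
        "only_public": only_public,
        "any_public_share": any_public / n,
        "only_public_share": only_public / n,
        "per_operator": dict(per_operator),
    }


# Constructed sample: probe id -> resolvers configured on that probe.
SAMPLE_PROBES = {
    "p1": ["192.168.1.1"],                        # home router -> ISP
    "p2": ["8.8.8.8", "8.8.4.4"],                 # Google only
    "p3": ["1.1.1.1", "192.168.0.1"],             # Cloudflare + ISP (mixed)
    "p4": ["9.9.9.9"],                            # Quad9 only
    "p5": ["62.10.20.30"],                        # ISP resolver, public IP
    "p6": ["fd00::1"],                            # home router (IPv6 ULA)
    "p7": ["2001:4860:4860::8888", "1.1.1.1"],    # Google + Cloudflare, no ISP
    "p8": ["10.0.0.1", "208.67.222.222"],         # ISP + OpenDNS (mixed)
}

if __name__ == "__main__":
    result = summarize(SAMPLE_PROBES)
    print(f"{result['any_public']}/{result['probes']} probes use at least one public resolver "
          f"({result['any_public_share']:.1%}), {result['only_public']} use only public resolvers "
          f"({result['only_public_share']:.1%})")
    print("per operator:", result["per_operator"])
```

The distinction matters when interpreting the numbers in the text: a probe that lists both its ISP resolver and Cloudflare counts toward the 28 % but not toward the 9 %, and a probe with two public operators is counted once per operator.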

Role and Challenges of DNS over TCP

DoTCP is essential for handling larger DNS responses: it is the fallback when a response does not fit into a UDP datagram. The specifications require resolvers and servers to support both DoUDP and DoTCP, but DoUDP is predominantly used [7]. DNS responses keep growing because of IPv6 and DNSSEC, which leads to truncated answers and IP fragmentation and therefore to more fallbacks to DoTCP. DoTCP is also the foundation for DoT, which runs the same TCP framing inside a TLS session and thereby encrypts DNS requests.

Failure rates for DoTCP are comparable to DoUDP for public resolvers but significantly higher for ISP resolvers, which often fail to deliver large DNS responses over TCP at all. DoTCP response times are generally slower than DoUDP, on average 37 % higher, largely because the TCP handshake costs an extra round trip before the query can be sent. TCP optimizations such as TCP Fast Open (TFO) and TCP keepalive, which could hide this cost by reusing connections, are not widely supported. [15]

Enhancing Privacy with DNS over TLS

DoT encrypts DNS queries and responses, addressing the weaknesses of traditional DNS by preventing eavesdropping and on-path manipulation. Adoption of DoT is increasing, with client support in major operating systems such as Android since 2018 and iOS/macOS since 2020. Overall adoption nevertheless remains low: less than 1 % of open DNS resolvers support DoT.

Figure 2: Medians of the 5th percentile response times by continent and resolver for DoUDP (top) and DoT (bottom) [10]

DoT exhibits higher failure rates than traditional DNS, particularly in regions such as Africa and South America. Failures are mostly timeouts and middle-box interference, and they are more frequent on local resolvers than on public ones. As shown in Figure 2, DoT also has higher response times than traditional DNS, although the median latency for the faster resolvers stays below 150 ms. Latencies are significantly higher in Africa and South America. [10]

Enhancing Performance with DNS over QUIC

What are the key advantages of QUIC over traditional TCP?

Figure 3: Handshake of QUIC compared to TCP with TLS 1.2 [1]

QUIC is a relatively new transport protocol, developed by Google, first deployed publicly in 2013 and standardized by the IETF in 2021 (RFC 9000). It offers several technical advantages over TCP: it avoids head-of-line blocking between streams, supports multiplexing, shortens connection setup, and encrypts most of its header fields by design. As shown in Figure 3, TCP with TLS 1.2 requires seven messages (the TCP handshake followed by the TLS handshake) before the first request can be sent, whereas QUIC needs a single round trip (three messages). With DoT or DoTCP, several DNS messages share one TCP byte stream; if a segment is lost or takes a slower route, TCP delivers nothing behind the gap to the application until it has been retransmitted, so every query in flight waits. QUIC runs over UDP and implements its transport logic in user space rather than in the kernel, so loss on one stream does not stall the others. QUIC also supports “connection migration”, i.e. keeping the same connection while switching networks. Because DNS connections are short-lived, this feature matters more for long, data-heavy connections [8].

How does DoQ improve speed and privacy for DNS queries?

DoQ is the natural next step, because QUIC already encrypts everything exchanged between client and server and needs fewer round trips to set up a connection [13]. DoQ thus lowers latency and removes head-of-line blocking while providing the same confidentiality as DoT. DoQ is not faster than unencrypted DNS, but among the transports that offer encryption and privacy it is the fastest. For more complex websites, measured by the number of resources such as images, CSS, and HTML, the one-time cost of setting up the encrypted DNS connection is amortized over the many queries a page load triggers [14].
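The DoTCP and DoQ sections above both turn on details of the DNS wire format: the TC (truncation) flag that forces the fallback from UDP to TCP, the 2-byte length prefix that frames messages on a byte stream (DoTCP and DoT), and the DoQ rule from RFC 9250 that the same framing is used but the DNS message ID must be 0. The following added example (not code from the DIIC group or from any of the cited papers) builds a query with an EDNS0 OPT record, detects truncation in a response and prepares the query for each transport. The sample truncated response is constructed by hand, not captured traffic, and the 1232-byte EDNS buffer size is the commonly recommended default, an assumption rather than a value from the text.

```python
"""DNS wire format across transports: DoUDP, DoTCP/DoT framing, DoQ framing.

Added example. All messages are built locally; nothing is sent on the network.
"""
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
EDNS_BUFSIZE = 1232  # assumed default; advertises how large a UDP answer may be


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, msg_id: int = 0x1234,
                edns_bufsize: int = EDNS_BUFSIZE) -> bytes:
    """Recursive query with one question and an EDNS0 OPT pseudo-record."""
    # Header: ID, flags (RD=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (1 for OPT)
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_fallback(udp_response: bytes) -> bool:
    """TC=1 means the answer did not fit in UDP: the client must retry over TCP."""
    return parse_header(udp_response)["tc"]


def frame_stream(msg: bytes) -> bytes:
    """DoTCP/DoT framing (RFC 1035, RFC 7766): 2-byte big-endian length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for stream framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_stream(data: bytes):
    """Split a byte stream into complete messages; return (messages, leftover)."""
    msgs, i = [], 0
    while i + 2 <= len(data):
        n = struct.unpack("!H", data[i:i + 2])[0]
        if i + 2 + n > len(data):
            break  # incomplete message, wait for more bytes
        msgs.append(data[i + 2:i + 2 + n])
        i += 2 + n
    return msgs, data[i:]


def for_doq(msg: bytes) -> bytes:
    """DoQ (RFC 9250): same length-prefixed framing as TCP, but ID MUST be 0;
    each query goes on its own QUIC stream, so the ID is not needed to match."""
    return frame_stream(b"\x00\x00" + msg[2:])


def constructed_truncated_response(name: str, qtype: int, msg_id: int = 0x1234) -> bytes:
    """Constructed sample: QR=1, RD=1, TC=1, RA=1, NOERROR, question echoed,
    no records, i.e. the answer exceeded the advertised UDP payload size."""
    header = struct.pack("!HHHHHH", msg_id, 0x8380, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def next_request(query: bytes, udp_response: bytes):
    """Decide what a stub resolver sends next after a UDP reply."""
    if needs_tcp_fallback(udp_response):
        return "DoTCP", frame_stream(query)
    return "done", b""


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_AAAA)
    resp = constructed_truncated_response("example.com", QTYPE_AAAA)
    print("UDP query bytes:", len(q), "| TC set:", needs_tcp_fallback(resp))
    transport, payload = next_request(q, resp)
    print("fallback:", transport, "| framed length prefix:", payload[:2].hex())
    print("DoQ payload starts with:", for_doq(q)[:4].hex())
```

The truncation check is exactly the step that fails on the ISP resolvers discussed above: a resolver that sets TC=1 but then cannot serve the query over TCP leaves the client with no usable answer. Note also that `unframe_stream` must tolerate partial reads, since a single TCP segment may carry several DNS messages or only part of one.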

Adoption of DoQ is growing, with the highest adoption rates seen in Asia (over 45 %) and Europe (over 32 %) [16]. AdGuard was the first public DNS resolver to deploy DoQ [8].

Streamlining Web Traffic with QUIC Coalescing

QUIC coalescing means reusing an already established QUIC connection not only for DNS resolution but also for the subsequent HTTP/3 data transfer, taking advantage of 0-RTT (zero round-trip time) resumption. As described in [17], this folds the DNS queries into the same connection that later carries the actual content, which removes handshakes from the critical path and reduces latency.

The main expected benefit of QUIC coalescing is a lower page load time (PLT). The study in [17] shows, under laboratory conditions, that coalescing with QUIC can reduce PLT by roughly one third over wired connections and by half over mobile connections. The gain is largest for mobile users, where network conditions are less stable and more prone to delays. By minimizing the number of round trips needed for DNS resolution and data transfer, QUIC coalescing could make web interactions noticeably faster.

Summary

The main goal of the DIIC research group is to make security effortless and intuitive by removing bottlenecks and increasing speed. The emphasis is on ensuring that security measures do not compromise performance: as the lecture stressed, if security features degrade performance, users are less likely to adopt them, so security has to be integrated seamlessly enough that widespread use does not come with a noticeable trade-off.

One key takeaway is that DNS has evolved from an unencrypted protocol into one with several encrypted transports (DoT, DoH and DoQ) that improve user security and privacy. If you have read this far, we suggest you check your router, operating system or browser and enable encrypted DNS, choosing whichever of DoT, DoH or DoQ it supports. It is as easy as flipping a switch, and the measurements above show that the added latency is small and is largely amortized during normal browsing.


References

[1] 2024. QUIC. Wikipedia.

[2] Asrese, A.S. et al. 2019. Measuring web latency and rendering performance: Method, tools, and longitudinal dataset. IEEE Transactions on Network and Service Management 16, 2 (2019), 535–549. DOI: https://doi.org/10.1109/TNSM.2019.2896710.

[3] Bajpai, V. et al. 2017. Dissecting last-mile latency characteristics. SIGCOMM Comput. Commun. Rev. 47, 5 (Oct. 2017), 25–34. DOI: https://doi.org/10.1145/3155055.3155059.

[4] Bajpai, V. et al. 2015. Lessons learned from using the RIPE Atlas platform for measurement research. SIGCOMM Comput. Commun. Rev. 45, 3 (Jul. 2015), 35–42. DOI: https://doi.org/10.1145/2805789.2805796.

[5] Bajpai, V. and Schönwälder, J. 2019. A longitudinal view of dual-stacked websites: failures, latency and happy eyeballs. IEEE/ACM Transactions on Networking 27, 2 (2019), 577–590. DOI: https://doi.org/10.1109/TNET.2019.2895165.

[6] Dhamdhere, A. et al. 2018. Inferring persistent interdomain congestion. Proceedings of the 2018 Conference of the ACM Special Interest Group on Data Communication (New York, NY, USA, 2018), 1–15.

[7] Dickinson, J. et al. 2016. DNS Transport over TCP: Implementation Requirements. RFC 7766. Internet Engineering Task Force.

[8] DNS-over-QUIC is now officially a proposed standard. 2023. https://adguard-dns.io/en/blog/dns-over-quic-official-standard.html. Accessed: 2024-06-06.

[9] Doan, T. et al. 2021. Evaluating public DNS services in the wake of increasing centralization of DNS. (Jun. 2021), 1–9.

[10] Doan, T. et al. 2021. Measuring DNS over TLS from the edge: Adoption, reliability, and response times. 192–209.

[11] Doan, T.V. et al. 2020. A longitudinal view of Netflix: Content delivery over IPv6 and content cache deployments. IEEE INFOCOM 2020 - IEEE Conference on Computer Communications (2020), 1073–1082.

[12] Doan, T.V. et al. 2022. An empirical view on consolidation of the web. ACM Trans. Internet Technol. 22, 3 (Feb. 2022). DOI: https://doi.org/10.1145/3503158.

[13] Huitema, C. et al. 2022. DNS over Dedicated QUIC Connections. RFC 9250. Internet Engineering Task Force.

[14] Kosek, M. et al. 2022. DNS Privacy with Speed? Evaluating DNS over QUIC and its Impact on Web Performance. Proceedings of the 22nd ACM Internet Measurement Conference (Oct. 2022), 44–50.

[15] Kosek, M. et al. 2022. Measuring DNS over TCP in the era of increasing DNS response sizes: A view from the edge. SIGCOMM Comput. Commun. Rev. 52, 2 (Jun. 2022), 44–55. DOI: https://doi.org/10.1145/3544912.3544918.

[16] One to Rule them All? A First Look at DNS over QUIC. 2022. http://arxiv.org/abs/2202.02987. Accessed: 2024-06-06.

[17] Sengupta, J. et al. 2023. Web Privacy By Design: Evaluating Cross-layer Interactions of QUIC, DNS and H/3. 2023 IFIP Networking Conference (IFIP Networking) (Jun. 2023), 1–9.