No D'oh! DNS-over-HTTPS passes Mozilla performance test
Privacy-protecting domain name system standard closer
As the DNS-over-HTTPS (DoH) secured domain querying draft creeps towards standardisation, Mozilla has run a test to see if applying encryption brings too heavy a performance penalty.
One somewhat-surprising outcome: for some queries, performance improved using DoH.
As Mozilla discusses here, run-of-the-mill DNS requests over DoH take a small performance hit.
However, the test team believes a six millisecond slowdown is acceptable, given that users get better security and privacy out of DoH.
The experiment found that from the billion DNS requests it gathered, “the slowest DNS transactions performed much better with the new DoH based system than the traditional one – sometimes hundreds of milliseconds better.”
“First, is the consistency of the service operation – when dealing with thousands of different operating system defined resolvers there are surely some that are overloaded, unmaintained, or forwarded to strange locations," he said. "Second, HTTP’s use of modern loss recovery and congestion control allow it to better operate on very busy or low-quality networks.”
The post said Mozilla will continue its DoH experimentation in advance of a full-scale deployment, which will in part depend on the progress of the standard.
That's drawing closer, with the IETF putting the DoH draft into the RFC editing queue earlier this month (gaining “request for comment” status formalises a document becoming an Internet standard).
In parallel with the progress of the standard, a growing number of organisations are hosting endpoints to handle DoH queries.
Another Mozilla developer, Daniel Stenberg, posted a list of DoH endpoints here. There are now three “big names” in the list, with PowerDNS launching its server last week. ®
Sponsored: Becoming a Pragmatic Security Leader