Local and Public DNS Resolvers: do you trade off performance against security?

Antonia Affinito, A. Botta, G. Ventre
DOI: https://doi.org/10.23919/ifipnetworking55013.2022.9829756
Journal: Edutech, vol. 13 1, pp. 1-9. Published: 2022-06-13. Publication type: Journal Article.
Citations: 3

Abstract

The Domain Name System (DNS) is a vital component of the Internet, used for all the operations performed over the network and, recently, also for protecting users from malicious activities. In this work, we analyze the behavior of DNS resolvers provided by three main Italian ISPs and contrast them with open, public resolvers provided by Google and Cisco. We consider two aspects. The first one is the time spent to perform a query and obtain a response from the resolvers, which has a considerable impact on the performance of most applications on the Internet. The second one is the capability to recognize domains associated with malicious activities, blocking related requests to protect users. The DNS response time is generally shorter for local resolvers since they are closer to the users. On the other hand, public resolvers are typically considered more efficient in detecting malicious domains. We performed a large number of DNS queries towards the different resolvers, both local and public, using different sets of domain names and different Internet access networks from main Italian providers. Our results confirm that the response time of local resolvers is shorter than the public ones. However, they also show that, unexpectedly, the protection level of local resolvers is largely comparable with the one of public resolvers. Consequently, you do not have to trade off security against performance. In addition, we study the impact of DNS over HTTPS, unveil the different mechanisms implemented to block users from accessing malicious domains, and assess the impact of caching on the obtained results.