artifacts-conext23-doc
Code and documentation to reproduce experimental results of the paper "Securing Name Resolution in the IoT: DNS over CoAP".
Repository
Basic Info
- Host: GitHub
- Owner: anr-bmbf-pivot
- License: lgpl-2.1
- Language: Python
- Default Branch: main
- Homepage: https://doi.org/10.1145/3609423
- Size: 310 MB
Statistics
- Stars: 1
- Watchers: 9
- Forks: 1
- Open Issues: 0
- Releases: 3
Metadata Files
README.md
Securing Name Resolution in the IoT: DNS over CoAP
This repository contains code and documentation to reproduce the experimental results as well as the raw data results of the paper "Securing Name Resolution in the IoT: DNS over CoAP" published in Proceedings of the ACM on Networking (PACMNET).
- Martine S. Lenders, Christian Amsüss, Cenk Gündogan, Marcin Nawrocki, Thomas C. Schmidt, Matthias Wählisch. 2023. Securing Name Resolution in the IoT: DNS over CoAP, Proceedings of the ACM on Networking (PACMNET) 1, CoNEXT2, Article 6 (September 2023), 25 pages. https://doi.org/10.1145/3609423
Abstract
In this paper, we present the design, implementation, and analysis of DNS over CoAP (DoC), a new proposal for secure and privacy-friendly name resolution of constrained IoT devices. We implement different design choices of DoC in RIOT, an open-source operating system for the IoT, evaluate performance measures in a testbed, compare with DNS over UDP and DNS over DTLS, and validate our protocol design based on empirical DNS IoT data. Our findings indicate that plain DoC is on par with common DNS solutions for the constrained IoT but significantly outperforms when additional standard features of CoAP are used such as caching. With OSCORE, we can save more than 10 kBytes of code memory compared to DTLS, when a CoAP application is already present, and retain the end-to-end trust chain with intermediate proxies, while leveraging features such as group communication or encrypted en-route caching. We also discuss a compression scheme for very restricted links that reduces data by up to 70%.
Repository structure & Usage
There are two directories of note in this repository:
- 03-dns-empirical/, which contains the code we used and the results we
gathered for Section 3 Empirical View on IoT DNS Traffic, and
- 05-06-evaluation/, which contains the same for Sections 5 Comparison of
Low-power DNS Transports as well as 6 Evaluation of Caching for DoC.
The third, .github/workflows/, configures the GitHub CI for regular
testing of the RIOT applications and Python scripts of this repository.
The following graphic gives a rough overview of the workflow of the artifact:
A virtual machine for VirtualBox which contains all dependencies of our scripts can be provided by running Vagrant:
```sh
vagrant plugin install vagrant-reload # This may take a few minutes
vagrant up # This also may take a few minutes
vagrant ssh
```
Then follow the instructions provided by
```sh
tshark
```
Re-login using exit and vagrant ssh again.
After that the opened terminal can be used to run our artifacts. The artifacts themselves are
already checked out in directory ~/Artifacts-CoNEXT23-DoC.
```console
(doc-eval-env) vagrant@ubuntu2204:~$ ls
Artifacts-CoNEXT23-DoC doc-eval-env
```
03-dns-empirical/
This directory contains the code we used and the results we gathered for Section 3 Empirical View on IoT DNS Traffic. We recommend reading the documentation for this directory first. For the quickest start, however, given that all requirements are installed and you provided the base data sets we used in our experiments (see subdirectory collect for more details), run:
```sh
# 1. 03-dns-empirical
cd 03-dns-empirical

# 1.1. Gather DNS data sets (only runnable if you have access to IXP dumps)
LOGDIR=${YOURIXPDUMPS} TSSTART=${STARTISODATE} TSEND=${ENDISODATE} \
    ./collect/runparallelixpdns.sh # generate ./results/ixp-data-sets/dnspacketsixp2022_week.csv.gz

# 1.2. Prepare DNS data sets
for iot_dataset in ${IOTDATASETS}; do
    ./collect/scaniotdata.py "${iot_dataset}" # Scan IoT Dataset PCAPs
done
# reformat to format corresponding the IoT Datasets
./collect/reformatdnsweek20222.py ./results/ixp-data-set/dnspacketsixp2022week.csv.gz

# 3. Analyze
# Generate plots for all filters and dataset combinations
./plot/plotiotdata_all.sh
```
Attention: These scripts may run for a while.
The CSVs and results will be updated accordingly in
03-dns-empirical/results/.
05-06-evaluation/
This directory contains the code we used and the results we gathered for Sections 5 Comparison of Low-power DNS Transports as well as 6 Evaluation of Caching for DoC. We recommend reading the documentation for this directory first. For the quickest start, however, given that all requirements are installed, run:
```sh
# 2. 05-06-evaluation
cd 05-06-evaluation/scripts

# Do experiments for Section 5
# 2.1 Prepare experiments
./expctrl/createcomp_descs.py # create descs.yaml for DNS transport comparison
# 2.2 Run experiments
./expctrl/setupexp.sh comp # run experiments for DNS transport comparison (opens a TMUX session)
# 2.3. Treat logs
./plots/parsecompresults.py # parse logs into easier to process CSVs

# Do experiments for Section 6
# 2.1 Prepare experiments
./expctrl/createmaxagedescs.py # create descs.yaml for caching evaluation
# 2.2 Run experiments
./expctrl/setupexp.sh max_age # run experiments for caching evaluation (opens a TMUX session)
# 2.3. Treat logs
./plots/parsemaxage_results.py # parse logs into easier to process CSVs
# (the graphic is simplified here, this step does not show up)
./plots/parsemaxagelinkutil.py # parse PCAPs into link utilization CSV (may run for a while)

# 2.5 Get memory profiles
# Build requester app for IoT-LAB M3 in different configuration and collect object sizes
./plots/collectbuildsizes.py
# Build requester app and Quant RIOT app for ESP32 in different configuration and collect object sizes
./plots/collectesp32build_sizes.py

# 3. Analyze
./plots/plot_all.sh
```
The logs, CSVs, and results will be updated accordingly in
05-06-evaluation/results/.
License
The program code in this repository is subject to the terms and conditions of the GNU Lesser General Public License v2.1. See the file LICENSE for more details.
The experiments result files and plots are licensed under a Creative
Commons Attribution 4.0 International License. See the LICENSE files in
03-dns-empirical/results and
05-06-evaluation/results, respectively.
Owner
- Name: PIVOT
- Login: anr-bmbf-pivot
- Kind: organization
- Website: https://pivot-project.info/
- Repositories: 4
- Profile: https://github.com/anr-bmbf-pivot
Privacy-Integrated design and Validation in the constrained IoT, funded by BMBF and ANR
Dependencies
- actions/cache main composite
- actions/checkout main composite
- actions/upload-artifact main composite
- actions/cache main composite
- actions/checkout main composite
- actions/setup-python main composite
- scapy *
- matplotlib *
- networkx *
- pandas *
- publicsuffix2 *
- pydot *
- pyyaml *
- actions/checkout main composite
- coloredlogs *
- networkx *
- numpy *
- riotctrl *
- matplotlib *
- networkx *
- pandas *
- publicsuffix2 *
- pydot *
- pyserial *
- python-dateutil *
- pyyaml *
- riotctrl *
- scapy *
- scipy *