In distributed systems, the cloud computing model is now ubiquitous: rather than hosting their computing resources on their own premises, organisations delegate management of these resources partly or entirely to third-party providers, which host them in one or more data centres. In the cloud model, the resources are organised in such a way as to abstract away the servers’ physical locations.
But this model is not always suitable: some applications require extremely low latency, which the cloud cannot provide or guarantee. Examples include telemedicine, robotics, drone piloting, cloud gaming and so on.
This need has given rise to a new model of distributed computing known as ‘edge computing’. The edge referred to is that of a private network, where it abuts the other networks forming the Internet; it is therefore a strategic point for locating services for all users of the organisation’s network with minimal latency. Thanks to the trend towards containerisation, the same service can be deployed in numerous edge networks, giving it very fast response times for the users of each one.
Furthermore, the emergence of the IoT opens up numerous opportunities in industrial use cases. But the constraints on those devices mean that it is not always possible to embed much computing power in them; intensive computation tasks are therefore sent to less-constrained servers, with which the connected objects communicate.
It is in precisely this context that 5G was conceived: one of the design goals of this new mobile telephony standard is to offer a medium suited to the requirements of new kinds of terminals. These terminals are no longer necessarily telephones but can be any connected object, and the network adjusts to their needs: very high bandwidth or very low latency.
So what are the possible benefits of 5G in industrial use cases, and how can the DNS contribute to enabling new applications? To provide answers to these questions, a project has been launched. ENE5AI, which stands for Edge Networking for Agile and Intelligent 5G Enterprises, is coordinated by Gandi and brings together 14 bodies including Afnic; it is one of the five projects selected following the call for “Sovereign solutions for telecommunications networks” in the context of the national 5G acceleration strategy.
The ENE5AI project, for validating 5G use cases
The goal of the ENE5AI project was to design a sovereign digital infrastructure on an edge architecture and based on 5G, and then to test it on five different use cases: Industry 4.0, smart grids, civil defence with the example of firefighters’ intervention in a major fire, control of water management by a regional authority and smart management of a network of data centres.
Such a complex network, connecting so many and such diverse players clearly cannot function properly without a name resolution service such as the DNS. Domain names are a useful abstraction so that network users and administrators need no longer worry about the physical location of a service.
In fact, 4G already uses domain names to identify services. An example is access to WiFi calling: a mobile phone with an Orange plan is configured to connect to a machine identified by the domain name epdg.epc.mnc001.mcc208.pub.3gppnetwork.org. This domain name identifies the Evolved Packet Data Gateway (EPDG) belonging to Orange, by way of the Mobile Country Code (MCC) 208 and the Mobile Network Code (MNC) 01, the latter zero-padded to three digits as 3GPP naming requires.
In the same way, all the functions forming a 5G backbone need a naming system, as opposed to being referenced by IP addresses: this is a necessary condition for a backbone to be able to adapt and evolve without the need to reconfigure millions of terminals every time there is a change. So in the functioning of a 5G network, the DNS is more relevant than ever.
Of course, we are no longer talking about the DNS as it was specified in 1983: the original specification of the protocol did not take security into consideration. A modern DNS resolver in edge computing must necessarily offer the security safeguards that have since been added to the DNS and that now form part of the state of the art: integrity, with DNSSEC, and confidentiality of exchanges between client and resolver, with encrypted transport.
The main forms of encrypted transport are DoT (DNS over TLS), DoH (DNS over HTTPS) and DoQ (DNS over QUIC). In fact, hidden among these three options is a fourth one, which combines the advantages of HTTPS and QUIC: DoH3, or DNS over HTTP/3.
Would DNS over HTTP/3 be the most suitable transport for 5G networks? I think so, for the following reasons.
First of all, HTTP/3 runs over the QUIC protocol rather than TCP. QUIC folds the TLS 1.3 handshake into its own connection setup, so a fresh encrypted connection is ready after a single round trip (and a resumed connection can carry data in its first flight), instead of the separate TCP and TLS handshakes that DoT and DoH over HTTP/2 require. Several studies, such as Kosek et al., 2023 and Sengupta et al., 2023, show that DoQ is a more efficient and faster form of encrypted DNS than DoH (which was specified when the latest version of HTTP was HTTP/2); since DoH3 shares QUIC’s transport, it has the potential to be just as effective as DoQ.
Lastly, the HTTP protocol is already ubiquitous in 5G backbones, since the functions constituting its control plane communicate with one another using standardised REST APIs. Since the 5G standard does not stipulate any particular version of HTTP, it would be good to make HTTP/3 the norm. The choice of HTTP/3 as DNS transport would then follow automatically.
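To make the two points above concrete, the 3GPP-style service name from the WiFi-calling example and the encrypted, DNSSEC-aware query a DoH3 client sends, here is an added example. It is written for this article and is not code from the ENE5AI project or from Afnic’s resolver. It builds the EPDG name from an MCC/MNC pair, assembles a wire-format DNS query with the EDNS DO bit set, encodes it into the RFC 8484 GET form (the same message format is used whether the HTTP layer is HTTP/2 or HTTP/3), and reads the AD flag from a response. The resolver URL is hypothetical and the response header is constructed, not captured from a real resolver.

```python
import base64
import struct


def epdg_fqdn(mcc: str, mnc: str) -> str:
    """Build the EPDG FQDN for a PLMN (3GPP TS 23.003 naming).

    MCC is always 3 digits; a 2-digit MNC is zero-padded to 3 digits,
    which is why Orange (MCC 208, MNC 01) becomes mnc001.mcc208.
    """
    if not (mcc.isdigit() and len(mcc) == 3):
        raise ValueError("MCC must be exactly 3 digits")
    if not (mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MNC must be 2 or 3 digits")
    return f"epdg.epc.mnc{mnc.zfill(3)}.mcc{mcc}.pub.3gppnetwork.org"


def encode_qname(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ended by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, dnssec_ok: bool = True) -> bytes:
    """Build a DNS query (RFC 1035) with RD set and, optionally, an EDNS OPT RR
    carrying the DO bit so the resolver returns DNSSEC records.

    The ID is fixed at 0, as RFC 8484 recommends for DoH GET requests, so that
    identical queries yield identical URLs and can be cached by HTTP caches.
    """
    flags = 0x0100  # QR=0 (query), RD=1
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", 0, flags, 1, 0, 0, arcount)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if dnssec_ok:
        # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE/version/flags with DO (0x8000) set, RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return msg


def doh_get_url(base_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the message, base64url-encoded without padding,
    in the 'dns' query parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def response_flags(response: bytes, expected_id: int = 0) -> dict:
    """Parse the header flags of a DNS response.

    AD=1 means the resolver validated the answer with DNSSEC; that bit is only
    worth trusting when the path to the resolver is itself authenticated and
    encrypted, which is what DoT/DoH/DoQ/DoH3 provide.
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != expected_id:
        raise ValueError("response ID does not match the query")
    return {
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),
        "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
    }


# Constructed sample response header (not captured from a real resolver):
# ID 0, flags 0x81A0 = QR, RD, RA and AD set, RCODE 0; one question, no RRs.
SAMPLE_VALIDATED_RESPONSE = bytes.fromhex("000081a00001000000000000")

if __name__ == "__main__":
    name = epdg_fqdn("208", "01")
    query = build_query(name)
    # Hypothetical resolver URL, not an existing service.
    print(doh_get_url("https://doh.example.net/dns-query", query))
    print(response_flags(SAMPLE_VALIDATED_RESPONSE))
```

The URL the script prints can be sent over HTTP/3 with a client that negotiates the "h3" ALPN, for instance `curl --http3 -H 'accept: application/dns-message'` against a resolver that offers DoH3, and the body that comes back is the wire-format response that `response_flags` reads. The two security properties from the previous section meet in that last step: DNSSEC gives integrity of the data (the AD bit), and the encrypted transport is what lets the client believe that bit was set by the resolver it intended to talk to.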
Afnic’s contribution: a DoH3 resolver for use in edge computing
Afnic has contributed to the ENE5AI project by designing a name resolution environment based on the DNS which would be suitable for edge networks and 5G.
In the past, Afnic Labs had already experimented with a public DoH and DoT resolver service but using HTTP/2. To migrate from HTTP/2 to HTTP/3, we had to adapt the architecture.
The resolver was also designed to be easily deployable in containerised environments. Container image size was reduced to the strict minimum, both to minimise the attack surface and to reduce the storage space needed to deploy it. It is thus possible to deploy numerous instances of this resolver close to end users.
The solution finally adopted combines several components: a resolution service and the front end that makes it reachable over HTTP/3.
Conclusion
DNS over HTTP/3 is a promising development offering confidentiality of DNS requests by users of fixed and mobile networks while keeping the extra cost of establishing encrypted sessions between terminal and resolver under control.
A resolver that can handle DoH3 and be deployed as close as possible to users is an essential element of a modern network architecture. Meanwhile we are already being promised 6G, together with the new possibilities that will bring, such as vehicular networks. What would a name resolution service look like in such a network?