Research article. DOI: 10.1145/2665943.2665959

Pretty Bad Privacy: Pitfalls of DNS Encryption

Published: 03 November 2014

Abstract

As awareness of the privacy of the Domain Name System (DNS) increases, a number of mechanisms for encrypting DNS packets have been proposed. We study the prominent defences, focusing on their privacy guarantees, interoperability with the DNS infrastructure, and efficiency overhead. In particular:
• We explore dependencies in DNS and show techniques that exploit side-channel leaks due to transitive trust, allowing information about the target domain in an encrypted DNS packet to be inferred.
• We examine common DNS server configurations and show that the proposals are expected to encounter deployment obstacles with (at least) 38% of the 50K top Alexa domains and (at least) 12% of the top-level domains (TLDs), and will disrupt DNS functionality and availability for clients.
• We show that, because they do not interoperate with caches, the proposals for end-to-end encryption may impose a prohibitive traffic overhead on the name servers.
Our work indicates that further study may be required to adjust the proposals so that they live up to their security guarantees and suit the common server configurations in the DNS infrastructure. Our study is based on the collection and analysis of the DNS traffic of the 50K top Alexa domains and 568 TLDs.



Published in: WPES '14: Proceedings of the 13th Workshop on Privacy in the Electronic Society, November 2014, 218 pages. ISBN: 9781450331487. DOI: 10.1145/2665943.

Copyright notice: Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher: Association for Computing Machinery, New York, NY, United States

Author tags

1. dns
2. dns caching
3. dns encryption
4. dns infrastructure
5. dns privacy
6. dns security
7. side channel attacks
8. transitive trust dependencies

Qualifiers: Research article

Conference: CCS'14

Acceptance rates: WPES '14 paper acceptance rate 26 of 67 submissions, 39%; overall acceptance rate 106 of 355 submissions, 30%

Cited by

• PACLASS: A Lightweight Classification Framework on DNS-Over-HTTPS. ICC 2023 - IEEE International Conference on Communications, pp. 3805-3810, 28 May 2023. DOI: 10.1109/ICC45041.2023.10279398
• Inline Traffic Analysis Attacks on DNS over HTTPS. 2022 IEEE 47th Conference on Local Computer Networks (LCN), pp. 132-139, 26 September 2022. DOI: 10.1109/LCN53696.2022.9843593
• Hide and Seek: Revisiting DNS-based User Tracking. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pp. 188-205, June 2022. DOI: 10.1109/EuroSP53844.2022.00020
• Summary of DNS Over HTTPS Abuse. IEEE Access, vol. 10, pp. 54668-54680, 2022. DOI: 10.1109/ACCESS.2022.3175497
• From IP to transport and beyond. Proceedings of the 2021 ACM SIGCOMM 2021 Conference, pp. 836-849, 9 August 2021. DOI: 10.1145/3452296.3472933
• DePL: Detecting Privacy Leakage in DNS-over-HTTPS Traffic. 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 577-586, October 2021. DOI: 10.1109/TrustCom53373.2021.00088
• DNSonChain: Delegating Privacy-Preserved DNS Resolution to Blockchain. 2021 IEEE 29th International Conference on Network Protocols (ICNP), pp. 1-11, 1 November 2021. DOI: 10.1109/ICNP52444.2021.9651951
• Privacy in the Cloud: A Survey of Existing Solutions and Research Challenges. IEEE Access, vol. 9, pp. 10473-10497, 2021. DOI: 10.1109/ACCESS.2021.3049599
• Domain name system security and privacy: A contemporary survey. Computer Networks, vol. 185, article 107699, February 2021. DOI: 10.1016/j.comnet.2020.107699
• Assessing the Privacy Benefits of Domain Name Encryption. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 290-304, 5 October 2020. DOI: 10.1145/3320269.3384728
