DOI: 10.1145/3355369.3355580
Research article, IMC Conference Proceedings

An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?

Published online: 21 October 2019

ABSTRACT

DNS packets were designed, in the protocol's original standard, to travel through the Internet unencrypted. Recent discoveries show that real-world adversaries are actively exploiting this design weakness to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we collectively term DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from industry, little has been done to understand their status from the viewpoint of global users.

This paper presents, to our knowledge, the first end-to-end, large-scale analysis of DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfactory in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception than traditional DNS, and the extra overhead is tolerable. However, we also discover several issues in how the services are operated. As an example, we find that 25% of DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users, but we have witnessed a growing trend. As such, we believe the community should push for broader adoption of DNS-over-Encryption, and we also suggest that service providers carefully review their implementations.
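The certificate problem the abstract reports (DoT providers serving invalid certificates) is something an operator can check on their own resolver. The following is an added example, not code from the paper or its measurement tooling: it builds a DNS query in wire format, frames it with the 2-byte length prefix that DNS-over-TLS (RFC 7858) shares with DNS-over-TCP, connects to port 853 with full chain and hostname verification against the system trust store, and reports whether the TLS handshake and the query succeeded. The resolver name and address in the usage line are assumptions; substitute your own.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS wire-format query (type A by default) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def frame(msg):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def parse_response(msg, txid=0x1234):
    """Return (rcode, answer_count) after checking the id and the QR bit."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, an

def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data

def check_dot_resolver(host, ip=None, port=853, name="example.com", timeout=5.0):
    """Probe one DoT resolver. A self-signed, expired or name-mismatched
    certificate makes wrap_socket() raise, so tls_ok stays False and the
    verification error is recorded instead of a DNS answer."""
    ctx = ssl.create_default_context()  # verifies chain AND hostname
    result = {"host": host, "tls_ok": False, "rcode": None, "answers": 0, "error": None}
    try:
        with socket.create_connection((ip or host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls_ok"], result["tls_version"] = True, tls.version()
                tls.sendall(frame(build_query(name)))
                length = struct.unpack("!H", _recv_exact(tls, 2))[0]
                result["rcode"], result["answers"] = parse_response(_recv_exact(tls, length))
    except (ssl.SSLCertVerificationError, OSError, ValueError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result

if __name__ == "__main__":
    # Assumed target: Cloudflare's public resolver; replace with your own DoT service.
    print(check_dot_resolver("cloudflare-dns.com", ip="1.1.1.1"))
```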

