research-article
Open access

PDoT: Private DNS-over-TLS with TEE Support

Published: 11 February 2021

    Abstract

    Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there has been a trend toward protecting DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) How do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner? and (2) How can clients trust endpoints to behave as expected? In this article, we propose a novel Private DNS-over-TLS (PDoT) architecture. PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment. Using Remote Attestation, DNS clients can authenticate the PDoT RecRes and receive strong assurance of its trustworthiness. We provide an open source proof-of-concept implementation of PDoT and experimentally demonstrate that its latency and throughput match those of the popular Unbound DNS-over-TLS resolver.


    Cited By

    • (2023) DID We Miss Anything?: Towards Privacy-Preserving Decentralized ID Architecture. IEEE Transactions on Dependable and Secure Computing 20:6 (4881-4898). DOI: 10.1109/TDSC.2023.3235951. Online publication date: Nov-2023
    • (2022) A Survey on DNS Encryption: Current Development, Malware Misuse, and Inference Techniques. ACM Computing Surveys 55:8 (1-28). DOI: 10.1145/3547331. Online publication date: 13-Jul-2022
    • (2022) Towards Automated Auditing for Account and Session Management Flaws in Single Sign-On Deployments. 2022 IEEE Symposium on Security and Privacy (SP) (1774-1790). DOI: 10.1109/SP46214.2022.9833753. Online publication date: May-2022

    Published In

    Digital Threats: Research and Practice  Volume 2, Issue 1
    Special Issue on ACSAC'19: Part 2
    March 2021
    160 pages
    EISSN:2576-5337
    DOI:10.1145/3447873

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 11 February 2021
    Accepted: 01 October 2020
    Revised: 01 September 2020
    Received: 01 May 2020
    Published in DTRAP Volume 2, Issue 1


    Author Tags

    1. Domain name system
    2. privacy
    3. trusted execution environment

    Qualifiers

    • Research-article
    • Research
    • Refereed
