research-article

Open access

PDoT: Private DNS-over-TLS with TEE Support

Authors:

Yoshimichi Nakatsuka,

Andrew Paverd, and

Gene TsudikAuthors Info & Claims

Digital Threats: Research and Practice , Volume 2, Issue 1

Article No.: 3, Pages 1 - 22

https://doi.org/10.1145/3431171

Published: 11 February 2021 Publication History

All formats PDF

Abstract

Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there is a trend to protect DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) How do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner? and (2) How can clients trust endpoints to behave as expected? In this article, we propose a novel Private DNS-over-TLS (PDoT) architecture. PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment. Using Remote Attestation, DNS clients can authenticate and receive strong assurance of trustworthiness of PDoT RecRes. We provide an open source proof-of-concept implementation of PDoT and experimentally demonstrate that its latency and throughput match that of the popular Unbound DNS-over-TLS resolver.

References

[1]

2009. Introduction to DNSCurve. Retrieved May 29, 2019 from https://dnscurve.org/index.html.

[2]

G. Acs, M. Conti, P. Gasti, C. Ghali, and G. Tsudik. 2013. Cache privacy in named-data networking. In Proceedings of the 2013 IEEE 33rd International Conference on Distributed Computing Systems. 41--51.

[3]

Fritz Alder, N. Asokan, Arseny Kurnikov, Andrew Paverd, and Michael Steiner. 2019. S-FaaS: Trustworthy and accountable function-as-a-service using Intel SGX. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW’19).

[4]

Darren Anstee. 2020. Disappearing DNS: DoT and DoH, Where One Letter Makes a Great Difference. Retrieved May 15, 2020 from https://www.securitymagazine.com/articles/91674-disappearing-dns-dot-and-doh-where-one-letter-makes-a-great-difference.

[5]

R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. 2005. DNS Security Introduction and Requirements. Technical Report.

[6]

ARM. 2009. ARM Security Technology—Building a Secure System using TrustZone Technology. Retrieved May 29, 2019 from http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.prd29-genc-009492c/index.html.

[7]

S. Bortzmeyer. 2016. DNS Query Name Minimisation to Improve Privacy. Technical Report.

[8]

S Bortzmeyer. 2018. Encryption and authentication of the DNS resolver-to-authoritative communication. Retrieved from https://tools.ietf.org/html/draft-bortzmeyer-dprive-resolver-to-auth-01.

[9]

Jon Brodkin. 2020. Firefox turns encrypted DNS on by default to thwart snooping ISPs. Retrieved May 15, 2020 from https://arstechnica.com/information-technology/2020/02/firefox-turns-encrypted-dns-on-by-default-to-thwart-snooping-isps/.

[10]

Sergio Castillo-Perez and Joaquin Garcia-Alfaro. 2008. Anonymous Resolution of DNS Queries. Springer, Berlin, 987--1000.

[11]

V. G. Cerf. 1991. Guidelines for Internet Measurement Activities. Technical Report.

[12]

Cloudflare. DNS over TLS—Cloudflare Resolver. Retrieved May 29, 2019 from https://1.1.1.1/dns/.

[13]

Cloudflare. [n.d.]. 1.1.1.1 Resolver Examination Report. Retrieved from https://www.cloudflare.com/compliance/.

[14]

Cloudflare. [n.d.]. Announcing 1.1.1.1: The Fastest, Privacy-first Consumer DNS Service. Retrieved from https://blog.cloudflare.com/announcing-1111/.

[15]

Cloudflare. [n.d.]. Announcing the Results of the 1.1.1.1 Public DNS Resolver Privacy Examination. Retrieved from https://blog.cloudflare.com/announcing-the-results-of-the-1-1-1-1-public-dns-resolver-privacy-examination/.

[16]

Manuel Costa, Lawrence Esswood, Olga Ohrimenko, Felix Schuster, and Sameer Wagh. 2017. The pyramid scheme: Oblivious RAM for trusted processors. arXiv:1712.07882. Retrieved from https://arxiv.org/abs/1712.07882.

[17]

Victor Costan, Ilia Lebedev, and Srinivas Devadas. 2016. Sanctum: Minimal Hardware Extensions for Strong Software Isolation. 857--874. https://www.usenix.org/conference/usenixsecurity16/technicalsessions/presentation/costan.

[18]

cs.nic. 2019. Knot Resolver. Retrieved May 29, 2019 from https://www.knot-resolver.cz/.

[19]

T. Dierks and E. Rescorla. 2008. The Transport Layer Security (TLS) Protocol Version 1.2. Technical Report.

[20]

Huayi Duan, Cong Wang, Xingliang Yuan, Yajin Zhou, Qian Wang, and Kui Ren. 2017. LightBox: Full-stack protected stateful middlebox at lightning speed. arxiv:1706.06261. Retrieved from http://arxiv.org/abs/1706.06261.

[21]

D. Eastlake. 2013. Domain Name System (DNS) IANA Considerations. Technical Report.

[22]

Annie Edmundson, Paul Schmitt, and Nick Feamster. 2018. ODNS: Oblivious DNS. Retrieved May 29, 2019 from https://odns.cs.princeton.edu/.

[23]

Hannes Federrath, Karl-Peter Fuchs, Dominik Herrmann, and Christopher Piosecny. 2011. Privacy-preserving DNS: Analysis of Broadcast, Range Queries and Mix-based Protection Methods. Springer, Berlin, 665--683.

[24]

David Goltzsche, Signe Rusch, Manuel Nieke, Sebastien Vaucher, Nico Weichbrodt, Valerio Schiavoni, Pierre-Louis Aublin, Paolo Cosa, Christof Fetzer, Pascal Felber, Peter Pietzuch, and Rudiger Kapitza. 2018. EndBox: Scalable middlebox functions using client-side trusted execution. In Proceedings of the 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’18). IEEE, 386--397.

[25]

Google. 2018. DNS over TLS Support in Android P Developer Preview. Retrieved May 29, 2019 from https://security.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html.

[26]

P. Hoffman. 2018. DNS Queries Over HTTPS (DoH). Technical Report.

[27]

P. Hoffman and P. McManus. 2018. DNS Queries over HTTPS (DoH).

[28]

Rebekah Houser, Zhou Li, Chase Cotton, and Haining Wang. 2019. An investigation on information leakage of DNS over TLS. In Proceedings of the 15th International Conference on Emerging Networking Experiments and Technologies (CoNEXT’19). Association for Computing Machinery, Inc., New York, NY, 123--137.

Digital Library

[29]

Zi Hu, Liang Zhu, John Heidemann, Allison Mankin, Duane Wessels, and P. Hoffman. 2016. Specification for DNS over Transport Layer Security (TLS). Technical Report.

[30]

Tommy Jensen, Ivan Pashov, and Gabriel Montenegro. 2019. Windows Will Improve User Privacy with DNS over HTTPS. Retrieved May 15, 2020 from https://techcommunity.microsoft.com/t5/networking-blog/windows-will-improve-user-privacy-with-dns-over-https/ba-p/1014229.

[31]

Thomas Knauth, Michael Steiner, Somnath Chakrabarti, Li Lei, Cedric Xing, and Mona Vij. 2018. Integrating remote attestation with transport layer security. arxiv:1801.05863. Retrieved from http://arxiv.org/abs/1801.05863.

[32]

SPROUT Lab. 2019. PDoT Source Code. Retrieved from https://github.com/sprout-uci/PDoT.

[33]

NLnet Labs. Stubby. Retrieved May 29, 2019 from https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby.

[34]

NLnet Labs. Unbound. Retrieved May 29, 2019 from https://nlnetlabs.nl/projects/unbound/about/.

[35]

Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B. Lee. 2015. Last-level cache side-channel attacks are practical. In Proceedings of the 2015 IEEE Symposium on Security and Privacy. IEEE, 605--622.

[36]

Chaoyi Lu, Baojun Liu, Zhou Li, Shuang Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Ying Liu, Zaifeng Zhang, and Jianping Wu. 2019. An end-to-end, large-scale measurement of DNS-over-encryption: How far have we come? In Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC. Association for Computing Machinery, New York, NY, 22--35.

[37]

Y. Lu and G. Tsudik. 2010. Towards plugging privacy leaks in the domain name system. In Proceedings of the 2010 IEEE 10th International Conference on Peer-to-Peer Computing (P2P’10). IEEE, 1--10.

[38]

Majestic. 2012. Majestic Million. Retrieved from https://blog.majestic.com/development/majestic-million-csv-daily/.

[39]

Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R. Savagaonkar. 2013. Innovative instructions and software model for isolated execution. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (HASP’13). ACM Press, New York, New York, 1 page.

[40]

Microsoft. 2017. Introducing Azure Confidential Computing. Retrieved May 29, 2019 https://azure.microsoft.com/en-us/blog/introducing-azure-confidential-computing/.

[41]

P. V. Mockapetris. 1987. Domain Names—Implementation and Specification. Technical Report.

[42]

DNSCrypt Project. 2019. DNSCrypt. Retrieved May 29, 2019 from https://dnscrypt.info/.

[43]

Sajin Sasy, Sergey Gorbunov, and Christopher W. Fletcher. 2017. ZeroTrace: Oblivious memory primitives from Intel SGX. IACR Cryptology ePrint Archive 2017 (2017), 549.

[44]

Ming-Wei Shih, Sangho Lee, Taesoo Kim, and Marcus Peinado. 2017. T-SGX: Eradicating controlled-channel attacks against enclave programs. In Proceedings of the Network and Distributed System Security Symposium (NDSS’17).

[45]

Haya Shulman and Haya. 2014. Pretty bad privacy: Pitfalls of DNS encryption. In Proceedings of the 13th Workshop on Privacy in the Electronic Society (WPES’14). ACM Press, New York, NY, 191--200.

[46]

Sandra Siby, Marc Juarez, Claudia Diaz, Narseo Vallina-Rodriguez, and Carmela Troncoso. 2020. Encrypted DNS --> Privacy? A traffic analysis perspective. In Proceedings of the Network and Distributed System Security Symposium (NDSS’20). arxiv:1906.09682

[47]

Sandeep Tamrakar, Jian Liu, Andrew Paverd, Jan-Erik Ekberg, Benny Pinkas, and N. Asokan. 2017. The circle game: Scalable private membership test using trusted hardware. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (ASIA CCS’17).

[48]

Bohdan Trach, Alfred Krohmer, Franz Gregor, Sergei Arnautov, Pramod Bhatotia, and Christof Fetzer. 2018. ShieldBox: Secure middleboxes using shielded execution. In Proceedings of the Symposium on SDN Research (SOSR’18). ACM Press, New York, New York, 1--14.

[49]

Yuanzhong Xu, Weidong Cui, and Marcus Peinado. 2015. Controlled-channel attacks: Deterministic side channels for untrusted operating systems. In Proceedings of the 2015 IEEE Symposium on Security and Privacy. IEEE, 640--656.

[50]

Fangming Zhao, Yoshiaki Hori, and Kouichi Sakurai. 2007. Analysis of privacy disclosure in DNS query. In Proceedings of the 2007 International Conference on Multimedia and Ubiquitous Engineering (MUE’07). IEEE, 952--957.

Digital Library

[51]

Fangming Zhao, Yoshiaki Hori, and Kouichi Sakurai. 2007. Two-servers PIR based DNS query scheme with privacy-preserving. In Proceedings of the 2007 International Conference on Intelligent Pervasive Computing (IPC’07). IEEE, 299--302.

Digital Library

[52]

Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, and Nikita Somaiya. 2015. Connection-oriented DNS to improve privacy and security. In Proceedings of the 2015 IEEE Symposium on Security and Privacy. IEEE, 171--186.

Digital Library

Cited By

Huh SShim MLee JWoo SKim HLee H(2023)DID We Miss Anything?: Towards Privacy-Preserving Decentralized ID ArchitectureIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.323595120:6(4881-4898)Online publication date: Nov-2023
https://doi.org/10.1109/TDSC.2023.3235951
Lyu MGharakheili HSivaraman V(2022)A Survey on DNS Encryption: Current Development, Malware Misuse, and Inference TechniquesACM Computing Surveys10.1145/354733155:8(1-28)Online publication date: 13-Jul-2022
https://dl.acm.org/doi/10.1145/3547331
Ghasemisharif MKanich CPolakis J(2022)Towards Automated Auditing for Account and Session Management Flaws in Single Sign-On Deployments2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833753(1774-1790)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833753

Index Terms

PDoT: Private DNS-over-TLS with TEE Support
1. Security and privacy

Recommendations

PDoT: private DNS-over-TLS with TEE support
ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference

Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there is a trend to protect DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) how do clients ...
Read More
Securing DNS: Extending DNS Servers with a DNSSEC Validator

DNS Security Extensions (DNSSEC) is a proposed standard for securely authenticating information in the Domain Name System. DNSSEC validators check the digital signatures on DNS data. However, designing a validator worth the operational costs is a ...
Read More
Measurement for encrypted open resolvers: Applications and security
Abstract
Encrypted DNS has been proposed to mitigate the vulnerability of traditional DNS to surveillance and tampering. Some encrypted DNS protocols, like DNS over HTTPS (DoH) and DNS over TLS (DoT), have been promoted by the community and ...
Read More

Comments

Information & Contributors

Information

Published In

cover image Digital Threats: Research and Practice

Digital Threats: Research and Practice Volume 2, Issue 1

Special Issue on ACSAC'19: Part 2

March 2021

160 pages

EISSN:2576-5337

DOI:10.1145/3447873

Editors:
Arun Lakhotia
University of Louisiana at Lafayette and Cythereal, USA
,
Leigh Metcalf
CERT, USA

Issue’s Table of Contents

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 February 2021

Accepted: 01 October 2020

Revised: 01 September 2020

Received: 01 May 2020

Published in DTRAP Volume 2, Issue 1

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

NSF (National Science Foundation)

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
1,040
Total Downloads

Downloads (Last 12 months)227
Downloads (Last 6 weeks)19

Other Metrics

View Author Metrics

Citations

Cited By

Huh SShim MLee JWoo SKim HLee H(2023)DID We Miss Anything?: Towards Privacy-Preserving Decentralized ID ArchitectureIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.323595120:6(4881-4898)Online publication date: Nov-2023
https://doi.org/10.1109/TDSC.2023.3235951
Lyu MGharakheili HSivaraman V(2022)A Survey on DNS Encryption: Current Development, Malware Misuse, and Inference TechniquesACM Computing Surveys10.1145/354733155:8(1-28)Online publication date: 13-Jul-2022
https://dl.acm.org/doi/10.1145/3547331
Ghasemisharif MKanich CPolakis J(2022)Towards Automated Auditing for Account and Session Management Flaws in Single Sign-On Deployments2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833753(1774-1790)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833753

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Media

Figures

Other

Tables

View Issue’s Table of Contents