DOI: 10.1145/3473604.3474563
Research article, Open Access

Exploring Simple Detection Techniques for DNS-over-HTTPS Tunnels

Published:27 August 2021

ABSTRACT

While DNS tunneling has shown promise as a censorship circumvention technique, it is limited by the plaintext nature of the DNS protocol, which renders it easily detectable to censors. DNS-over-HTTPS (DoH) [16] resolves this detectability obstacle by encrypting the entire DNS protocol inside HTTPS. DoH tunneling shows promise as a medium for circumvention as its adoption increases in everyday usage, but it may still be vulnerable to flow-based attacks. This paper explores the design space of threshold-based attacks and defences on encrypted DNS tunnels. We identify thresholds separating tunnel traffic from browser-generated DoH traffic using packet size, packet rate, and throughput. We further propose modifications for encrypted DNS tunnels to evade flow-based detection and measure the reduction in usability. Notably, throughput is decreased by at least 27x and page load time is increased by at least 23x. However, despite the cutback in usability, we outline the potential for DNS tunnels to work in conjunction with, and obfuscate the registration traffic of, other anti-censorship tools.
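The threshold-based detector the abstract describes, written out as an added example (this is not code from the paper, from dnstt, or from any tool it cites). Each flow is reduced to the three features named above, mean packet size, packet rate and throughput, and compared against per-feature thresholds. The `Flow` record, the `features`/`classify`/`throughput_reduction` helpers, the threshold values in `THRESHOLDS` and the three sample flows are all constructed for illustration; the paper's own thresholds and measurements are not reproduced here. The third sample flow shows the defensive side of the same design space: a tunnel that pads its packets to browser-like sizes and rate-limits itself slips under the thresholds, at a large throughput cost of the kind the abstract reports.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass
class Flow:
    """One client->resolver DoH flow summarised per packet (constructed record type)."""
    name: str
    sizes: List[int]      # TLS record payload size of each client packet, in bytes
    duration_s: float     # wall-clock span of the flow, in seconds


# Constructed thresholds for illustration only; the paper derives its own values
# from measured browser and tunnel traffic, and those are not reproduced here.
THRESHOLDS = {
    "mean_size_bytes": 500.0,   # browser DoH queries are small; tunnel frames fill the record
    "packet_rate_pps": 5.0,     # browsers resolve names in bursts; tunnels poll continuously
    "throughput_bps": 2000.0,   # sustained bytes per second is the coarsest separator
}


def features(flow: Flow) -> Dict[str, float]:
    """Compute the three flow features the detector thresholds on."""
    return {
        "mean_size_bytes": mean(flow.sizes),
        "packet_rate_pps": len(flow.sizes) / flow.duration_s,
        "throughput_bps": sum(flow.sizes) / flow.duration_s,
    }


def classify(flow: Flow, thresholds: Dict[str, float] = THRESHOLDS) -> Dict[str, bool]:
    """Flag each feature that exceeds its threshold; any exceedance marks the flow as a tunnel."""
    f = features(flow)
    verdict = {k: f[k] > thresholds[k] for k in thresholds}
    verdict["tunnel"] = any(verdict.values())
    return verdict


def throughput_reduction(original: Flow, shaped: Flow) -> float:
    """Factor by which shaping lowered throughput relative to the unshaped tunnel."""
    return features(original)["throughput_bps"] / features(shaped)["throughput_bps"]


# Constructed sample flows, each spanning 60 seconds.
BROWSER = Flow("browser-doh", [90, 110, 130, 95, 120] * 8, 60.0)   # 40 small name lookups
TUNNEL = Flow("raw-tunnel", [1200] * 600, 60.0)                    # 10 full frames per second
SHAPED = Flow("shaped-tunnel", [120] * 150, 60.0)                  # padded to browser-like sizes, rate-limited


if __name__ == "__main__":
    for flow in (BROWSER, TUNNEL, SHAPED):
        print(flow.name, features(flow), classify(flow))
    print("throughput cost of shaping: %.0fx" % throughput_reduction(TUNNEL, SHAPED))
```

With these constructed flows the raw tunnel trips all three thresholds, the browser flow trips none, and the shaped tunnel also trips none but delivers 40 times less throughput than the raw tunnel, which is the usability trade-off the abstract quantifies for its own modifications. A real deployment would set the thresholds from measured traffic and would want a longer observation window than a single flow, since short bursts of browser lookups can briefly exceed a rate threshold.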

References

  1. Sadia Afroz and David Fifield. 2015. Timeline of Tor Censorship. http://www1.icsi.berkeley.edu/~sadia/tor_timeline.pdf. Accessed March 2021.
  2. Qurat-Ul-Ann Danyal Akbar, Marcel Flores, and Aleksandar Kuzmanovic. 2016. DNS-sly: Avoiding Censorship through Network Complexity. In 6th USENIX Workshop on Free and Open Communications on the Internet, FOCI '16, Austin, TX, USA, August 8, 2016, Amir Houmansadr and Prateek Mittal (Eds.). USENIX Association. https://www.usenix.org/conference/foci16/workshop-program/presentation/akbar
  3. Marc Bevand. 2016. My Experience With the Great Firewall of China. https://blog.zorinaq.com/my-experience-with-the-great-firewall-of-china/. Accessed May 2021.
  4. Timm Böttger, Felix Cuadrado, Gianni Antichi, Eder Leão Fernandes, Gareth Tyson, Ignacio Castro, and Steve Uhlig. 2019. An Empirical Study of the Cost of DNS-over-HTTPS. In Proceedings of the Internet Measurement Conference. 15--21.
  5. Ron Bowes. 2013. dnscat2. https://github.com/iagox86/dnscat2.
  6. Erik Ekman and Bjorn Andersson. 2006. Iodine. https://code.kryo.se/iodine/. Accessed March 2021.
  7. Wendy Ellens, Piotr Zuraniewski, Anna Sperotto, Harm Schotanus, Michel Mandjes, and Erik Meeuwissen. 2013. Flow-Based Detection of DNS Tunnels. In Emerging Management Mechanisms for the Future Internet - 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2013, Barcelona, Spain, June 25-28, 2013. Proceedings (Lecture Notes in Computer Science, Vol. 7943), Guillaume Doyen, Martin Waldburger, Pavel Celeda, Anna Sperotto, and Burkhard Stiller (Eds.). Springer, 124--135. https://doi.org/10.1007/978-3-642-38998-6_16
  8. Greg Farnham and Antonios Atlasis. 2013. Detecting DNS tunneling. SANS Institute InfoSec Reading Room 9 (2013), 1--32.
  9. David Fifield. 2017. Threat modeling and circumvention of Internet censorship. Ph.D. Dissertation. University of California, Berkeley.
  10. David Fifield. 2020. dnstt. https://www.bamsoftware.com/software/dnstt/index.html
  11. David Fifield. 2020. Turbo Tunnel, a good way to design censorship circumvention protocols. In 10th USENIX Workshop on Free and Open Communications on the Internet, FOCI 2020, August 11, 2020, Roya Ensafi and Hans Klein (Eds.). USENIX Association. https://www.usenix.org/conference/foci20/presentation/fifield
  12. Sergey Frolov, Jack Wampler, Sze Chuen Tan, J. Alex Halderman, Nikita Borisov, and Eric Wustrow. 2019. Conjure: Summoning Proxies from Unused Address Space. In Computer and Communications Security. ACM. https://jhalderm.com/pub/papers/conjure-ccs19.pdf
  13. Sergey Frolov and Eric Wustrow. 2019. The use of TLS in Censorship Circumvention. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019. The Internet Society. https://www.ndss-symposium.org/ndss-paper/the-use-of-tls-in-censorship-circumvention/
  14. Serene Han. 2011. Snowflake Technical Overview. https://keroserene.net/snowflake/technical. Accessed 8 June 2018.
  15. Firefox Help. 2019. DNS-over-HTTPS (DoH) FAQs. https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs. Accessed April 2021.
  16. Paul Hoffman and Patrick McManus. 2018. DNS Queries over HTTPS (DoH). RFC 8484. IETF Tools. https://tools.ietf.org/html/rfc8484
  17. A. Houmansadr, C. Brubaker, and V. Shmatikov. 2013. The Parrot Is Dead: Observing Unobservable Network Communications. In 2013 IEEE Symposium on Security and Privacy. 65--79. https://doi.org/10.1109/SP.2013.14
  18. Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels, and P. Hoffman. 2016. Specification for DNS over Transport Layer Security (TLS). RFC 7858. IETF Tools. https://tools.ietf.org/html/rfc7858
  19. Mohammadreza MontazeriShatoori, Logan Davidson, Gurdip Kaur, and Arash Habibi Lashkari. 2020. Detection of DoH Tunnels using Time-series Classification of Encrypted Traffic. In 2020 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech). 63--70. https://doi.org/10.1109/DASC-PICom-CBDCom-CyberSciTech49142.2020.00026
  20. Ramakrishna Padmanabhan, Alberto Dainotti, Nima Fatemi, Arturo Filastò, Maria Xynou, and Simone Basso. 2019. Iran's nation-wide Internet blackout: Measurement data and technical observations. https://ooni.org/post/2019-iran-internet-blackout/
  21. Michael Carl Tschantz, Sadia Afroz, anonymous, and Vern Paxson. 2016. SoK: Towards Grounding Censorship Circumvention in Empiricism. In IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22-26, 2016. IEEE Computer Society, 914--933. https://doi.org/10.1109/SP.2016.59
  22. Dmitrii Vekshin, Karel Hynek, and Tomas Cejka. 2020. DoH Insight: Detecting DNS over HTTPS by Machine Learning. In Proceedings of the 15th International Conference on Availability, Reliability and Security (Virtual Event, Ireland) (ARES '20). Association for Computing Machinery, New York, NY, USA, Article 87, 8 pages. https://doi.org/10.1145/3407023.3409192
  23. Cathy Wang, Paul Janiszewski, Shela Qiu, and Carmen Kwan. 2021. dnstt-uTLS Fork. https://github.com/pjanisze/dnstt-uTLS.
  24. Liang Wang, Kevin P. Dyer, Aditya Akella, Thomas Ristenpart, and Thomas Shrimpton. 2015. Seeing through Network-Protocol Obfuscation. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (Denver, Colorado, USA) (CCS '15). Association for Computing Machinery, New York, NY, USA, 57--69. https://doi.org/10.1145/2810103.2813715
  25. Eric Wustrow, Colleen M. Swanson, and J. Alex Halderman. 2014. TapDance: End-to-middle Anticensorship Without Flow Blocking. In 23rd USENIX Security Symposium (San Diego, CA). 159--174. http://dl.acm.org/citation.cfm?id=2671225.2671236
  26. Irvan Zhan. 2015. DNSCatProxy. https://github.com/izhan/dnstun_pt.

Published in

FOCI '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Free and Open Communications on the Internet
August 2021, 59 pages
ISBN: 9781450386401
DOI: 10.1145/3473604
Copyright © 2021 Owner/Author
Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 27 August 2021
• Online: 23 August 2021

Qualifiers

• research-article
• Research
• Refereed limited