Chaoyi Lu
ABSTRACT
DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users.
This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.
- [n. d.]. Cisco IOS NetFlow. https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-netflow/index.html.Google Scholar
- [n. d.]. Cloudflare Resolver. https://cloudflare-dns.com/.Google Scholar
- [n. d.]. DNSCrypt-proxy 2. https://github.com/jedisct1/dnscrypt-proxy.Google Scholar
- [n. d.]. Google Public DNS. https://developers.google.com/speed/public-dns/.Google Scholar
- [n. d.]. HTTP and SOCKS PROXIES. https://www.proxyrack.com/.Google Scholar
- [n. d.]. Knot DNS. https://www.knot-dns.cz/.Google Scholar
- [n. d.]. Latest 1.1.1.1 Topics - Cloudflare Community. https://community.cloudflare.com/c/reliability/1111.Google Scholar
- [n. d.]. Let's Encrypt - Free SSL/TLS Certificates. https://letsencrypt.org.Google Scholar
- [n. d.]. OpenNIC Project. https://www.opennic.org/.Google Scholar
- [n. d.]. Zhima Proxy. http://h.zhimaruanjian.com/.Google Scholar
- 2013. DNSCrypt version 2 protocol specification. https://dnscrypt.info/protocol.Google Scholar
- 2014. The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics. https://theintercept.com/document/2014/03/12/nsa-gchqs-quantumtheory-hacking-tactics/.Google Scholar
- 2018. OpenSSL Cryptography and SSL/TLS toolkit. https://www.openssl.org/.Google Scholar
- 2018. Quad9 DNS: Internet Security & Privacy In a Few Easy Steps. https://www.quad9.net/.Google Scholar
- 2018. WLC Virtual IP address 1.1.1.1. https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213535-wlc-virtual-ip-address-1-1-1-1.html.Google Scholar
- 2019. 360 PassiveDNS. https://passivedns.cn/help/.Google Scholar
- 2019. Getdns API. https://github.com/getdnsapi/getdns.Google Scholar
- 2019. Luminati: Residental Proxy Service for Businesses. https://luminati.io.Google Scholar
- 2019. MOZILLA Included CA Certificate List. https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport.Google Scholar
- 2019. NetworkScan Mon. https://scan.netlab.360.com/#/dashboard.Google Scholar
- 2019. NLnetLabs - Unbound. https://www.nlnetlabs.nl/projects/unbound/about/.Google Scholar
- 2019. Passive DNS historical internet database: Farsight DNSDB. https://www.farsightsecurity.com/solutions/dnsdb/Google Scholar
- 2019. RIPE Atlas - RIPE Network Coordination Centre. https://atlas.ripe.net/.Google Scholar
- 2019. Systemd - News. https://github.com/systemd/systemd/blob/master/NEWS.Google Scholar
- 2019. Yandex.DNS. https://dns.yandex.com/.Google Scholar
- Mark Allman. 2016. Detecting DNS Root Manipulation. In PAM 2016, Heraklion, Greece, March 31-April 1, 2016. Proceedings, Vol. 9631. Springer, 276.Google Scholar
- Anonymous. 2014. Towards a Comprehensive Picture of the Great Firewall's DNS Censorship. In FOCI 14. USENIX Association, San Diego, CA. https://www.usenix.org/conference/foci14/workshop-program/presentation/anonymousGoogle Scholar
- APNIC. 2019. DNSSEC Measurement Maps. https://stats.labs.apnic.net/dnssec.Google Scholar
- Stephane Bortzmeyer. 2015. DNS privacy considerations. Technical Report.Google Scholar
- Stephane Bortzmeyer. 2016. DNS query name minimisation to improve privacy. Technical Report.Google Scholar
- Jon Brodkin. 2018. AT&T explains why it blocked Cloudflare DNS: It was just an accident. https://arstechnica.com/information-technology/2018/05/att-is-blocking-cloudflares-privacy-focused-dns-calls-it-an-accident/.Google Scholar
- Deliang Chang, Qianli Zhang, and Xing Li. 2015. Study on os fingerprinting and nat/tethering based on dns log analysis. In IRTF & ISOC Workshop on Research and Applications of Internet Measurements (RAIM).Google Scholar
- Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce M Maggs, Alan Mislove, and Christo Wilson. 2017. A Longitudinal, End-to-End View of the {DNSSEC} Ecosystem. In 26th { USENIX} Security Symposium ({USENIX} Security 17). 1307--1322.Google Scholar
- Internet Systems Consortuim. 2019. BIND 9 Open Source DNS Server. https://www.isc.org/downloads/bind/.Google Scholar
- David Dagon, Niels Provos, Christopher P Lee, and Wenke Lee. 2008. Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority.. In NDSS.Google Scholar
- John Dickinson and Sara Dickinson. 2019. DNS Privacy Implementation Status. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status.Google Scholar
- Sara Dickinson. 2018. DNS Privacy Project. https://dnsprivacy.org/wiki/display/DP.Google Scholar
- Sara Dickinson. 2019. DNS Privacy Daemon - Stubby. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby.Google Scholar
- Sara Dickinson. 2019. DNS Privacy Test Servers. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers.Google Scholar
- Google Public DNS. 2019. Migration to anycast and RFC 8484 DoH. https://developers.google.com/speed/public-dns/docs/doh/migration.Google Scholar
- Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J Alex Halderman, and Vern Paxson. 2017. The security impact of HTTPS interception. In NDSS.Google Scholar
- Zakir Durumeric, Eric Wustrow, and J Alex Halderman. 2013. ZMap: Fast Internet-wide Scanning and Its Security Applications.. In USENIX Security Symposium, Vol. 8. 47--53.Google ScholarDigital Library
- Fortinet. 2017. Preventing certificate warnings (default certificate). https://cookbook.fortinet.com/preventing-certificate-warnings-defaultcert-56/.Google Scholar
- Christian Grothoff, Matthias Wachs, Monika Ermert, and Jacob Appelbaum. 2015. NSA's MORECOWBELL: Knell for DNS. https://leaksource.files.wordpress.com/2015/02/nsas-morecowbell-knell-for-dns.pdf.Google Scholar
- DPRIVE Working Group. 2018. DNS PRIVate Exchange WG. https://datatracker.ietf.org/doc/charter-ietf-dprive/.Google Scholar
- Olafur Guomundsson and Marek Vavrusa. 2018. DoH and DoT experience. https://indico.dns-oarc.net/event/29/contributions/653/attachments/640/1027/DoT_and_DoH_experience.pdf.Google Scholar
- Brian Haberman and Catherine Master. 2018. DNS-over-TLS Measurements with RIPE Atlas Probes. https://datatracker.ietf.org/meeting/102/materials/slides-102-dprive-dns-over-tls-measurements-with-ripe-atlas-probes-01.Google Scholar
- Dominik Herrmann, Christian Banse, and Hannes Federrath. 2013. Behavior-based tracking: Exploiting characteristic patterns in DNS traffic. Computers & Security 39 (2013), 17--33.Google ScholarDigital Library
- Z Hu, Liang Zhu, John Heidemann, Allison Mankin, Duane Wessels, and Paul Hoffman. 2016. Specification for DNS over transport layer security (TLS). Technical Report.Google Scholar
- P Huffman and P McManus. 2018. DNS Queries over HTTPS (DoH). Technical Report.Google Scholar
- Christian Huitema, Melinda Shore, Allison Mankin, Sara Dickinson, and Jana Iyengar. 2018. Specification of DNS over Dedicated QUIC Connections. https://tools.ietf.org/html/draft-huitema-quic-dnsoquic-05.Google Scholar
- Daniel Kahn Gillmor. 2018. Trust relationships between users and private DNS resolvers. https://drive.google.com/file/d/13AeDutZJ1WZ-PrNZ9ZROsAc1-jfdhHvm/viewGoogle Scholar
- Karthikeyan C Kasiviswanathan. 2018. Postmortem of a Compromised MikroTik Router. https://www.symantec.com/blogs/threat-intelligence/hacked-mikrotik-router.Google Scholar
- Dae Wook Kim and Junjie Zhang. 2015. You are how you query: Deriving behavioral fingerprints from DNS traffic. In International Conference on Security and Privacy in Communication Systems. Springer, 348--366.Google ScholarCross Ref
- Matthias Kirchler, Dominik Herrmann, Jens Lindemann, and Marius Kloft. 2016. Tracked without a trace: linking sessions of users by unsupervised learning of patterns in their DNS traffic. In Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security. ACM, 23--34.Google ScholarDigital Library
- Erik Kline and Ben Schwartz. 2018. DNS over TLS support in Android P Developer Preview. https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.htmlGoogle Scholar
- Marc Kührer, Thomas Hupperich, Jonas Bushart, Christian Rossow, and Thorsten Holz. 2015. Going wild: Large-scale classification of open DNS resolvers. In IMC. ACM, 355--368.Google Scholar
- Wilson Lian, Eric Rescorla, Hovav Shacham, and Stefan Savage. 2013. Measuring the Practical Impact of DNSSEC Deployment.. In USENIX.Google Scholar
- Jinjin Liang, Jian Jiang, Haixin Duan, Kang Li, and Jianping Wu. 2013. Measuring query latency of top level DNS servers. In PAM. Springer, 145--154.Google Scholar
- Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao, and Min Yang. 2018. Who is answering my queries: understanding and characterizing interception of the DNS resolution path. In USENIX Security Symposium. 1113--1128.Google Scholar
- Alexander Mayrhofer. 2016. The edns (0) padding option. (2016).Google Scholar
- Patrick McManus. 2018. Firefox Nightly Secure DNS Experimental Results. https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-secure-dns-experimental-results/.Google Scholar
- Patrick McManus. 2018. Improving DNS Privacyin Firefox - Firefox Nightly News. https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/.Google Scholar
- Xianghang Mi, Ying Liu, Xuan Feng, Xiaojing Liao, Baojun Liu, XiaoFeng Wang, Feng Qian, Zhou Li, Sumayah Alrwais, and Limin Sun. 2019. Resident Evil: Understanding Residential IP Proxy as a Dark Service. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE.Google ScholarCross Ref
- 360 Netlab. 2019. Netlab OpenData. https://data.netlab.360.com/.Google Scholar
- Paul Pearce, Ben Jones, Frank Li, Roya Ensafi, Nick Feamster, Nick Weaver, and Vern Paxson. 2017. Global measurement of dns manipulation. In USENIX Security Symposium. USENIX. 307--323.Google Scholar
- Matt Prytuluk. 2018. Preventing Circumvention of Cisco Umbrella with Firewall Rules. https://support.umbrella.com/hc/en-us/articles/230904088-Preventing-Circumvention-of-Cisco-Umbrella-with-Firewall-Rules.Google Scholar
- Rod Rasmussen. 2016. The Pros and Cons of DNS Encryption. https://www.infosecurity-magazine.com/opinions/the-pros-and-cons-of-dns-encryption/.Google Scholar
- Tirumaleswar Reddy, Daniel Gillmor, and Sara Dickinson. 2018. Usage Profiles for DNS over TLS and DNS over DTLS. (2018).Google Scholar
- Tirumaleswar Reddy, D Wing, and P Patil. 2017. DNS over Datagram Transport Layer Security (DTLS). Technical Report.Google Scholar
- Sandra Siby, Marc Juarez, Narseo Vallina-Rodriguez, and Carmela Troncoso. 2018. DNS Privacy not so private: the traffic analysis perspective. (2018).Google Scholar
- Jonathan M Spring and Carly L Huth. 2012. The impact of passive dns collection on end-user privacy. Securing and Trusting Internet Names (2012).Google Scholar
- Daniel Stenberg. 2019. Public available servers. https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers.Google Scholar
- Marty Strong. 2018. Fixing Reachability to 1.1.1.1, GLOBALLY! https://labs.ripe.net/Members/marty_strong/fixing-reachability-to-1-1-1-1-globallyGoogle Scholar
- Nick Sullivan. 2017. Introducing Zero Round Trip Time Resumption (0-RTT). https://blog.cloudflare.com/introducing-0-rtt/.Google Scholar
- Gareth Tyson, Shan Huang, Felix Cuadrado, Ignacio Castro, Vasile C Perta, Arjuna Sathiaseelan, and Steve Uhlig. 2017. Exploring HTTP header manipulation in-the-wild. In Proceedings of the 26th International Conference on World Wide Web. International World Wide Web Conferences Steering Committee, 451--458.Google ScholarDigital Library
- David Ulevitch. 2011. DNSCrypt: Critical, fundamental, and about time. https://umbrella.cisco.com/blog/2011/12/06/dnscrypt-critical-fundamental-and-about-time/.Google Scholar
- Nicholas Weaver, Christian Kreibich, and Vern Paxson. 2011. Redirecting DNS for Ads and Profit.. In FOCI.Google Scholar
- Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, and Nikita Somaiya. 2015. Connection-oriented DNS to improve privacy and security. In Security and Privacy (SP), 2015 IEEE Symposium on. IEEE, 171--186.Google ScholarDigital Library
Index Terms
- An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?
Recommendations
An investigation on information leakage of DNS over TLS
CoNEXT '19: Proceedings of the 15th International Conference on Emerging Networking Experiments And TechnologiesDNS over TLS (DoT) protects the confidentiality and integrity of DNS communication by encrypting DNS messages transmitted between users and resolvers. In recent years, DoT has been deployed by popular recursive resolvers like Cloudflare and Google. ...
Understanding the Impact of Encrypted DNS on Internet Censorship
WWW '21: Proceedings of the Web Conference 2021DNS traffic is transmitted in plaintext, resulting in privacy leakage. To combat this problem, secure protocols have been used to encrypt DNS messages. Existing studies have investigated the performance overhead and privacy benefits of encrypted DNS ...
A DNS Server Classification Method Based on Long-Term Behavior Features
Machine Learning for Cyber SecurityAbstractObtaining the overall status of domain name system (DNS) by DNS measurement is of great significance to DNS protection and Internet traffic optimization. The accurate identification of the DNS server type is one of the challenging problems in the ...
Comments