Encrypted DNS --&gt; Privacy? A Traffic Analysis Perspective

Siby, Sandra; Juárez, Marc; Díaz, Claudia; Vallina-Rodriguez, Narseo; Troncoso, Carmela

doi:10.14722/ndss.2020.24301

Cited by 67 publications

(60 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many scientists have been involved in the development of methods for analyzing DNS traffic, issues of its encryption in order to protect users' DNS requests from monitoring and censorship. For example, the authors of paper [13] have concluded that the existing standard DNS traffic schemes are ineffective. Works [14][15][16][17] emphasize the relevance of DNS traffic protection and point to the need for a thorough analysis of possible leaks.…”

Section: Literature Review and Problem Statementmentioning

confidence: 99%

Development of an algorithm to protect user communication devices against data leaks

Zadereyko

Prokop

Trofymenko

et al. 2021

EEJET

View full text Add to dashboard Cite

In order to identify ways used to collect data from user communication devices, an analysis of the interaction between DNS customers and the Internet name domain space has been carried out. It has been established that the communication device's DNS traffic is logged by the DNS servers of the provider, which poses a threat to the privacy of users. A comprehensive algorithm of protection against the collection of user data, consisting of two modules, has been developed and tested. The first module makes it possible to redirect the communication device's DNS traffic through DNS proxy servers with a predefined anonymity class based on the proposed multitest. To ensure a smooth and sustainable connection, the module automatically connects to a DNS proxy server that has minimal response time from those available in the compiled list. The second module blocks the acquisition of data collected by the developers of the software installed on the user's communication device, as well as by specialized Internet services owned by IT companies. The proposed algorithm makes it possible for users to choose their preferred level of privacy when communicating with the Internet space, thereby providing them with a choice of privacy level and, as a result, limiting the possibility of information manipulation over their owners. The DNS traffic of various fixed and mobile communication devices has been audited. The analysis of DNS traffic has enabled to identify and structure the DNS requests responsible for collecting data from users by the Internet services owned by IT companies. The identified DNS queries have been blocked; it has been experimentally confirmed that the performance of the basic and application software on communication devices was not compromised.

show abstract

Section: Literature Review and Problem Statementmentioning

confidence: 99%

Development of an algorithm to protect user communication devices against data leaks

Zadereyko

Prokop

Trofymenko

et al. 2021

EEJET

View full text Add to dashboard Cite

show abstract

“…e measurements are produced from a set of 1 M websites, which means that if one wants to maintain the desired accuracy, they should regularly restart the crawling process to update the resulting set of IP addresses. Furthermore, Siby et al [36] have proposed an n-gram model to predict the domain names from DoH based on the sizes and timing of the packets. ey achieve an F1-score of 70% in an open world scenario of 1500 monitored webpages and demonstrate the robustness against countermeasures such as padding.…”

Section: Related Workmentioning

confidence: 99%

“…For instance, we could cache domain names from older look-ups or use optional precrawled domain names such as in [35]. Additionally, combinations with the DoH fingerprinting work of [36] may have a beneficial outcome on the accuracy of Open-Knock. Finally, a higher number of webpage samples (h) in Section 4.6 or a longer delay q in Section 4.5 may substantially increase the accuracy of our method, although future experiments would be useful to measure the exact impact.…”

Section: Future Workmentioning

confidence: 99%

Knocking on IPs: Identifying HTTPS Websites for Zero-Rated Traffic

Martino

Quax

Lamotte

2020

Security and Communication Networks

View full text Add to dashboard Cite

Zero-rating is a technique where internet service providers (ISPs) allow consumers to utilize a specific website without charging their internet data plan. Implementing zero-rating requires an accurate website identification method that is also efficient and reliable to be applied on live network traffic. In this paper, we examine existing website identification methods with the objective of applying zero-rating. Furthermore, we demonstrate the ineffectiveness of these methods against modern encryption protocols such as Encrypted SNI and DNS over HTTPS and therefore show that ISPs are not able to maintain the current zero-rating approaches in the forthcoming future. To address this concern, we present “Open-Knock,” a novel approach that is capable of accurately identifying a zero-rated website, thwarts free-riding attacks, and is sustainable on the increasingly encrypted web. In addition, our approach does not require plaintext protocols or preprocessed fingerprints upfront. Finally, our experimental analysis unveils that we are able to convert each IP address to the correct domain name for each website in the Tranco top 6000 websites list with an accuracy of 50.5% and therefore outperform the current state-of-the-art approaches.

show abstract

“…EDNS(0) padding thus provides privacy for the encrypted DNS messages. However, Siby et al [93] found that adding EDNS(0) padding solely will not prevent traffic analysis attacks, and adversaries would still be able to access DNS content using ML-based analysis techniques.…”

Section: Dns Privacy Extensionsmentioning

confidence: 99%

“…DoT suggests using the EDNS(0) padding option to pad the DNS messages with a variable number of octets and make them more resilient against traffic-analysis and side-channel leaks in Stage-1. However, recent literature shows that encryption and padding techniques in DoT are not strong enough to resist Machine Learning (ML) based traffic analysis attacks [93,48]. DoT uses a specific port (853) and its traffic is distinguishable, which makes its traffic susceptible to blocking, redirecting, or censorship [49,63].…”

Section: Dnscrypt Is Resilient-to-eavesdropping-in-mentioning

confidence: 99%

Survey And Evaluation of Secure-DNS Alternatives Through Passive Measurements

jahromi¹

View full text Add to dashboard Cite

As security was not among the original DNS design goals, over ten secure-DNS schemes have been proposed to improve security and privacy during the name resolution process.One of the schemes is DNS-over-TLS (DoT), which relies on the Internet's PKI for establishing trust in recursive resolvers. The security research community has studied and improved security shortcomings in the web certificate ecosystem. DoT's certificates, on the other hand, have not been investigated comprehensively. This thesis analyzes the certificate ecosystem of DoT in comparison to HTTPS. The results are so far promising, as they show that DoT appears to have benefited from the PKI security advancements that were designed for HTTPS. The thesis then surveys secure-DNS schemes, and presents an evaluation framework to assess their security, availability, privacy, and anonymity benefits. Our evaluation illustrates that none of the DNS schemes secures the complete path of the domain name resolution. All rated schemes provide only partial security benefits in specific domain name resolution stages. The results shed light on the challenges of designing a comprehensive and widely-deployable secure-DNS scheme to secure the complete name resolution path.However, as some schemes can be combined, their resultant benefits can address individual shortcomings.

show abstract

Encrypted DNS --> Privacy? A Traffic Analysis Perspective

Cited by 67 publications

References 28 publications

Development of an algorithm to protect user communication devices against data leaks

Development of an algorithm to protect user communication devices against data leaks

Knocking on IPs: Identifying HTTPS Websites for Zero-Rated Traffic

Survey And Evaluation of Secure-DNS Alternatives Through Passive Measurements

Contact Info

Product

Resources

About