15–16 Oct 2016
The Fairmont Dallas
US/Central timezone

A Study of Privacy and Anonymity in the DNS

15 Oct 2016, 11:45
30m
Gold (The Fairmont Dallas)

1717 N Akard St Dallas, TX 75201 USA
Standard Presentation
Public Workshop
Public Workshop: Measurement and Testing

Speaker

Christopher Wood (UCI)

Description

The need for a private Domain Name System (DNS) has become increasingly important in recent years. There are several different proposals to address this growing problem, including DNS-over-TLS and DNSCurve. The former enables clients to create ephemeral sessions with either their resolver or authoritative (stub) servers in which queries can be issued. The latter uses per-query encryption to protect queries between clients and servers. Encryption is the core mechanism used to enable client privacy in both of these solutions. However, in a recent study, Shulman showed that encryption alone is insufficient to protect the privacy of queries. Information leaked in DNS side channels, such as query timing, frequency, and resolution "chains," may reveal the contents of a query. Moreover, by observing the trust properties of DNS servers and their responses, an adversary may also learn the specific record within a domain that was requested.

Summary

There are a variety of mechanisms that can be used to plug these side channels, including:
message padding, query chaffing, query partitioning or splitting, and message interleaving.
Each of these techniques can increase the amount of entropy of a given query. Message buffering
can also be used to minimize information that is leaked through timing side channels.
Using query traces collected through DNS-OARC, we systematically study the efficacy of these
techniques against Shulman's attacks. We compare the privacy gains against the observed slowdown
induced by these privacy-preserving techniques.
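
As an added illustration of the padding claim above (not code from the talk or its authors), the sketch below computes how much uncertainty about the queried name remains when an observer sees only the message size, with and without padding to a block boundary. The sample names, the block sizes, and the uniform prior over names are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample of query names (not taken from the DNS-OARC traces).
NAMES = ["example.com", "mail.example.com", "www.example.org", "a.io",
         "login.bank.example", "cdn.example.net", "api.example.com", "x.example"]

HEADER_LEN = 12   # fixed DNS header
QFIXED_LEN = 4    # QTYPE + QCLASS

def wire_len(name):
    """Bytes in a DNS query for `name` (one question, no EDNS options).
    Assumption: the ciphertext size seen on the wire tracks this length
    plus a constant overhead, so the same buckets apply under encryption."""
    labels = name.rstrip(".").split(".")
    qname = sum(1 + len(label) for label in labels) + 1  # length octets + root
    return HEADER_LEN + qname + QFIXED_LEN

def padded_len(name, block):
    """Observed size once the message is padded up to a multiple of `block`."""
    n = wire_len(name)
    return n if block <= 1 else -(-n // block) * block

def conditional_entropy(names, block):
    """H(name | observed size) in bits, assuming equally likely names."""
    buckets = defaultdict(int)
    for n in names:
        buckets[padded_len(n, block)] += 1
    total = len(names)
    # In a bucket of k equally likely names the observer is left with log2(k) bits.
    return sum(k / total * math.log2(k) for k in buckets.values())

def report(names, blocks=(1, 16, 32, 64, 128)):
    """Rows of (block size, distinct observed sizes, remaining entropy in bits)."""
    rows = []
    for b in blocks:
        sizes = {padded_len(n, b) for n in names}
        rows.append((b, len(sizes), round(conditional_entropy(names, b), 3)))
    return rows

if __name__ == "__main__":
    for block, distinct, h in report(NAMES):
        print(f"block={block:>3}  distinct sizes={distinct}  H(name|size)={h} bits")
```

Larger blocks leave the observer with more uncertainty at the cost of more bytes per query, which is the privacy-versus-overhead trade-off the study measures.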

Moreover, Shulman also showed that caching resolvers can be identified through timing side channel
attacks. We discuss several resolver techniques that can be used to deter these attacks
without introducing extra load on the authoritative name servers. Specifically, we study
randomized response delays to clients to mask the presence of caches. With
appropriately computed delays, resolver identification becomes difficult.

Finally, to complement query and resolver privacy, we also study client anonymity. In particular, we seek to
learn to what extent (cleartext) DNS query patterns can be linked to individual users.
Trivial linkability attacks mean that stub servers can learn information about individual
clients, even if encryption (without mutual authentication) is used to protect queries
in transit. Using both supervised and unsupervised machine learning algorithms,
we conducted linkability experiments in a scenario with only two users browsing the web
for an extended period of time (e.g., the course of an entire day). Our results indicate that
query patterns have no discernible impact on client anonymity.

We study three important security properties of the DNS: query privacy, resolver transparency, and client anonymity. In the presence of transport layer or per-record encryption, we find that deterring Shulman's privacy attacks negates many of the benefits of the DNS infrastructure such as caching and hierarchical, recursive resolution for reduced latency and system traffic. With respect to anonymity, we find that client behavior is not noticeably leaked by individual queries. This means that DNS clients do not need to modify individual queries to aid anonymity.

Talk duration 30 Minutes

Primary author

Co-authors

Cesar Ghali (Google) Prof. Gene Tsudik (UCI)
