May 12 – 13, 2019
Shangri-La Bangkok
Asia/Bangkok timezone

Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path

May 12, 2019, 12:00 PM
Ballroom 1 (Shangri-La Bangkok)

89 ซอย Wat Suan Plu - Dumex, Khwaeng Bang Rak, Khet Bang Rak, Krung Thep Maha Nakhon 10500, Thailand
Standard Presentation Public Workshop


Mr Baojun Liu (Tsinghua University), Mr Chaoyi Lu (Tsinghua University)


DNS is a critical service for almost all Internet applications. Since almost all DNS queries are sent in plain text, it is possible for transparent proxies to intercept DNS queries sent to public resolvers and surreptitiously respond using alternative resolvers instead. This kind of hidden interception can introduce privacy and security issues for client users.

Understanding the characteristics of hidden DNS interception is by no means trivial. It is very challenging to observe interception because we need vantage points sharing the same network with interceptors. We solved this problem by re-targeting the proxy and a popular piece of security software used by a large number of real-world users to conduct the measurement study.

In the end, we performed a first large-scale measurement study of on-path DNS interception and shed light on its scope and characteristics. In practice, we designed a novel approach to detecting interception and deployed a global measurement platform. As different transport protocols and various recursive servers are considered, our measurement study achieves good depth and breadth. The key observation is that, among the 3,047 ASes that we investigate, we find intercepted DNS queries in 259 ASes. In particular, 27.9% of DNS/UDP queries from China to Google Public DNS are intercepted.

Our research provides a first large-scale study on DNS end-to-end violation. Our work delivers strong evidence of DNS interception and serves as strong motivation for deploying DNS-over-Encryption. After being published, our findings were reported by several well-known media outlets, such as ACM TechNews, The Register, and Hackread. Our paper also received comments from Nick Sullivan, head of cryptography at Cloudflare, that “this paper accelerates the need to transition DNS from an unencrypted protocol to one that is protected by strong encryption and authentication technologies.”

Talk Duration 30 Minutes

Primary author

Mr Baojun Liu (Tsinghua University)


Mr Chaoyi Lu (Tsinghua University), Prof. Haixin Duan (Tsinghua University), Prof. Ying Liu (Tsinghua University), Prof. Zhou Li (University of California, Irvine), Prof. Shuang Hao (University of Texas at Dallas), Prof. Min Yang (Fudan University)
