Speaker
Description
DNS cache snooping on small, misconfigured, open DNS resolvers is considered a privacy threat, because users can be easily deanonymized. However, the large number of users of public DNS resolvers, such as Google Public DNS, allows cache snooping to be used as a privacy-preserving measurement tool instead. The growing footprint of such public resolvers presents an opportunity to observe rare domain usage, while preserving the privacy of the users accessing them. However, the complexity of large public resolvers raises challenges as well as opportunities. In this work, we present Trufflehunter, a DNS cache snooping tool for estimating the prevalence of rare and sensitive Internet applications. Trufflehunter models the complex behavior of large multi-layer distributed caching infrastructures. In particular, using controlled experiments, we have inferred the caching strategies of the four most popular public DNS resolvers (Google Public DNS, Cloudflare DNS, OpenDNS and Quad9). Using a controlled testbed, we evaluated how accurately Trufflehunter can estimate domain name usage across the U.S. By applying this technique in the wild, we provided a lower-bound estimate of the popularity of several rare and sensitive applications (most notably smartphone stalkerware) which are otherwise challenging to survey.
