Characterizing Privacy Leakage in Encrypted DNS Traffic
Summary :
Increased demand for DNS privacy has driven the creation of several encrypted DNS protocols, such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ). Recently, DoT and DoH have been deployed by some vendors like Google and Cloudflare. This paper addresses privacy leakage in these three encrypted DNS protocols (especially DoQ) with different DNS recursive resolvers (Google, NextDNS, and Bind) and DNS proxy (AdGuard). More particularly, we investigate encrypted DNS traffic to determine whether the adversary can infer the category of websites users visit for this purpose. Through analyzing packet traces of three encrypted DNS protocols, we show that the classification performance of the websites (i.e., user's privacy leakage) is very high in terms of identifying 42 categories of the websites both in public (Google and NextDNS) and local (Bind) resolvers. By comparing the case with cache and without cache at the local resolver, we confirm that the caching effect is negligible as regards identification. We also show that discriminative features are mainly related to the inter-arrival time of packets for DNS resolving. Indeed, we confirm that the F1 score decreases largely by removing these features. We further investigate two possible countermeasures that could affect the inter-arrival time analysis in the local resolver: AdBlocker and DNS prefetch. However, there is no significant improvement in results with these countermeasures. These findings highlight that information leakage is still possible even in encrypted DNS traffic regardless of underlying protocols (i.e., HTTPS, TLS, QUIC).
- Publication
- IEICE TRANSACTIONS on Communications Vol.E106-B No.2 pp.156-165
- Publication Date
- 2023/02/01
- Publicized
- 2022/08/02
- Online ISSN
- 1745-1345
- DOI
- 10.1587/transcom.2022EBP3014
- Type of Manuscript
- PAPER
- Category
- Internet
Authors
Guannan HU
the Graduate University for Advanced Studies (Sokendai)
Kensuke FUKUDA
the Graduate University for Advanced Studies (Sokendai),National Institute of Informatics (NII)
Keyword
Latest Issue
Copyrights notice of machine-translated contents
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Cite this
Copy
Guannan HU, Kensuke FUKUDA, "Characterizing Privacy Leakage in Encrypted DNS Traffic" in IEICE TRANSACTIONS on Communications,
vol. E106-B, no. 2, pp. 156-165, February 2023, doi: 10.1587/transcom.2022EBP3014.
Abstract: Increased demand for DNS privacy has driven the creation of several encrypted DNS protocols, such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ). Recently, DoT and DoH have been deployed by some vendors like Google and Cloudflare. This paper addresses privacy leakage in these three encrypted DNS protocols (especially DoQ) with different DNS recursive resolvers (Google, NextDNS, and Bind) and DNS proxy (AdGuard). More particularly, we investigate encrypted DNS traffic to determine whether the adversary can infer the category of websites users visit for this purpose. Through analyzing packet traces of three encrypted DNS protocols, we show that the classification performance of the websites (i.e., user's privacy leakage) is very high in terms of identifying 42 categories of the websites both in public (Google and NextDNS) and local (Bind) resolvers. By comparing the case with cache and without cache at the local resolver, we confirm that the caching effect is negligible as regards identification. We also show that discriminative features are mainly related to the inter-arrival time of packets for DNS resolving. Indeed, we confirm that the F1 score decreases largely by removing these features. We further investigate two possible countermeasures that could affect the inter-arrival time analysis in the local resolver: AdBlocker and DNS prefetch. However, there is no significant improvement in results with these countermeasures. These findings highlight that information leakage is still possible even in encrypted DNS traffic regardless of underlying protocols (i.e., HTTPS, TLS, QUIC).
URL: https://global.ieice.org/en_transactions/communications/10.1587/transcom.2022EBP3014/_p
Copy
@ARTICLE{e106-b_2_156,
author={Guannan HU, Kensuke FUKUDA, },
journal={IEICE TRANSACTIONS on Communications},
title={Characterizing Privacy Leakage in Encrypted DNS Traffic},
year={2023},
volume={E106-B},
number={2},
pages={156-165},
abstract={Increased demand for DNS privacy has driven the creation of several encrypted DNS protocols, such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ). Recently, DoT and DoH have been deployed by some vendors like Google and Cloudflare. This paper addresses privacy leakage in these three encrypted DNS protocols (especially DoQ) with different DNS recursive resolvers (Google, NextDNS, and Bind) and DNS proxy (AdGuard). More particularly, we investigate encrypted DNS traffic to determine whether the adversary can infer the category of websites users visit for this purpose. Through analyzing packet traces of three encrypted DNS protocols, we show that the classification performance of the websites (i.e., user's privacy leakage) is very high in terms of identifying 42 categories of the websites both in public (Google and NextDNS) and local (Bind) resolvers. By comparing the case with cache and without cache at the local resolver, we confirm that the caching effect is negligible as regards identification. We also show that discriminative features are mainly related to the inter-arrival time of packets for DNS resolving. Indeed, we confirm that the F1 score decreases largely by removing these features. We further investigate two possible countermeasures that could affect the inter-arrival time analysis in the local resolver: AdBlocker and DNS prefetch. However, there is no significant improvement in results with these countermeasures. These findings highlight that information leakage is still possible even in encrypted DNS traffic regardless of underlying protocols (i.e., HTTPS, TLS, QUIC).},
keywords={},
doi={10.1587/transcom.2022EBP3014},
ISSN={1745-1345},
month={February},}
Copy
TY - JOUR
TI - Characterizing Privacy Leakage in Encrypted DNS Traffic
T2 - IEICE TRANSACTIONS on Communications
SP - 156
EP - 165
AU - Guannan HU
AU - Kensuke FUKUDA
PY - 2023
DO - 10.1587/transcom.2022EBP3014
JO - IEICE TRANSACTIONS on Communications
SN - 1745-1345
VL - E106-B
IS - 2
JA - IEICE TRANSACTIONS on Communications
Y1 - February 2023
AB - Increased demand for DNS privacy has driven the creation of several encrypted DNS protocols, such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ). Recently, DoT and DoH have been deployed by some vendors like Google and Cloudflare. This paper addresses privacy leakage in these three encrypted DNS protocols (especially DoQ) with different DNS recursive resolvers (Google, NextDNS, and Bind) and DNS proxy (AdGuard). More particularly, we investigate encrypted DNS traffic to determine whether the adversary can infer the category of websites users visit for this purpose. Through analyzing packet traces of three encrypted DNS protocols, we show that the classification performance of the websites (i.e., user's privacy leakage) is very high in terms of identifying 42 categories of the websites both in public (Google and NextDNS) and local (Bind) resolvers. By comparing the case with cache and without cache at the local resolver, we confirm that the caching effect is negligible as regards identification. We also show that discriminative features are mainly related to the inter-arrival time of packets for DNS resolving. Indeed, we confirm that the F1 score decreases largely by removing these features. We further investigate two possible countermeasures that could affect the inter-arrival time analysis in the local resolver: AdBlocker and DNS prefetch. However, there is no significant improvement in results with these countermeasures. These findings highlight that information leakage is still possible even in encrypted DNS traffic regardless of underlying protocols (i.e., HTTPS, TLS, QUIC).
ER -
English
