ABSTRACT
The Domain Name System (DNS) is used in every website visit and e-mail transmission, so privacy is an obvious concern. In DNS, users ask recursive resolvers (or "recursives") to make queries on their behalf. Prior analysis of DNS privacy focused on privacy risks to individual end-users, mainly in traffic between users and recursives. Recursives cache and aggregate traffic for many users, factors that are commonly assumed to protect end-user privacy above the recursive. We document institutional privacy as a new risk posed by DNS data collected at authoritative servers, even after caching and aggregation by DNS recursives. We are the first to demonstrate this risk by looking at leaks of e-mail exchanges which show communications patterns, and leaks from accessing sensitive websites, both of which can harm an institution's public image. We define a methodology to identify queries from institutions and identify leaks. We show the current practices of prefix-preserving anonymization of IP addresses and aggregation above the recursive are not sufficient to protect institutional privacy, suggesting the need for novel approaches. We demonstrate this claim by applying our methodology to real-world traffic from DNS servers that use partial prefix-preserving anonymization. Our work prompts additional privacy considerations for institutions that run their own resolvers and authoritative server operators that log and share DNS data.
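The prefix-preserving property named in the abstract, shown as an added example that is not code from the paper or from any anonymization library: a toy anonymizer that uses HMAC-SHA256 as its pseudorandom function (an assumption made here), run over a constructed key and constructed log lines. It shows why resolvers in the same network remain linkable after anonymization, which an operator can check before sharing logs; treating one /24 as one institution is also an assumption.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

KEY = b"constructed-demo-key"  # constructed key, for illustration only

# Constructed log of (recursive resolver address, query name) pairs.
SAMPLE_LOG = [
    ("192.0.2.10", "mail.example.org"),
    ("192.0.2.200", "www.example.net"),
    ("198.51.100.7", "www.example.com"),
]

def anonymize(ip, key=KEY):
    """Toy prefix-preserving anonymizer: output bit i is input bit i XOR a
    keyed pseudorandom bit derived only from input bits 0..i-1."""
    bits = format(int(ipaddress.IPv4Address(ip)), "032b")
    out = 0
    for i in range(32):
        prf = hmac.new(key, bits[:i].encode(), hashlib.sha256).digest()
        out = (out << 1) | (int(bits[i]) ^ (prf[0] & 1))
    return str(ipaddress.IPv4Address(out))

def shared_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses have in common."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()

def group_by_prefix(log, plen=24):
    """Anonymize each source, then collect query names per anonymized prefix."""
    groups = defaultdict(set)
    for src, qname in log:
        net = ipaddress.ip_network(f"{anonymize(src)}/{plen}", strict=False)
        groups[str(net)].add(qname)
    return dict(groups)

if __name__ == "__main__":
    # The two 192.0.2.x sources print under one anonymized /24.
    for net, names in group_by_prefix(SAMPLE_LOG).items():
        print(net, sorted(names))
```

The individual addresses are hidden, but the grouping an observer needs to attribute queries to one network survives, which is the gap the abstract describes.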