TY - GEN
T1 - Encrypted DNS ⇒ Privacy? A Traffic Analysis Perspective
AU - Siby, Sandra
AU - Juarez, Marc
AU - Diaz, Claudia
AU - Vallina-Rodriguez, Narseo
AU - Troncoso, Carmela
N1 - Publisher Copyright:
© 2020 27th Annual Network and Distributed System Security Symposium, NDSS 2020. All Rights Reserved.
PY - 2020
Y1 - 2020
N2 - Virtually every connection to an Internet service is preceded by a DNS lookup. Lookups are performed without any traffic-level protection, thus enabling manipulation, redirection, surveillance, and censorship. To address these issues, large organizations such as Google and Cloudflare are deploying standardized protocols that encrypt DNS traffic between end users and recursive resolvers: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). In this paper, we examine whether encrypting DNS traffic can protect users from traffic analysis-based monitoring and censoring. We propose a novel feature set to perform traffic analysis attacks, as the features used to attack HTTPS or Tor traffic are not suitable for DNS' characteristics. We show that traffic analysis enables the identification of domains with high accuracy in closed and open world settings, using 124 times less data than attacks on HTTPS flows. We also show that DNS-based censorship is still possible on encrypted DNS traffic. We find that factors such as end-user location, recursive resolver, platform, or DNS client do negatively affect the attacks' performance, but they are far from completely stopping them. We demonstrate that the standardized padding schemes are not effective. Yet, Tor, which does not effectively mitigate traffic analysis attacks on web traffic, is a good defense against DoH traffic analysis.
UR - http://www.scopus.com/inward/record.url?scp=85092009258&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85092009258&partnerID=8YFLogxK
U2 - 10.14722/ndss.2020.24301
DO - 10.14722/ndss.2020.24301
M3 - Conference contribution
AN - SCOPUS:85092009258
T3 - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
BT - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
PB - The Internet Society
T2 - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
Y2 - 23 February 2020 through 26 February 2020
ER -