DOI: 10.1145/3355369.3355580 (ACM IMC conference proceedings, research article)

An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?

Published: 21 October 2019

Abstract

    DNS packets were designed, under the original standard, to travel through the Internet in unencrypted form. Recent discoveries show that real-world adversaries are actively exploiting this design weakness to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from industry, little has been done to understand their status from the perspective of global users.
    This paper presents the first end-to-end, large-scale analysis of DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we gain several unique insights. In general, the service quality of DNS-over-Encryption is satisfactory in terms of both accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception than traditional DNS, and the extra overhead is tolerable. However, we also discover several issues in how the services are operated. As an example, we find that 25% of DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users, but we observe a growing trend. We therefore believe the community should push for broader adoption of DNS-over-Encryption, and we also suggest that service providers carefully review their implementations.


Published In

IMC '19: Proceedings of the Internet Measurement Conference
October 2019
497 pages
ISBN: 9781450369480
DOI: 10.1145/3355369

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. DNS Measurement
2. DNS Privacy
3. DNS-over-HTTPS
4. DNS-over-TLS
5. Domain Name System

          Qualifiers

          • Research-article
          • Research
          • Refereed limited

          Conference

          IMC '19
          IMC '19: ACM Internet Measurement Conference
          October 21 - 23, 2019
          Amsterdam, Netherlands

          Acceptance Rates

          IMC '19 Paper Acceptance Rate 39 of 197 submissions, 20%;
          Overall Acceptance Rate 277 of 1,083 submissions, 26%


Cited By

• (2024) Evaluating the Impact of Design Decisions on Passive DNS-Based Domain Rankings. 2024 8th Network Traffic Measurement and Analysis Conference (TMA), pp. 1-11. DOI: 10.23919/TMA62044.2024.10559182. Online publication date: 21 May 2024.
• (2024) DNS Tunnel Problem In Cybersecurity. 2024 12th International Symposium on Digital Forensics and Security (ISDFS), pp. 1-6. DOI: 10.1109/ISDFS60797.2024.10527301. Online publication date: 29 April 2024.
• (2024) Privacy Leakage of DNS over QUIC: Analysis and Countermeasure. 2024 International Conference on Artificial Intelligence in Information and Communication (ICAIIC), pp. 518-523. DOI: 10.1109/ICAIIC60209.2024.10463369. Online publication date: 19 February 2024.
• (2023) Detection of DoH Traffic Tunnels Using Deep Learning for Encrypted Traffic Classification. Computers 12:3 (47). DOI: 10.3390/computers12030047. Online publication date: 22 February 2023.
• (2023) Wrapping DNS into HTTP(S): An Empirical Study on Name Resolution in Mobile Applications. 2023 IFIP Networking Conference (IFIP Networking), pp. 1-9. DOI: 10.23919/IFIPNetworking57963.2023.10186431. Online publication date: 12 June 2023.
• (2023) Web Privacy By Design: Evaluating Cross-layer Interactions of QUIC, DNS and H/3. 2023 IFIP Networking Conference (IFIP Networking), pp. 1-9. DOI: 10.23919/IFIPNetworking57963.2023.10186362. Online publication date: 12 June 2023.
• (2023) Characterizing Privacy Leakage in Encrypted DNS Traffic. IEICE Transactions on Communications E106.B:2, pp. 156-165. DOI: 10.1587/transcom.2022EBP3014. Online publication date: 1 February 2023.
• (2023) Securing Name Resolution in the IoT: DNS over CoAP. Proceedings of the ACM on Networking 1:CoNEXT2, pp. 1-25. DOI: 10.1145/3609423. Online publication date: 28 September 2023.
• (2023) Attacking DoH and ECH: Does Server Name Encryption Protect Users' Privacy? ACM Transactions on Internet Technology 23:1, pp. 1-22. DOI: 10.1145/3570726. Online publication date: 23 February 2023.
• (2023) Decoding the Kodi Ecosystem. ACM Transactions on the Web 17:1, pp. 1-36. DOI: 10.1145/3563700. Online publication date: 1 February 2023.
