An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?

By its original standard, DNS traffic traverses the Internet unencrypted. Recent findings show that real-world adversaries actively exploit this design weakness to compromise the security and privacy of Internet users. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we collectively term DNS-over-Encryption. While some of these proposals have been standardized and are gaining strong support from industry, little has been done to understand their status from the perspective of global users. This paper presents the first end-to-end, large-scale analysis of DNS-over-Encryption. By combining data from Internet-wide scanning, user-end measurement and passive monitoring logs, we gain several unique insights. In general, the service quality of DNS-over-Encryption is satisfactory in terms of both accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception than traditional DNS queries, and the extra overhead is tolerable. However, we also discover several issues in how the services are operated; for example, we find that 25% of DNS-over-TLS service providers use invalid TLS certificates. Compared with traditional DNS, DNS-over-Encryption is used by far fewer users, but we observe a growing trend. We therefore believe the community should push for broader adoption of DNS-over-Encryption, and we suggest that service providers carefully review their implementations.
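The abstract reports two client-side measurements for DNS-over-TLS: whether a resolver answers over TCP/853, and whether the certificate it presents would be accepted by a default-configured client. The following Python 3 script is an added example, not the paper's own measurement code, showing the minimum a probe needs: a DNS wire-format query, the two-octet length framing that DoT inherits from DNS over TCP (RFC 7858, RFC 1035), a response parser, and a TLS connection that first enforces certificate and hostname validation and then classifies the resolver as valid_cert, invalid_cert or unreachable. The resolver hostname and IP are taken from the command line and are assumptions of the caller; with no arguments the script parses a constructed sample response so it runs offline.

```python
import random
import socket
import ssl
import struct
import sys
import time

DOT_PORT = 853  # RFC 7858 assigns TCP/853 to DNS over TLS


def build_query(qname, qtype=1, qid=0x1234):
    """Encode a single-question DNS query (RFC 1035 s4.1) with the RD flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame_dot(msg):
    # DoT reuses the TCP framing of RFC 1035 s4.2.2: a two-octet length prefix.
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 octets, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, expected_id):
    """Parse the header and A records of a DNS response; return rcode and answers."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("response id %#x does not match query id %#x" % (qid, expected_id))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x0F, "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_dot(hostname, ip, qname="example.com", timeout=5.0, verify=True):
    """Send one query over DoT; verify=False disables certificate validation."""
    ctx = ssl.create_default_context()  # validates chain and hostname by default
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    qid = random.randrange(1, 0xFFFF)
    query = build_query(qname, qid=qid)
    start = time.monotonic()
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(frame_dot(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            response = _recv_exact(tls, length)
            result = {"latency_ms": (time.monotonic() - start) * 1000.0, "tls": tls.version()}
    result.update(parse_response(response, qid))
    return result


def classify_dot_service(hostname, ip):
    """Reachable, and does it present a certificate a default client accepts?"""
    try:
        return {"status": "valid_cert", **probe_dot(hostname, ip)}
    except ssl.SSLCertVerificationError as e:
        # Live service whose certificate a default client rejects (expired,
        # self-signed, name mismatch): the operational issue the paper reports.
        return {"status": "invalid_cert", "reason": str(e)}
    except OSError as e:
        return {"status": "unreachable", "reason": str(e)}


# Constructed sample response (not captured from a real resolver): id 0x1234,
# QR|RD|RA, one question example.com/A, one A record 93.184.216.34 with TTL 3600.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python dot_probe.py <resolver-hostname> <resolver-ip>
        print(classify_dot_service(sys.argv[1], sys.argv[2]))
    else:
        print(parse_response(SAMPLE_RESPONSE, 0x1234))
```

The hostname passed to `wrap_socket` is what the certificate's subject names are checked against, so a probe must know the name the operator intends clients to use (the authentication domain name); scanning by bare IP without one can only ever report a name mismatch. Separating the `ssl.SSLCertVerificationError` branch from generic `OSError` is what lets a survey distinguish "service answers with a bad certificate" from "port closed or timed out".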
