Towards Tackling Privacy Disclosure Issues in Domain Name Service

Xuebiao Yuchi, Guanggang Geng, Zhiwei Yan, and Xiaodong Lee
National Engineering Laboratory for Naming and Addressing, China Internet Network Information Center, Beijing, China
{yuchixuebiao, gengguanggang, yanzhiwei, xl}@cnnic.cn

2017 IFIP/IEEE International Symposium on Integrated Network Management (IM2017): Experience Session - Short Paper. ISBN 978-3-901882-89-0, ©2017 IFIP.

Abstract—Serving as the global Internet's phonebook, the Domain Name Service (DNS) translates human-friendly domain names into machine-readable IP addresses, which makes the DNS critical to the operation of the Internet and relied upon by almost all kinds of Internet-based activities. Anyone who wants to go anywhere on the Internet needs to consult the DNS first. The DNS has therefore become an ideal place to conduct online privacy exploitation, given people's pervasive use of the Internet. However, the current DNS provides no countermeasure against this kind of exploitation and thus risks severe privacy disclosure problems. In this paper, we give a comprehensive empirical analysis of DNS privacy disclosure problems by exploring the potential privacy leaking paths in the DNS. We then systematically identify and describe multiple criteria of validity that are obligatory when considering DNS privacy preservation. Finally, we propose a simple DNS privacy preserving solution with significant deployment potential in the current DNS, which leads only to a moderate level of extra query latency perceived by end users.

Keywords—Domain Name Service; privacy disclosure; privacy preserving.

I. INTRODUCTION

As a global, hierarchically distributed directory service, the Domain Name Service (DNS) provides the translation between human-friendly domain names and machine-readable IP addresses, which makes it the most critical infrastructure component of the Internet, heavily relied upon by almost all kinds of Internet activities. A person who wants to go somewhere on the Internet must resort to the DNS first to get the corresponding directions. In this context, someone observing the DNS can learn almost all of a person's online source-target information. However, as one of the oldest pieces of Internet infrastructure, the DNS was initially designed as an open and public service and did not account for privacy: all of its data is transmitted in the clear. As a result, considerable sensitive information that is valuable for user profiling can easily be extracted from the DNS.

In this paper, we focus on the privacy disclosure issues of the DNS. By exploring all possible privacy leaking paths in the DNS, we first present our empirical analysis of the privacy disclosure problems in the DNS. Then we introduce and detail multiple criteria of validity that are obligatory for DNS privacy preservation. Finally, we propose a novel scheme to address the DNS privacy disclosure problems, and further validate its effectiveness and availability through real-world experiments. The rest of the paper is organized as follows. We discuss the related work in Section 2. Then we present our analysis of the DNS privacy disclosure problems and describe the criteria of validity that are essential for privacy preservation in Section 3. We propose our DNS privacy preserving solution and validate it through experiments in Section 4. Finally, we discuss our work and conclude the paper in Section 5.

II. RELATED WORK

While privacy issues in general have been studied intensively over the decades, the privacy of the DNS has attracted much less attention and has been largely ignored by the Internet research community. Due to the recent revelations of pervasive monitoring by nation-state surveillance [5], the need for a private DNS has become of great interest in recent years. Several different methods to address this growing problem have been proposed, a large portion of them encrypting the transmitted DNS data, such as DNS over TLS [1]. However, this proposal only encrypts the data transmitted between recursive and authoritative DNS servers, while these DNS servers themselves retain the ability to spy on the data. Besides DNS data encryption, the IETF DPRIVE working group introduces a technique called "qname minimization" [2], where the recursor no longer needs to send the full query name to the upstream authoritative DNS servers, but only as much of the name as is necessary to make progress in the resolution process. Yet again, this solution only partially solves the DNS privacy problems. First, the full query name is finally exposed in plaintext during the last step of the resolution process between the recursive and authoritative DNS servers. Second, the proposal does not address the privacy leak at the recursor, which still has the ability to spy on the data.

Zhao et al. [3] propose to ensure DNS privacy by concealing the actual queries among noisy traffic. However, the privacy ensured by added queries is difficult to analyze, and the technique introduces noticeable additional latency and overhead, making it impractical for real-world deployment. In order to fully solve the DNS privacy disclosure problems, some radical solutions propose to replace the current DNS with alternative peer-to-peer name systems, such as GNS [4] and Namecoin [5]. For example, the GNS resolution process uses a distributed hash table (DHT) and peer-to-peer technologies to enable users to look up key-value mappings, which departs significantly from the current DNS. While promising, we do not expect that these radical
solutions could be widely adopted in the near future, due to the need for a completely different DNS infrastructure and their high computational complexity, which requires special hardware. In general, a readily available, practical and effective solution for DNS privacy preservation is still lacking.

III. PROBLEM DESCRIPTION

A. DNS Overview

Let us first take an overview of how the DNS works. Generally, the DNS infrastructure consists of three types of components: stub resolvers (on behalf of users), recursive DNS servers, and authoritative DNS servers (Fig. 1). Typically, when a user wants to establish an Internet connection to some remote resource, the stub resolver first needs to launch a DNS query for the corresponding domain name towards its configured recursive DNS server (recursor for short), which is commonly provided by the local ISP or a third party such as Google Public DNS. The recursor then forwards this query to the authoritative DNS servers iteratively until it receives an authoritative answer (steps 2-4). Finally, the recursor replies to the stub resolver with this answer, and also caches the answer locally for a certain time in case of reuse. As illustrated in Fig. 1, each DNS query contains two major pieces of information, namely the source IP of the originator who launches the query (IPuser or IPrec) and the target domain name that the user is looking for (www.example.cn).

Fig. 1. The current DNS query process.

B. Risks Analysis

From the above description, we can infer that once a user launches a DNS query for some specific domain name, the user's IP address and target domain name are explicitly exposed to the DNS servers. Moreover, in the current DNS all queries are conducted over UDP in plaintext. In other words, the current DNS provides no privacy at all. As a result, the user's query information can easily be exploited by these DNS servers and by potential third-party eavesdroppers. In this section we explore the DNS privacy disclosure risks in three different scopes, namely recursors, authoritative DNS servers, and transmission channels.

a) Recursors. Typically, there is no caching on the stub resolver's side, which means that all of the queries generated by the stub resolver are sent to the recursor. In other words, the recursor is able to observe and collect all of the user's target information, including each target's query volume. Since all users rely on the recursor for web surfing, this kind of exploitation is easy. The recursors could either use these data themselves, or pass the data to some third party that is part of a surveillance program like "PRISM" [6]. For example, some large hotels may use the recursor they control to aggregate DNS data in order to learn what kinds of websites their customers regularly access while residing in their hotels. Moreover, recursors can not only listen to the DNS queries sent to them but can also actively drop, forge or manipulate DNS responses. For example, a recursor controlled by some ISP can simply block access to a particular website by dropping all of the user's queries for its domain name.

b) Authoritative DNS Servers. Note that the DNS queries received by authoritative DNS servers originate from recursors, not from users. Therefore, the user's source IP address can be hidden from the authoritative DNS servers, which gives the user a certain degree of privacy. However, this hiding does not always work. For instance, many of today's recursors actively use the "edns-client-subnet" mechanism [7] to tag the queries they send to authoritative DNS servers with the user's IP address, so that they receive responses optimized for this specific user instead of for the recursor. In this case, the authoritative DNS servers learn the exact IP addresses of the users, which can lead to serious privacy exposure. Moreover, the authoritative DNS server can also observe and collect all of the incoming DNS queries, just like the recursor. Although the caching mechanism used by the recursor hides the exact volume of DNS queries sent to the authoritative DNS servers, the authoritative servers can still infer the expected query volume from the distribution of query arrivals.

c) Transmission Channels. Typically, DNS traffic is not encrypted and can easily be observed or injected into by eavesdroppers and attackers. As a result, if the user starts an HTTPS communication with a website, the HTTP traffic is encrypted but the DNS traffic that precedes it is not. We therefore identify two main risks in the transmission channels, namely passive eavesdropping and active MITM attacks. In the first case, the eavesdropper does not compromise any DNS servers, but only eavesdrops on the transmitted DNS data passively in order to learn source-target related information. Currently, plaintext DNS data can easily be eavesdropped on unprotected Ethernet and Wi-Fi networks using many available tools. In the second case, attackers actively inject forged packets into the DNS traffic to launch MITM attacks. These injections can fool the users and redirect the DNS traffic to a malicious DNS server, compromising the user's privacy. Note that the best vantage point for the above privacy exploitation is clearly between the stub resolvers and the recursors, since there the DNS traffic is not reduced by DNS caching.

C. Requirements

Given the above DNS privacy disclosure risk analysis, in this section we detail the criteria of validity that are required for DNS privacy preservation.

a) Effectiveness. Note that current DNS privacy preserving techniques such as DNS data encryption and "qname minimization" only partially solve the DNS privacy disclosure problems. An ideal DNS privacy preserving solution should be effective enough to avoid all kinds of privacy leaking risks as described above. Most importantly, the user's source-target information should not be disclosed during the whole DNS query process. In this context, none of the DNS servers (recursive or authoritative) or third-party observers should retain the ability to observe or infer the linkage between the user's source IP address and his/her target domain name from any part of the DNS traffic.

b) Usability. Some aggressive solutions that aim to fully solve the DNS privacy disclosure problems, such as Namecoin, would cause fundamental changes to the current DNS and thus cannot be widely adopted by the community. Therefore, an ideal DNS privacy preserving solution should also be compatible enough with the current DNS, avoiding significant changes to it. In other words, the DNS privacy preserving solution should provide a standards-compliant and lightweight interface that can be accessed easily by both users and DNS servers. For example, since most current DNS queries are transmitted over UDP, it is clearly the best choice to build a DNS privacy preserving solution on the UDP protocol. Furthermore, the introduction of the DNS privacy preserving solution should not lead to significant delays in the DNS query process, and the additional workload added to the DNS servers (if any) should be low.

From the above description, we conclude that an ideal DNS privacy preserving solution should not only be effective enough to avoid all of these privacy leaking risks, but should also show high usability in the current DNS. Unfortunately, none of the current solutions for DNS privacy preservation meets these requirements simultaneously.

IV. PROPOSED SOLUTION

In practice, the introduction of any privacy enhancing technology will inevitably bring challenges and costs to the DNS. As such, an ideal DNS privacy preserving solution should follow a lightweight design to avoid adversely impacting the existing DNS infrastructure or the user base. In this section, we introduce our initial idea for effective DNS privacy preservation and further validate its usability through real-world simulations.

A. Details

Generally, the recursor acts as an agent between the users and the authoritative DNS servers, and thus naturally has access to all DNS query data involved in the whole DNS query process. Therefore, we believe that the key point for an effective DNS privacy preserving solution is to eliminate the recursor's ability to access all DNS query data. In this context, the main idea of our proposed method for DNS privacy preservation is to introduce a new type of DNS server, called a "privacy preserving server", into the DNS query process. Just like the recursors, the privacy preserving servers act as agents between the users and the authoritative DNS servers. As illustrated in Fig. 2, when the stub resolver wants to query a name "www.example.com", it first converts this name into an encrypted one (like "e5sdn49imw") using the public key provided by its predefined privacy preserving server (such as "privacy.cn"). Then the stub resolver launches a DNS query for the new combined name instead towards the recursor (namely "e5sdn49imw.privacy.cn"). When the privacy preserving server receives this DNS query from the recursor, it decrypts the combined name using its local private key, and returns the corresponding reply from the authoritative DNS servers to the recursor in encrypted form. Finally, the stub resolver receives the corresponding reply from the recursor and decrypts it using the local public key.

From the above description, we can see that none of these three types of DNS servers (or other third-party eavesdroppers) retains the ability to observe the user's origin-target information from any part of the DNS query process, and thus the user's privacy can be preserved very well. Meanwhile, all DNS data here can be transmitted in standards-compliant DNS packets (over UDP), and the whole DNS query process can be implemented with existing DNS protocols without any changes to the current recursive or authoritative servers. In a word, our solution can be expected to have remarkable effectiveness and usability in the current DNS.

Fig. 2. DNS query process with privacy preservation. [Figure: the components shown are the stub resolver (user), the recursive DNS server, the privacy preserving server "privacy.cn", and the authoritative DNS servers for ".", ".com" and "example.com".]
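The combined-name construction of Section IV.A as a worked example, added here and not the authors' implementation: the stub packs a ciphertext into DNS labels under the privacy zone, the privacy preserving server unpacks it, and `max_ciphertext_bytes` computes how large a ciphertext the DNS name-length limits leave room for, which decides which cipher the scheme can use at all. The asymmetric encryption is replaced by a constructed keyed stand-in (`seal`/`open_`) so the code runs on the standard library; `privacy.cn` and `www.example.com` are from the paper, the key and IP addresses are constructed.

```python
import base64
import hashlib
import hmac
import secrets

MAX_LABEL = 63   # RFC 1035: a label carries at most 63 octets
MAX_NAME = 253   # longest name in presentation form that resolvers accept

# Constructed stand-in for the public-key encryption the paper assumes: an HMAC-SHA256
# keystream under a key shared by stub and privacy server for this demo only. A deployment
# would use real public-key encryption so that only privacy.cn's private key recovers the name.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def encode_blob_as_name(blob: bytes, privacy_zone: str) -> str:
    """Pack a ciphertext into labels under privacy_zone (cf. 'e5sdn49imw.privacy.cn').
    Base32 rather than base64: DNS names are case-insensitive and recursors may
    randomise label case (0x20 encoding), which would corrupt a base64 blob."""
    text = base64.b32encode(blob).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    name = ".".join(labels + [privacy_zone])
    if len(name) > MAX_NAME:
        raise ValueError(f"combined name is {len(name)} chars, limit is {MAX_NAME}")
    return name

def decode_name_to_blob(qname: str, privacy_zone: str) -> bytes:
    """Inverse of encode_blob_as_name, run by the privacy preserving server."""
    suffix = "." + privacy_zone
    if not qname.lower().endswith(suffix):
        raise ValueError("query is not under the privacy zone")
    text = qname[:-len(suffix)].replace(".", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

def max_ciphertext_bytes(privacy_zone: str) -> int:
    """Largest ciphertext that fits in one query name under privacy_zone. This bounds
    the cipher choice: a 256-byte RSA-2048 ciphertext does not fit under privacy.cn."""
    for size in range(MAX_NAME, 0, -1):
        try:
            encode_blob_as_name(bytes(size), privacy_zone)
            return size
        except ValueError:
            continue
    return 0

def stub_build_query(real_name: str, server_key: bytes, privacy_zone: str) -> str:
    return encode_blob_as_name(seal(server_key, real_name.encode("ascii")), privacy_zone)

def privacy_server_recover(qname: str, server_key: bytes, privacy_zone: str) -> str:
    return open_(server_key, decode_name_to_blob(qname, privacy_zone)).decode("ascii")

def observer_view(user_ip: str, recursor_ip: str, real_name: str, server_key: bytes, privacy_zone: str) -> dict:
    """What each party in Fig. 2 can link: the recursor sees the user's IP with only the
    combined name; the privacy server sees the real name with only the recursor's IP."""
    qname = stub_build_query(real_name, server_key, privacy_zone)
    return {"recursor": (user_ip, qname),
            "privacy_server": (recursor_ip, privacy_server_recover(qname, server_key, privacy_zone))}
```

With `privacy.cn` as the zone the budget is 149 bytes, so a single query name cannot carry an RSA-2048 ciphertext and the scheme needs a compact (hybrid or elliptic-curve) encryption.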

B. Validation

Note that the proposed DNS privacy preserving solution does not cause any changes or additional workload to the current recursive or authoritative DNS servers. Nevertheless, the user's query latency inevitably increases due to the introduction of the privacy preserving servers. For practical reasons, this increase in query latency should be kept at a moderate level. Therefore, we need to analyze this increase quantitatively through real-world simulations, to further validate our solution's potential for practical application.

Our simulated testbed is built within a local network (1 Gbps) from ready-made desktop PCs (Intel Core i7-4710 octa-core, 2 GB RAM, Ubuntu 16.04.1). We use the network emulator netem to simulate real-world latencies between the different components. The privacy preserving server is configured to be authoritative for all DNS queries generated by the stub resolvers. Since the query latencies between the privacy preserving server and the authoritative DNS servers are not affected by our proposed solution, our focus here is simply to measure and compare the query latencies between the user and the privacy preserving server with the traditional ones between the user and the recursor. We generate encrypted DNS queries from multiple stub resolvers using locally deployed load generators towards a single privacy preserving server, and calculate the average query latency between the stub resolvers and the privacy preserving server, which can be traced by the load generators.

We also validate our solution's scalability by gradually ranging the query rate from 1k to 5k queries per second. In practice, query latency may be one of the major concerns when users consider privacy preserving technologies for their DNS queries. Exaggerated query latency will definitely weaken the user's willingness to adopt the solution. Simulation results show that the introduction of our privacy preserving servers into the DNS query process only leads to a moderate level of additional query latency for the users (Fig. 3). Therefore, our proposed solution is acceptable for the users and worthwhile for practical deployment.

Fig. 3. Query latency comparison between the traditional DNS query process and the proposed one. [Figure: latency in ms (y-axis, 10 to 35) against query rate in thousands of queries per second (x-axis, 1 to 5), for the proposed and the traditional process.]

V. CONCLUSION AND FUTURE WORK

While the DNS research community is beginning to be aware of the privacy issues in the DNS, it is virtually impossible to make significant progress quickly because of the need for compatibility with the existing infrastructure. For example, the deployment rate of the security enhancing technology DNSSEC among world-wide DNS servers is still extremely low, even though it was introduced many years ago. In fact, even a tiny modification to the DNS might have a serious negative impact on the DNS, and also on somebody's business model or national interests.

Due to effectiveness or usability issues, previous work on DNS privacy preservation has not resulted in ready deployment in the DNS so far. In this paper, we first analyze the whole DNS query process and the privacy disclosure problems during every single step of the query; then we describe the requirements that an effective and usable DNS privacy preserving technology should meet. We further propose a simple DNS privacy preserving solution which only leads to a moderate level of additional query latency for the users, demonstrating significant applicability in the current DNS infrastructure. We hope our work can be an initial step towards addressing the DNS privacy preserving issues in a more effective and usable way. As a next step, we aim to seek large-scale deployment of our solution in the real world. We also propose to integrate our solution with DNSSEC technology to provide a more comprehensive one for authenticity, integrity and privacy protection of the DNS.

ACKNOWLEDGMENT

This work is partially supported by China's Key R&D Program (No. 2016YFC0801100) and the Around Five Top Priorities of "One-Three-Five" Strategic Planning, Computer Network Information Center, Chinese Academy of Sciences (No. CNIC_PY-1402).

REFERENCES

[1] L. Zhu, Z. Hu, J. Heidemann, D. Wessels, A. Mankin, and N. Somaiya, "Connection-oriented DNS to Improve Privacy and Security," in Proceedings of 2015 IEEE Symposium on Security and Privacy (S&P), pp. 171-186, 2015.
[2] IETF DNS Private Exchange (DPRIVE) Working Group, https://datatracker.ietf.org/wg/dprive/documents/, 2016.
[3] F. Zhao, Y. Hori, and K. Sakurai, "Analysis of Privacy Disclosure in DNS Query," in Proceedings of International Conference on Multimedia and Ubiquitous Engineering, pp. 952-957, 2007.
[4] M. Wachs, M. Schanzenbach, and C. Grothoff, "A Censorship-Resistant, Privacy-enhancing and Fully Decentralized Name System," in Proceedings of the 13th International Conference on Cryptology and Network Security, pp. 127-142, 2014.
[5] Namecoin, https://en.wikipedia.org/wiki/Namecoin, 2016.
[6] B. Schneier, "NSA Targets the Privacy-Conscious for Surveillance," https://www.schneier.com/blog/archives/2014/07/nsa_targets_pri.html, 2014.
[7] C. Contavalli, W. van der Gaast, D. C. Lawrence, and W. Kumari, "Client Subnet in DNS Queries," https://datatracker.ietf.org/doc/rfc7871/, 2016.