Assessing the Privacy Benefits of Domain Name Encryption

Hoang, Nguyen Phong; Niaki, Arian Akhavan; Borisov, Nikita; Gill, Peter; Polychronakis, Michalis

doi:10.1145/3320269.3384728

Cited by 24 publications

(15 citation statements)

References 66 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The DNS traffic leaks were evaluated in [17]. Papers [18][19][20] analyze the pros and cons of DNS traffic encryption using DNS over TLS (DoT) protocols, DNS over HTTPS (DoH). Study [18] found that even when encryption is enabled, users' data outflow through their DNS queries.…”

Section: Literature Review and Problem Statementmentioning

confidence: 99%

“…Papers [18][19][20] analyze the pros and cons of DNS traffic encryption using DNS over TLS (DoT) protocols, DNS over HTTPS (DoH). Study [18] found that even when encryption is enabled, users' data outflow through their DNS queries. In addition, it was found in [19] that doT and DoH protocols are supported by only a small number of DNS servers.…”

Section: Literature Review and Problem Statementmentioning

confidence: 99%

See 1 more Smart Citation

Development of an algorithm to protect user communication devices against data leaks

Zadereyko

Prokop

Trofymenko

et al. 2021

EEJET

View full text Add to dashboard Cite

In order to identify ways used to collect data from user communication devices, an analysis of the interaction between DNS customers and the Internet name domain space has been carried out. It has been established that the communication device's DNS traffic is logged by the DNS servers of the provider, which poses a threat to the privacy of users. A comprehensive algorithm of protection against the collection of user data, consisting of two modules, has been developed and tested. The first module makes it possible to redirect the communication device's DNS traffic through DNS proxy servers with a predefined anonymity class based on the proposed multitest. To ensure a smooth and sustainable connection, the module automatically connects to a DNS proxy server that has minimal response time from those available in the compiled list. The second module blocks the acquisition of data collected by the developers of the software installed on the user's communication device, as well as by specialized Internet services owned by IT companies. The proposed algorithm makes it possible for users to choose their preferred level of privacy when communicating with the Internet space, thereby providing them with a choice of privacy level and, as a result, limiting the possibility of information manipulation over their owners. The DNS traffic of various fixed and mobile communication devices has been audited. The analysis of DNS traffic has enabled to identify and structure the DNS requests responsible for collecting data from users by the Internet services owned by IT companies. The identified DNS queries have been blocked; it has been experimentally confirmed that the performance of the basic and application software on communication devices was not compromised.

show abstract

Section: Literature Review and Problem Statementmentioning

confidence: 99%

Section: Literature Review and Problem Statementmentioning

confidence: 99%

Development of an algorithm to protect user communication devices against data leaks

Zadereyko

Prokop

Trofymenko

et al. 2021

EEJET

View full text Add to dashboard Cite

show abstract

“…Our threat model is oblivious to the relationship between hosting providers and operators of the recursor, who may be the same entity. Nonetheless, we consider this relationship as an orthogonal problem due to the current state of web co-location, in which the vast majority of web servers are hosted by only a handful of hosting providers [42], among which Google and Cloudflare are dominant [14]. For example, with our K-resolver mechanism, the domain name of a website may be resolved by a recursor that does not belong to Google or Cloudflare.…”

Section: Threat Modelmentioning

confidence: 99%

“…The rapid development and deployment of DoH/DoT has attracted many researchers to study these new protocols. Recent studies mainly investigate two aspects of DoH/DoT: privacy [4,14,18,36] and performance [3,6,30].…”

Section: Related Workmentioning

confidence: 99%

“…In terms of user privacy, researchers aim to tackle two types of adversaries. The first type includes "nosy" on-path observers, who have the privilege to monitor the encrypted traffic between the user and the DoH/DoT server, trying to predict the website being visited by the user using different traffic fingerprinting techniques [4,14,18]. The second type of adversary is located at the recursor, such as compromised or malicious recursors that have illicit intentions to use of the user's online history [36].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

K-resolver: Towards Decentralizing Encrypted DNS Resolution

Hoang¹,

Lin²,

Ghavamnia³

et al. 2020

Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web

Self Cite

View full text Add to dashboard Cite

Centralized DNS over HTTPS/TLS (DoH/DoT) resolution, which has started being deployed by major hosting providers and web browsers, has sparked controversy among Internet activists and privacy advocates due to several privacy concerns. This design decision causes the trace of all DNS resolutions to be exposed to a third-party resolver, different than the one specified by the user's access network. In this work we propose K-resolver, a DNS resolution mechanism that disperses DNS queries across multiple DoH resolvers, reducing the amount of information about a user's browsing activity exposed to each individual resolver. As a result, none of the resolvers can learn a user's entire web browsing history. We have implemented a prototype of our approach for Mozilla Firefox, and used it to evaluate the performance of web page load time compared to the default centralized DoH approach. While our K-resolver mechanism has some effect on DNS resolution time and web page load time, we show that this is mainly due to the geographical location of the selected DoH servers. When more well-provisioned anycast servers are available, our approach incurs negligible overhead while improving user privacy.

show abstract