Connection-Oriented DNS to Improve Privacy and Security

Zhu, Liang; Hu, Zi; Heidemann, John; Wessels, Duane; Mankin, Allison; Somaiya, Nikita

doi:10.1109/sp.2015.18

Cited by 89 publications

(61 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…DNS-over-TLS protects privacy of DNS queries and prevents man-in-the-middle (MiTM) attacks against DNS responses. [39] also demonstrated the * Work done while visiting University of California, Irvine, as a US-UK Fulbright Cyber Security Scholar. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page.…”

Section: Introductionmentioning

confidence: 88%

“…We do not consider Denial-of-Service (DoS) attacks on RecRes, since these do not help to achieve either adversary's goal of learning clients' DNS queries. Connection-oriented RecRes-s can defend against DoS attacks using cookie-based mechanisms to prevent SYN flooding [39].…”

Section: Adversary Model and Requirements 31 Adversary Modelmentioning

confidence: 99%

“…In 2015, Zhu et al [39] proposed a DNS design that runs over Transport Layer Security (TLS) connections [13]. DNS-over-TLS protects privacy of DNS queries and prevents man-in-the-middle (MiTM) attacks against DNS responses.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

PDoT

Nakatsuka

Paverd

Tsudik

2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there is a trend to protect DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) how do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner; and (2) how can clients trust endpoints to behave as expected? In this paper, we propose a novel Private DNS-over-TLS (PDoT ) architecture.PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment (TEE). Using Remote Attestation, DNS clients can authenticate, and receive strong assurance of trustworthiness of PDoT RecRes. We provide an open-source proof-of-concept implementation of PDoT and use it to experimentally demonstrate that its latency and throughput match that of the popular Unbound DNS-over-TLS resolver. CCS CONCEPTS• Security and privacy → Web protocol security; Hardwarebased security protocols; Network security; Privacy protections.

show abstract

Section: Introductionmentioning

confidence: 88%

Section: Adversary Model and Requirements 31 Adversary Modelmentioning

confidence: 99%

See 1 more Smart Citation

PDoT

Nakatsuka

Paverd

Tsudik

2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…According to the design, TLS should be used between the client and the recursive resolver (scenario (2) in Figure 1) or, if the recursive DNS resolver is not trusted, then for end-to-end security, between the client and the name server (scenario (1) in Figure 1). The main difference between the two proposals is that [32], integrated into unbound, uses a non-DNS port for secure connections, and does not support out of order processing of the DNS requests; the technical report, [35], contains more details on the evaluation and implementation.…”

Section: Dns-over-tlsmentioning

confidence: 99%

“…In this work we focus on the proposals which aim to provide privacy to DNS packets by employing encryption, [3,4,8,21,27,32,34,35]. These proposals are on a standardisation track of the IETF and are already supported by some DNS resolvers software, e.g., unbound, [31], and by the public DNS operators, e.g., OpenDNS [28].…”

Section: Introductionmentioning

confidence: 99%

Pretty Bad Privacy

Shulman

2014

Proceedings of the 13th Workshop on Privacy in the Electronic Society

View full text Add to dashboard Cite

As awareness for privacy of Domain Name System (DNS) is increasing, a number of mechanisms for encryption of DNS packets were proposed. We study the prominent defences, focusing on the privacy guarantees, interoperability with the DNS infrastructure, and the efficiency overhead. In particular:We explore dependencies in DNS and show techniques that utilise side channel leaks, due to transitive trust, allowing to infer information about the target domain in an encrypted DNS packet.We examine common DNS servers configurations and show that the proposals are expected to encounter deployment obstacles with (at least) 38% of 50K-top Alexa domains and (at least) 12% of the top-level domains (TLDs), and will disrupt the DNS functionality and availability for clients.We show that due to the non-interoperability with the caches, the proposals for end-to-end encryption may have a prohibitive traffic overhead on the name servers.Our work indicates that further study may be required to adjust the proposals to stand up to their security guarantees, and to make them suitable for the common servers' configurations in the DNS infrastructure. Our study is based on collection and analysis of the DNS traffic of 50K-top Alexa domains and 568 TLDs.

show abstract

Toward Domain Name System privacy enhancement using intent‐based Moving Target Defense framework over software defined networks

Hyder

Ismail

2021

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Moving Target Defense (MTD) is an active security procedure while intent-based networking (IBN) is gaining popularity as an evolving networking model. Software defined network (SDN) provides centralized network management through the control plane. In this article, a mechanism for the privacy enhancement of the Domain Name System (DNS) is proposed using intent-based MTD over SDN. DNS is a critical internet service with a high risk of privacy disclosure as it is related to user preferences. The proposed model privacy enhancement using intent-based MTD running over SDN (PEIMS) exploits IBN API of ONOS SDN controller along with Openflow flow modification for privacy enhancement. PEIMS core components include MTD application running over the ONOS SDN controller, ONOS intent-based API, and the DNS server. The notion is the protection of privacy disclosures that occur during DNS queries. PEIMS provides a dynamic port shuffling technique for mapping DNS traffic to minimize the attacker's chances of observing the DNS queries responses. The proposed model was implemented using ONOS controller, ONOS north bound intent-based API, and Mininet. The proposed model was evaluated in terms of privacy protection, attacker, and defender cost. The results showed promising trends for DNS privacy protection at a low computational cost. The work also quantified the privacy disclosures.

show abstract

Connection-Oriented DNS to Improve Privacy and Security

Cited by 89 publications

References 47 publications

PDoT

PDoT

Pretty Bad Privacy

Toward Domain Name System privacy enhancement using intent‐based Moving Target Defense framework over software defined networks

Contact Info

Product

Resources

About