How Private is Android’s Private DNS Setting? Identifying Apps by Encrypted DNS Traffic

Abstract: DNS over TLS (DoT) and DNS over HTTPS (DoH) promise to improve privacy and security of DNS by encrypting DNS messages, especially when messages are padded to a uniform size. Firstly, to demonstrate the limitations of recommended padding approaches, we present Segram, a novel app fingerprinting attack that allows adversaries to infer which mobile apps are executed on a device. Secondly, we record traffic traces of 118 Android apps using 10 differnet DoT/DoH resolvers to study the effectiveness of Segram under d… Show more

“…Apart from website fingerprinting, Segram, as presented in [85], is able to identify Android applications for smartphones and IoT devices used by clients through the analysis of their DoT or DoH traffic. Apart from website fingerprinting, Segram [85] is able to identify Android applications for smartphones and IoT devices used by clients through the analysis of their DoT or DoH traffic.…”

“…Apart from website fingerprinting, Segram, as presented in [85], is able to identify Android applications for smartphones and IoT devices used by clients through the analysis of their DoT or DoH traffic. Apart from website fingerprinting, Segram [85] is able to identify Android applications for smartphones and IoT devices used by clients through the analysis of their DoT or DoH traffic. The authors used the n-grams of DNS sequences (message sizes and interarrival time) as primary features of their classification model, which outperforms their counterparts [103] employing other features such as n-grams of TLS record sizes and burst lengths.…”

“…The authors used the n-grams of DNS sequences (message sizes and interarrival time) as primary features of their classification model, which outperforms their counterparts [103] employing other features such as n-grams of TLS record sizes and burst lengths. More specifically, their developed model achieved more than 90% accuracy on the traffic traces (publicly available at [82]) of 118 Android apps from ten DoT/DoH resolvers.…”

“…In addition, a feature that can be computed but leads to relatively poor classification performance (i.e., accuracy less than 80% as reported by the respective literature) is marked as "not effective" in Table 10. For example, as stated in [85],…”

“…Key features and their applicability & effectiveness (reported in[59,85,103]) for user profiling when extracted from padded/unpadded DoT/DoH traffic.…”

A Survey on DNS Encryption: Current Development, Malware Misuse, and Inference Techniques

“…Apart from website fingerprinting, Segram, as presented in [85], is able to identify Android applications for smartphones and IoT devices used by clients through the analysis of their DoT or DoH traffic. Apart from website fingerprinting, Segram [85] is able to identify Android applications for smartphones and IoT devices used by clients through the analysis of their DoT or DoH traffic.…”

“…Apart from website fingerprinting, Segram, as presented in [85], is able to identify Android applications for smartphones and IoT devices used by clients through the analysis of their DoT or DoH traffic. Apart from website fingerprinting, Segram [85] is able to identify Android applications for smartphones and IoT devices used by clients through the analysis of their DoT or DoH traffic. The authors used the n-grams of DNS sequences (message sizes and interarrival time) as primary features of their classification model, which outperforms their counterparts [103] employing other features such as n-grams of TLS record sizes and burst lengths.…”

“…The authors used the n-grams of DNS sequences (message sizes and interarrival time) as primary features of their classification model, which outperforms their counterparts [103] employing other features such as n-grams of TLS record sizes and burst lengths. More specifically, their developed model achieved more than 90% accuracy on the traffic traces (publicly available at [82]) of 118 Android apps from ten DoT/DoH resolvers.…”

“…In addition, a feature that can be computed but leads to relatively poor classification performance (i.e., accuracy less than 80% as reported by the respective literature) is marked as "not effective" in Table 10. For example, as stated in [85],…”

“…Key features and their applicability & effectiveness (reported in[59,85,103]) for user profiling when extracted from padded/unpadded DoT/DoH traffic.…”

A Survey on DNS Encryption: Current Development, Malware Misuse, and Inference Techniques

Inferring mobile applications usage from DNS traffic

A Novel Method with Transformers for Fine-grained Encrypted Traffic Classification