K-resolver: Towards Decentralizing Encrypted DNS Resolution

Hoang, Nguyen Phong; Lin, Ivan; Ghavamnia, Seyedhamed; Polychronakis, Michalis

doi:10.14722/madweb.2020.23009

Cited by 12 publications

(2 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moura et al [21] also encounter centralization in their study of DNS requests to two country code top-level domains (ccTLD), with five large cloud providers being responsible for over 30% of all queries for the ccTLDs of the Netherlands and New Zealand. Recent developments suggest that these trends could be reversed; for example, Hoang et al [12] propose and evaluate K-resolver, which distributes queries over multiple DoH recursors in Firefox, so that no single resolver can build a complete profile of the user and each recursor only learns a subset of domains the user resolved. Arkko et al propose several strategies for distributing DNS queries and discuss the performance and privacy trade-offs of each strategy [2].…”

Section: Dns Centralizationmentioning

confidence: 99%

Encryption without centralization

Hounsel

Schmitt

Borgolte

et al. 2021

Proceedings of the Applied Networking Research Workshop

View full text Add to dashboard Cite

Emerging protocols such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) improve the privacy of DNS queries and responses. While this trend towards encryption is positive, deployment of these protocols has in some cases resulted in further centralization of the DNS, which introduces new challenges. In particular, centralization has consequences for performance, privacy, and availability; a potentially greater concern is that it has become more difficult to control the choice of DNS recursive resolver, particularly for IoT devices. Ultimately, the best strategy for selecting among one or more recursive resolvers may ultimately depend on circumstance, user, and even device. Accordingly, the DNS architecture must permit flexibility in allowing users, devices, and applications to specify these strategies. Towards this goal of increased de-centralization and improved flexibility, this paper presents the design and implementation of a refactored DNS resolver architecture that allows for de-centralized name resolution, preserving the benefits of encrypted DNS while satisfying other desirable properties, including performance and privacy. CCS Concepts• Networks → Network protocol design; Network design principles.

show abstract

Section: Dns Centralizationmentioning

confidence: 99%

Encryption without centralization

Hounsel

Schmitt

Borgolte

et al. 2021

Proceedings of the Applied Networking Research Workshop

View full text Add to dashboard Cite

show abstract

“…Although privacy issues of DNS have been addressed in literature, 6,22,23 the use of MTD for user privacy protection is limited. 24 The main motivation of our work is the exploitation of the MTD for privacy enhancement.…”

Section: Introductionmentioning

confidence: 99%

Toward Domain Name System privacy enhancement using intent‐based Moving Target Defense framework over software defined networks

Hyder

Ismail

2021

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Moving Target Defense (MTD) is an active security procedure while intent-based networking (IBN) is gaining popularity as an evolving networking model. Software defined network (SDN) provides centralized network management through the control plane. In this article, a mechanism for the privacy enhancement of the Domain Name System (DNS) is proposed using intent-based MTD over SDN. DNS is a critical internet service with a high risk of privacy disclosure as it is related to user preferences. The proposed model privacy enhancement using intent-based MTD running over SDN (PEIMS) exploits IBN API of ONOS SDN controller along with Openflow flow modification for privacy enhancement. PEIMS core components include MTD application running over the ONOS SDN controller, ONOS intent-based API, and the DNS server. The notion is the protection of privacy disclosures that occur during DNS queries. PEIMS provides a dynamic port shuffling technique for mapping DNS traffic to minimize the attacker's chances of observing the DNS queries responses. The proposed model was implemented using ONOS controller, ONOS north bound intent-based API, and Mininet. The proposed model was evaluated in terms of privacy protection, attacker, and defender cost. The results showed promising trends for DNS privacy protection at a low computational cost. The work also quantified the privacy disclosures.

show abstract

Detection of NAT64/DNS64 by SRV Records: Detection Using Global DNS Tree in the World Beyond Plain-Text DNS

Hunek

Pliva

2020

Computer Networks

View full text Add to dashboard Cite

K-resolver: Towards Decentralizing Encrypted DNS Resolution

Cited by 12 publications

References 29 publications

Encryption without centralization

Encryption without centralization

Toward Domain Name System privacy enhancement using intent‐based Moving Target Defense framework over software defined networks

Detection of NAT64/DNS64 by SRV Records: Detection Using Global DNS Tree in the World Beyond Plain-Text DNS

Contact Info

Product

Resources

About