Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS

Singanamalla, Sudheesh; Chunhapanya, Suphanat; Hoyland, Jonathan; Vavruša, Marek; Verma, Tarun; Wu, Peter; Fayed, Marwan; Heimerl, Kurtis; Sullivan, Nick; Wood, Christopher A.

doi:10.2478/popets-2021-0085

Cited by 18 publications

(15 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although ODNS took an elegant approach compatible with the standard Do53, it involves a large round-trip-time (RTT) since all queries must be forwarded to the ODNS resolver, i.e., an authoritative server. Oblivious DNS over HTTPS (ODoH) [21,25] has been designed by simplifying the architecture and omitting the compatibility with Do53, and realizes a performance comparable to the standard DoH. ODoH introduces a relay called oblivious proxy that just relays encrypted queries and responses between a user and a target resolver.…”

Section: Anonymized/oblivious Dns Protocolsmentioning

confidence: 99%

“…Unlike ODNS, these schemes directly introduce intermediate relays dedicated to the schemes between users and encryption-enabled resolvers and omit the compatibility with Do53. This simplification in the architecture results in their good performance comparable to standard encrypted DNS schemes [25].…”

Section: Introductionmentioning

confidence: 99%

“…In order to resolve this second privacy concern, there have been proposed several anonymization techniques [13,15,24,25] to hide a user's IP address from a full-service resolver. Oblivious DNS (ODNS) [24] is such the first anonymization scheme, which was designed to be compatible with the standard DNS architecture.…”

Section: Introductionmentioning

confidence: 99%

“…Thus the user's address is hidden from the ODNS resolver thanks to the relay. By adopting this relay-based concept into encrypted DNS schemes [16,19], Anonymized DNSCrypt (ADNSCrypt) [13,15] and Oblivious DNS over HTTPS (ODoH) [25] have recently been introduced. Unlike ODNS, these schemes directly introduce intermediate relays dedicated to the schemes between users and encryption-enabled resolvers and omit the compatibility with Do53.…”

Section: Introductionmentioning

confidence: 99%

“…Considering the current deployment of DNS, users do not have various choices of full-service resolvers enabling DNS message encryption, and usually use ones operated by large and limited entities, e.g., Google, Cloudflare, Quad9, etc. Much like encryption-enabled resolvers, relays would be operated by such limited big players as mentioned in [25,Section 7.1]. Hence it may increase concerns about collusion and surveillance.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Mutualized oblivious DNS ($μ$ODNS): Hiding a tree in the wild forest

Kurihara,

Kubo

2021

Preprint

View full text Add to dashboard Cite

The traditional Domain Name System (DNS) lacks fundamental features of security and privacy in its design. As concerns of privacy increased on the Internet, security and privacy enhancements of DNS have been actively investigated and deployed. Specially for user's privacy in DNS queries, several relay-based anonymization schemes have been recently introduced, however, they are vulnerable to the collusion of a relay with a full-service resolver, i.e., identities of users cannot be hidden to the resolver. This paper introduces a new concept of a multiple-relay-based DNS for user anonymity in DNS queries, called the mutualized oblivious DNS (𝜇ODNS), by extending the concept of existing relay-based schemes. The 𝜇ODNS introduces a small and reasonable assumption that each user has at least one trusted/dedicated relay in a network and mutually shares the dedicated one with others. The user just sets the dedicated one as his next-hop, first relay, conveying his queries to the resolver, and randomly chooses its 0 or more subsequent relays shared by other entities. Under this small assumption, the user's identity is concealed to a target resolver in the 𝜇ODNS even if a certain (unknown) subset of relays collude with the resolver. That is, in 𝜇ODNS, users can preserve their privacy and anonymity just by paying a small cost of sharing its resource. Moreover, we present a PoC implementation of 𝜇ODNS that is publicly available on the Internet. We also show that by measurement of round-trip-time for queries, and our PoC implementation of 𝜇ODNS achieves the performance comparable to existing relay-based schemes.

show abstract

Section: Anonymized/oblivious Dns Protocolsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Mutualized oblivious DNS ($μ$ODNS): Hiding a tree in the wild forest

Kurihara,

Kubo

2021

Preprint

View full text Add to dashboard Cite

show abstract

Puncturable Pseudorandom Sets and Private Information Retrieval with Near-Optimal Online Bandwidth and Time

Shi¹,

Aqeel²,

Chandrasekaran

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

General rightsCopyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal ? Take down policyIf you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim.

show abstract