CISPA

Padding Ain't Enough: Assessing the Privacy Guarantees of Encrypted DNS

conference contribution
posted on 2023-11-29, 18:13, authored by Jonas Bushart and Christian Rossow
DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt DNS to guard user privacy by hiding DNS resolutions from passive adversaries. Yet, past attacks have shown that encrypted DNS is still susceptible to traffic analysis. As a consequence, RFC 8467 proposes to pad messages prior to encryption, which substantially reduces the distinguishing characteristics of encrypted traffic. In this paper, we show that padding alone is insufficient to counter DNS traffic analysis. We propose a novel traffic analysis method that combines size and timing information to infer the websites a user visits, based purely on encrypted and padded DNS traces. To this end, we model DNS Sequences that capture the complexity of websites, which usually trigger dozens of DNS resolutions rather than a single DNS transaction. A closed-world evaluation based on the Tranco top-10k websites reveals that attackers can deanonymize test traces for 86.1 % of all websites, and even correctly label all traces for 65.9 % of the websites. Our findings undermine the privacy goals of state-of-the-art message padding strategies in DoT/DoH. We conclude by showing that successful mitigations against such attacks have to remove the entropy of inter-arrival timings between query responses.

History

Preferred Citation

Jonas Bushart and Christian Rossow. Padding Ain't Enough: Assessing the Privacy Guarantees of Encrypted DNS. In: USENIX Workshop on Free and Open Communications on the Internet (FOCI). 2020.

Primary Research Area

  • Threat Detection and Defenses

Secondary Research Area

  • Algorithmic Foundations and Cryptography

Name of Conference

USENIX Workshop on Free and Open Communications on the Internet (FOCI)

Legacy Posted Date

2020-08-12

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3165,
  title     = "Padding Ain't Enough: Assessing the Privacy Guarantees of Encrypted DNS",
  author    = "Bushart, Jonas and Rossow, Christian",
  booktitle = "{USENIX Workshop on Free and Open Communications on the Internet (FOCI)}",
  year      = "2020",
}
