DNS Privacy Workshop 2021

We designed DNSCheck, an active network experiment to detect the blocking of DoT/DoH services. We implemented DNSCheck into OONI Probe, the network-interference measurement tool we develop since 2012. We compiled a list of popular DoT/DoH services and ran DNSCheck measurements with help from volunteer OONI Probe users. We present preliminary results from measurements in Kazakhstan (AS48716), Iran (AS197207), and China (AS45090). We tested 123 DoT/DoH services, corresponding to 461 TCP/QUIC endpoints. We found endpoints to fail or succeed consistently. In AS197207 (Iran), 50% of the DoT endpoints seem blocked. Otherwise, we found that more than 80% of the tested endpoints were always reachable. The most frequently blocked services are Cloudflare’s and Google’s. In most cases, attempting to reach blocked endpoints failed with a timeout. We observed timeouts connecting, during, and after the TLS handshake. TLS blocking depends on either the SNI or the destination endpoint.

Users of DNS over cleartext UDP port 53 (Do53) — i.e. most users of the internet — are at risk from specified privacy and integrity threats, not all of which risks are mitigated by authoritative content signature schemes such as DNSSEC. DNS-over-TLS (DoT) by design does not address several of these risks. DNS-over-HTTPS (DoH) obviates many but not all of the risks, and its transport protocol (i.e. HTTPS) raises historical concerns of privacy due to (e.g.) "cookies." The Tor Network exists to provide TCP circuits with some freedom from tracking, surveillance, and blocking.

Thus: In combination with Tor, DoH, and the principle of "Don't Do That, Then" (DDTT) to mitigate request fingerprinting, I describe DNS over HTTPS over Tor (DoHoT).

Since February 2020, using off-the-shelf open-source software, I have provided DoHoT to my home network. A dnscrypt-proxy caching resolver presents locally as a Do53 resolver that is exclusively configured to make outbound resolution DoH calls over Tor. I have — aside from necessary heartbeats and bootstrap — blocked all outbound port 53 & 853 traffic at my firewall, in order to prevent leaks. I have not sought to prevent other forms of DoH traffic because I am less interested in the challenge of constraining name resolution than I am in enhancing its privacy and integrity.

After an initial five months of testing, tuning, selection of DoH servers, and being forgotten about in the light of world news, in the subsequent seven months (ending February 2021) the DoHoT system has issued more than 1.6 million DoH requests over Tor to a pool of 9 public DoH resolvers, and served an additional 773k responses to clients from cached results. I share performance statistics, a list of technical prejudices that I was told to expect, describe my failure (for the most part) to experience them, and a summary of the experiences of two people relying entirely upon this system for work and personal life during COVID-19 "lockdown".

Domain Name System (DNS) queries map domains that are readable by humans into their corresponding IP addresses. As a way of mitigating the privacy risks associated with DNS queries, protocols such as DNS over HTTPS (DoH) and DNS over TLS (DoT) have been adopted by many major browsers and operating systems. In this paper we present the results of a small-scale online survey with the goal of probing users’ sentiments on Private DNS in Android 9 Pie as well as DoH in Firefox. As many users decide to stick with the default setting, it becomes paramount developers choose defaults that benefit users. While many users choose to stick with the default setting, even given additional information, there are users who would change their DNS settings when given information on what the specific settings actually do. We also see that users believe DNS settings accomplish one thing, but actually the settings do something else. Finally, the survey uncovered interesting trends in users’ knowledge of and trust in DNS service providers.

In conventional DNS, or Do53, requests and responses are sent in cleartext. Thus, DNS recursive resolvers or any on-path adversaries can access privacy-sensitive information. To address this issue, several encryption-based approaches (e.g., DNS-over-HTTPS) and proxy-based approaches (e.g., Oblivious DNS) were proposed. However, encryption-based approaches put too much trust in recursive resolvers. Proxy-based approaches can help hide the client’s identity, but sets a higher deployment barrier while also introducing noticeable performance overhead. We propose PINOT, a packet-header obfuscation system that runs entirely in the data plane of a programmable network switch, which provides a lightweight, low-deployment-barrier anonymization service for clients sending and receiving DNS packets. PINOT does not require any modification to the DNS protocol or additional client software installation or proxy setup. Yet, it can also be combined with existing approaches to provide stronger privacy guarantees. We implement a PINOT prototype on a commodity switch, deploy it in a campus network, and present results on protecting user identity against public DNS services.