an end to end large scale measurement of dns over
play

An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How - PowerPoint PPT Presentation

Nov 12, 2022 •341 likes •746 views

An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come? Chaoyi Lu , Baojun Liu, Zhou Li, Shuang Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Ying Liu, Zaifeng Zhang, Jianping Wu The start of Internet activities.

  1. An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come? Chaoyi Lu , Baojun Liu, Zhou Li, Shuang Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Ying Liu, Zaifeng Zhang, Jianping Wu

  2. The start of Internet activities. ...which says a lot about you. Domain Name System 2 DNS Client Resolver Authoritative server irtf.org? 4.31.198.44 irtf.org? irtf.org? irtf.org?

  3. Where are the risks? DNS Privacy 3 DNS Client Resolver Authoritative server Eavesdropper MITM interception Rogue server

  4. People could be watching our queries. DNS Privacy 4 RFC 7626 on DNS privacy The MORECOWBELL surveillance program of NSA

  5. People could be watching our queries. And do stuff like: DNS Privacy 5 Device Fingerprinting [Chang ’15] User behavior Analysis [Kim ’15] User Tracking [Kirchler ’16]

  6. DNS Privacy: What Has Been Done? RFC 7816 RFC 8310 Usage Profile of DoT Mar. ’18 RFC 8484 DNS-over-HTTPS (DoH) Oct ’18 Jun. ’18 Mozilla’s test of DoH Mar. ’16 QNAME IETF Minimization DNS-over-QUIC, initial draft Apr. ’17 Mar. ’19 Drafts on DoH deployment DNS zone transfers using TLS, draft Nov. ’19 Feb. ’20 IETF DoH WG Sept. ’17 Three IETF WGs. Is an Attack Three standardized protocols. More implementations and tests coming... 6 IETF DPRIVE WG Sept. ’14 Before ’14 DNSCurve & DNSCrypt May. ’14 RFC 7258 Pervasive Monitoring Jan. ’15 DNS-over-DTLS NSA’s MORECOWBELL revealed RFC 7626 DNS Privacy Considerations Aug. ’15 RFC 7858 DNS-over-TLS (DoT) May. ’16 Feb. ’17 RFC 8094 ADD WG

  7. Uses TLS to wrap DNS messages. Dedicated port 853. Stub resolver update needed. Embeds DNS packets into HTTP messages. Shared port 443. More user-space friendly. DNS-over-Encryption: Standard Protocols 7 DNS-over-TLS (DoT, RFC 7858, May 2016) DNS-over-HTTPS (DoH, RFC 8484, Oct 2018)

  8. Issuing DNS-over-TLS queries with kdig. Issuing DNS-over-HTTPS queries in a browser. DNS-over-Encryption: Standard Protocols 8 https://dns.google.com/resolve?name=example.com&type=A $ kdig @1.1.1.1 +tls example.com ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-128-GCM) ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24012 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

  9. Widely getting support from the industry. The Rapid Development of DoE 9 Public DNS resolvers DNS server software Operating Systems Web Browsers

  10. Recent updates from service providers & vendors. The Rapid Development of DoE 10 Firefox: DoH by default for US users Windows: DoH available for insiders Chrome: DoH support Apple: DoT and DoH support added recently

  11. Questions: from Users’ Perspective How many DoE servers are there? Methodology: Internet-wide scanning. How are the reachability and performance of DoE servers? Methodology: Large-scale client-side measurement. What does the real-world usage of DoE look like? Methodology: Analysis on passive traffic. 11

  12. Q1: How many servers are there?

  13. DoE Server Discovery 13 DNS-over-TLS (DoT) DNS-over-HTTPS (DoH) Runs over dedicated port 853. Uses common URI templates. (e.g., /dns-query) Internet-wide Scan URL database Inspection

  14. DNS-over-TLS Resolvers Internet-wide probing with ZMap, getdns & OpenSSL. 14 Zmap Internet-wide scan Port 853 getdns DoT query OpenSSL Verify certificate chain

  15. DNS-over-TLS Resolvers Several big players dominate in the count of servers. 15 Feb ~ May ’19: ~2K open DoT resolvers in the wild.

  16. DNS-over-TLS Resolvers Several big players dominate in the count of servers. 16 Feb ~ May ’19: ~2K open DoT resolvers in the wild. Jul ’20: rises to 7.8k resolvers operated by 1.2K providers

  17. DoT Resolver Certificates Authentication relies on PKIX certificates [RFC 8310]. Invalid certificates still poses as a problem. 17 Item Jul 01, 2019 Jul 01, 2020 Resolvers that use invalid certificate 230 / 2,179 (10.6%) 2,261 / 7,857 (28.8%) � Providers that have invalid certificate 61 / 234 (26.0%) 224 / 2,261 (9.9%) �

  18. DoT Resolver Certificates Authentication relies on PKIX certificates [RFC 8310]. Invalid certificates still poses as a problem. 18 Self-signed Expired Broken certificate chains ~70% ~15% ~15% Firewalls & TLS inspection devices 1/3 expired before 2020 (As of Jul 01, 2020)

  19. DNS-over-HTTPS Providers Large-scale URL dataset inspection. May ’19: 17 providers found , mostly known in lists. 19 (DoH list maintained by the curl project) Found 2 providers beyond the list: dns.adguard.com dns.233py.com

  20. DNS-over-HTTPS Providers Large-scale URL dataset inspection. May ’19: 17 providers found , mostly known in lists. Jul ’20: 50+ URIs operated by 37 providers. � 20 https://1111.cloudflare-dns.com/dns-query https://8888.google/dns-query https://doh.defaultroutes.de/dns-query https://ns-doh.licoho.de/dns-query Examples: https://doh.360.cn/dns-query https://dohtrial.att.net/dns-query https://public.dns.iij.jp/dns-query https://doh.xfinity.com/dns-query

  21. Q2: Are popular services reachable?

  22. Reachability to DoE Servers Public DNS Proxy Network DoT, DoH DNS/TCP, nodes Exit resolver DoT, DoH 22 DNS/TCP, Proxy Super Client Measurement Measurement platform built on SOCKS5 proxy network. forward

  23. Vantage China Measurement platform built on SOCKS5 proxy network. 23 Reachability to DoE Servers 5 1 (CN) 85,122 (Censored) 2,597 Platform 166 29,622 Global AS Country IP Count of Vantage point: 114K vantage points from 2 proxy networks.

  24. Reachability to DoE Servers 24 Measurement platform built on SOCKS5 proxy network. Vantage point: 114K vantage points from 2 proxy networks. Test items on each vantage: Are public services reachable? Why do they fail? Query a controlled domain via DNS/TCP, DoT & DoH TLS certificate Open ports Webpages

  25. Reachability Test Results - by residential hijacked, e.g., Address 1.1.1.1 99.9% - 1.1% Google China 14.0% 0.2% 0.2% Quad9 0.2% 15.8% DoE is currently less interrupted by in-path devices. Google 0.1% 1.2% 16.5% Cloudflare Global DoH DoT DNS/TCP Query Failure Rate Resolver Vantage 25 ~99% global reachability. network devices.

  26. Reachability Test Results 40 23 179 (BGP) AS9870 Dong-eui University 10 161 (SNMP) AS52532 Speednet Telecomunicacoes Ldta 7 67 (DHCP) AS24835 Vodafone Data 23 (Telnet) DoE is currently less interrupted by in-path devices. AS17488 Hatheway IP Over Cable Internet 28 22 (SSH) Example client AS # Client Port open 26 Examples of 1.1.1.1 route hijacking: ~99% global reachability. AS3269 Telecom Italia S.p.a

  27. Reachability Test Results 0.2% Blocked by small timeout. DNS/53, with a queries to Forward DoH 99.9% - 1.1% Google China 14.0% 0.2% 0.2% Quad9 - DoE is currently less interrupted by in-path devices. DoT ~99% global reachability. 27 Vantage Resolver Query Failure Rate DNS/TCP DoH 15.8% Global Cloudflare 16.5% 1.2% 0.1% Google censorship.

  28. Q3: Is DoE query time tolerable?

  29. DoE lookup performance connections for subsequent lived” connection supported Cloudflare resolver: “long- kdig, Stubby, etc. Stub: supported by dig, sufficient resources.” queries as long as they have SHOULD reuse existing 29 “Clients and servers (RFC 7858, DNS-over-TLS) Implementation Specification A major influence: connection reuse . Aim: measure the relative query time of DNS and DoE. (tens of seconds)

  30. Vantage point: 8,257 proxy nodes from ProxyRack. TCP handshake DNS response DNS query DNS query TLS handshake TLS handshake TCP handshake resolver Connection reuse: only recording DNS transaction time. Public DNS node Proxy Client Measurement 30 DoE lookup performance DNS response

  31. Performance Test Results 31 Tolerable query time overhead with reused connections. On average, extra latency on the order of milliseconds.

  32. Q4: What does DoE traffic scale look like?

  33. DoE Traffic Observation 33 DNS-over-TLS (DoT) DNS-over-HTTPS (DoH) Runs over dedicated port 853. Resolver domain name (e.g., dns.google) In URI templates. ISP NetFlow dataset Passive DNS dataset

  34. DNS-over-TLS Traffic Data: 18-month NetFlow dataset from a large Chinese ISP. Scale: still less than traditional DNS, but growing. 34 DoT: 2 to 3 orders of magnitude less traffic (Early 2019)

  35. DNS-over-TLS Traffic Data: 18-month NetFlow dataset from a large Chinese ISP. > 95% netblocks: > 60% DoT traffic Top 20 netblocks: Active for < one week 35 Scale: still less than traditional DNS, but growing. Clients: centralized clients + temp users. 222.90.*.*/24 �� ����� 139.199.*.*/24 42.203.*… 1.119.*… 60.206.*.*/24 60.190.*… 110.81.*.*/24 221.238… 58.213.*.*/24 123.206… 123.244.*.*/24 218.91… 218.91…

  36. DNS-over-HTTPS Traffic Data: Passive DNS dataset, monthly query volume. Big players dominate. Also a growing trend. 36

  37. Traffic Observed by DNS Providers DoT and DoH usage has grown significantly. 37 Cloudflare: 8% of its queries are encrypted (May 2019) Qihoo 360: 360 DoH used by 1.2M clients (July 2020)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IETF Measurement Standardization LMAP (touch on IPPM) Large-Scale Measurement of Broadband

IETF Measurement Standardization LMAP (touch on IPPM) Large-Scale Measurement of Broadband

IETF Measurement Standardization LMAP (touch on IPPM) Large-Scale Measurement of Broadband Performance LMAP Standardization History Evolved out of an FCCs MBA Program - 2012 NMASOG (Next-Generation Measurement Architecture

141 views • 13 slides
Large-Scale Measurement Platforms

Large-Scale Measurement Platforms

Large-Scale Measurement Platforms cnds.eecs.jacobs-university.de/slides/2013-aims-large-scale-measurement-platforms.pdf Vaibhav Bajpai and Nikolay Melnikov {v.bajpai, n.melnikov}@jacobs-university.de AIMS 2013 Computer Networks and

817 views • 77 slides
An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come? Chaoyi Lu ,

An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come? Chaoyi Lu ,

An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come? Chaoyi Lu , Baojun Liu, Zhou Li, Shuang Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Ying Liu, Zaifeng Zhang, Jianping Wu The start of Internet activities.

721 views • 37 slides
Power-law revisited: A large scale measurement study of P2P content popularity Gyrgy Dn

Power-law revisited: A large scale measurement study of P2P content popularity Gyrgy Dn

Power-law revisited: A large scale measurement study of P2P content popularity Gyrgy Dn Niklas Carlsson School of Electrical Engineering Department of Computer Science KTH, Royal Institute of Technology University of Calgary Stockholm,

453 views • 18 slides
Understanding the Impact of Network Infrastructure Changes using Large-Scale Measurement Platforms

Understanding the Impact of Network Infrastructure Changes using Large-Scale Measurement Platforms

Understanding the Impact of Network Infrastructure Changes using Large-Scale Measurement Platforms Vaibhav Bajpai and Jrgen Schnwlder {v.bajpai, j.schoenwaelder}@jacobs-university.de AIMS 2013, Barcelona Computer Networks and Distributed

761 views • 19 slides
Large Scale Measurement Machinery ArkQueue and Scamper Tools Justin P. Rohrer Robert Beverly

Large Scale Measurement Machinery ArkQueue and Scamper Tools Justin P. Rohrer Robert Beverly

Large Scale Measurement Machinery ArkQueue and Scamper Tools Justin P. Rohrer Robert Beverly Center for Measurement and Analysis of Network Data @NPS {jprohrer,rbeverly}@nps.edu March 31, 2015 Outline Introduction ArkQueue Scamper

772 views • 33 slides
A Measurement-based Framework for Modeling, Analysis and Control of Large-Scale Power Systems

A Measurement-based Framework for Modeling, Analysis and Control of Large-Scale Power Systems

A Measurement-based Framework for Modeling, Analysis and Control of Large-Scale Power Systems using Synchrophasors Aranya Chakrabortty Electrical &amp; Computer Engineering Department North Carolina State University LCCC Workshop, Lund

666 views • 37 slides
Bridging social and physical measurement: measurement is not scale construction; measurement is

Bridging social and physical measurement: measurement is not scale construction; measurement is

Bridging social and physical measurement: measurement is not scale construction; measurement is not quantification Luca Mari Universit Cattaneo LIUC, Italy lmari@liuc.it Arctic Workshop on Measurement in Economics 14-15 December

822 views • 38 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides
Integrating national items into questionnaires of international large scale studies: The case

Integrating national items into questionnaires of international large scale studies: The case

10 13 September, 2018, Penang, Malaysia Capacity development workshop Conceptualization, Measurement and Use of Contextual Data Integrating national items into questionnaires of international large scale studies: The case of Iran Dr.

217 views • 17 slides
Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA Masters level course: Chalmers MPALG and MPSOF programmes (DAT345) GU Applied Data Science programme (DIT871) Learning outcomes include:

305 views • 18 slides
Large-scale patterns of neural activity Hjalmar K. Turesson Laboratory of Sidarta Ribeiro

Large-scale patterns of neural activity Hjalmar K. Turesson Laboratory of Sidarta Ribeiro

Large-scale patterns of neural activity Hjalmar K. Turesson Laboratory of Sidarta Ribeiro Instituto do Crebro UFRN Scales of measurement Neural activity can be measured at multiple scales. What is the best scale for relating neural

284 views • 14 slides
An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of U.S. Government Employees DC-AAPOR Summer Conference Preview/Review Bureau of Labor Statistics Conference Center Washington DC Washington, DC

1.17k views • 25 slides
How I Learned to Stop Worrying about Exascale and Love MPI (Yes, MPI is indeed da bomb!) Pavan

How I Learned to Stop Worrying about Exascale and Love MPI (Yes, MPI is indeed da bomb!) Pavan

How I Learned to Stop Worrying about Exascale and Love MPI (Yes, MPI is indeed da bomb!) Pavan Balaji Computer Scientist and Group Lead Argonne National Laboratory Separating the Myths from Real Concerns The race to Exascale started in

357 views • 23 slides
Causal Effect Evaluation and Causal Network Learning Zhi Geng Peking University, China June

Causal Effect Evaluation and Causal Network Learning Zhi Geng Peking University, China June

Causal Effect Evaluation Causal Network Learning Causal Effect Evaluation and Causal Network Learning Zhi Geng Peking University, China June 25, 2014 Zhi Geng Causal Effect Evaluation and Causal Network Learning Causal Effect Evaluation

1.14k views • 85 slides
1 = = ( ) ( ) 1 1 . s s s p s n = = 1 n p prime

1 = = ( ) ( ) 1 1 . s s s p s n = = 1 n p prime

Audrey Terras 3/3/2008 What is the Riemann Hypothesis for Zeta Functions of Irregular Graphs? Audrey Terras Audrey Terras Banff February, 2008 Joint work with H. M. Stark, M. D. Horton, etc. Introduction The Riemann zeta function for

416 views • 12 slides
Spaceland Embedding of Sparse Stochastic Graphs IEEE High Performance Extreme Computing September

Spaceland Embedding of Sparse Stochastic Graphs IEEE High Performance Extreme Computing September

Spaceland Embedding of Sparse Stochastic Graphs IEEE High Performance Extreme Computing September 25, 2019 Nikos Pitsianis 12 Alexandros-S. Iliopoulos 2 Dimitris Floros 1 Xiaobai Sun 2 1 Department of Electrical and Computer Engineering, Aristotle

625 views • 26 slides
ECSS 2017 Lisbon, 25 October Technological Development and Well-Being: Maria Isabel Aldinhas

ECSS 2017 Lisbon, 25 October Technological Development and Well-Being: Maria Isabel Aldinhas

ECSS 2017 Lisbon, 25 October Technological Development and Well-Being: Maria Isabel Aldinhas Ferreira Centre of Philosophy of the University of Lisbon and Institute for Robots and Intelligent Systems/IST University of Lisbon Lisbon. Portugal

286 views • 15 slides
Industry perspectives: What they need, research-wise and code-wise November 13 , 2013 4th NDN

Industry perspectives: What they need, research-wise and code-wise November 13 , 2013 4th NDN

Industry perspectives: What they need, research-wise and code-wise November 13 , 2013 4th NDN Project Retreat Eiichi Muramoto/ Panasonic muramoto.eiichi@jp.panasonic.com Content Who we are (Panasonic) What we did (L4) What we need

466 views • 12 slides
Me Measu sured Approa oaches s to IP IPv6 Ad Addres ess An Anonym ymiz izatio ion an

Me Measu sured Approa oaches s to IP IPv6 Ad Addres ess An Anonym ymiz izatio ion an

Me Measu sured Approa oaches s to IP IPv6 Ad Addres ess An Anonym ymiz izatio ion an and Id Iden entit ity As y Associa ciatio ion CARIS2 Workshop Cambridge, MA, 1 Mar 2019 David Plonka

1.01k views • 60 slides
Ionized Gas in the Inner 2 pc of the Milky Way Wesley Irons University of Texas Senior Advisor:

Ionized Gas in the Inner 2 pc of the Milky Way Wesley Irons University of Texas Senior Advisor:

Ionized Gas in the Inner 2 pc of the Milky Way Wesley Irons University of Texas Senior Advisor: John Lacy The Galactic Center Sgr A* (x) Circumnuclear Disk Mini-spiral Northern Arm (--) Western Arc (--) Eastern

530 views • 12 slides

More recommend