DNS PREFETCHING: WHEN GOOD THINGS GO BAD Srinivas Krishnan and - - PowerPoint PPT Presentation

SLIDE 1

DNS PREFETCHING: WHEN GOOD THINGS GO BAD

Srinivas Krishnan and Fabian Monrose

SLIDE 2

Information quest

1980 1990 2000 2010

Timeline

SLIDE 3

Information quest

1980 1990 2000 2010

Timeline

Latency: Hours Minutes Seconds

SLIDE 5

Information quest

1980 1990 2000 2010

Timeline

Latency: Hours Minutes Seconds Milliseconds

SLIDE 6

Browser Wars

Render Scripting

SLIDE 7

Browsing and DNS

[Diagram labels: DNS Server, Cache (x4), root ., cnn.com / dmtns07.turner.com, unc.edu / ns2.unc.edu., cs.unc.edu / bristol.cs.unc.edu., www.unc.edu]

Cache entry format: <domain> <A, CNAME, NS> <TTL> <meta>

unc.edu NS 86400 ns2.unc.edu
ns2.unc.edu A 86400 152.2.253.100
unc.edu A 86400 152.19.240.120

SLIDE 8

DNS Optimization

  • Proactive DNS pre-resolutions
  • Two basic approaches:
      ◦ Guess as the user types
      ◦ Fetch <href> links from a rendered page
  • Focus on reducing user perceived latency

SLIDE 9

DNS PRE-RESOLUTION

DNS Server

Cache

www.google.com CNAME 586186 www.l.google.com

www.l.google.com A 60 www.l.google.com

Gambling Addiction

SLIDE 10

DNS PRE-RESOLUTION

DNS Server

Cache

www.google.com CNAME 586186 www.l.google.com

www.l.google.com A 60 www.l.google.com

sac.edu

Gambling Addiction

SLIDE 11

DNS PRE-RESOLUTION

DNS Server

Cache

www.google.com CNAME 586186 www.l.google.com

www.l.google.com A 60 www.l.google.com

sac.edu A 73136

sac.edu

Gambling Addiction

SLIDE 12

DNS PRE-RESOLUTION

DNS Server

Cache

www.google.com CNAME 586186 www.l.google.com

www.l.google.com A 60 www.l.google.com

sac.edu A 73136

Prefetching

gamblersanonymous.org. A 73416
casinogambling.about.com. CNAME 900
treatment-centers.net. CNAME 3600
robertperkinson.com. A 86400
en.wikipedia.org. CNAME 1052
ncpgambling.org. A 73416
helpguide.org. A 73340
gamblingaddiction.org. A 3600

sac.edu

Gambling Addiction

SLIDE 13

Privacy Threat

  • Reconnaissance of an enterprise
  • Ability to track users
  • Exploit:
  • Ability to probe a DNS server to infer cache hits.
  • Online probes with target search
  • Offline probe with no prior knowledge

SLIDE 14

Online Probing

  • Build a profile of target search
  • Use cache snooping
  • Check for presence of profile
  • Report

Was a target search performed by a client?

SLIDE 15

Building a Profile

www.howstuffworks.com.
ama-assn.org
learn.genetics.utah.edu.
www.humancloning.org.
www.time.com.
www.ornl.gov.
en.wikipedia.org
www.globalchange.com
www.ncsl.org

SLIDE 16

Building a Profile

Domains MinTTL

Decay Curve

howstuffworks.com.
ama-assn.org
genetics.utah.edu.
humancloning.org.
time.com.
ornl.gov.
en.wikipedia.org
globalchange.com
ncsl.org

SLIDE 17

Building a Profile

Domains MinTTL

Decay Curve

ama-assn.org.
genetics.utah.edu.
humancloning.org.
ornl.gov.
globalchange.com
ncsl.org

SLIDE 18

Building a Profile

Domains MinTTL

Decay Curve

ama-assn.org.
genetics.utah.edu.
humancloning.org.
ornl.gov.
globalchange.com
ncsl.org

ama-assn.org        1800
genetics.utah.edu.  3600
humancloning.org    3600
ornl.gov            86400
globalchange.com    600
ncsl.org            86400

[Figure: decay curve for "Human Cloning"; y-axis: Accuracy, x-axis: Time in Cache]

SLIDE 19

Building a Profile

Decay Curve

[Figure: decay curve for "Human Cloning"; y-axis: Accuracy, x-axis: Time in Cache]

Get Scan Rate

95%  5 Mins
90%  10 Mins
80%  20 Mins
75%  30 Mins
50%  60 Mins

SLIDE 20

Probe

DNS Server Attacker

genetics.utah.edu ?

Cache Hit

ama-assn.org.
genetics.utah.edu.
humancloning.org.
ornl.gov.
globalchange.com
ncsl.org

SLIDE 21

Probe

DNS Server Attacker

ama-assn.org. ?
genetics.utah.edu. ?
humancloning.org. ?
ornl.gov.
globalchange.com ?
ncsl.org ?

ama-assn.org.
genetics.utah.edu.
humancloning.org.
ornl.gov.
globalchange.com
ncsl.org

SLIDE 22

Probe

Confidence = % of Elements with same age

Domain              Current TTL  Auth TTL  Age
ama-assn.org        1498         1800      302
genetics.utah.edu.  3298         3600      302
humancloning.org    3301         3600      299
ornl.gov            86099        86400     301
globalchange.com    298          600       302
ncsl.org            86101        86400     299
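
The age and confidence arithmetic from this slide, as an added example (not code from the presentation), useful for judging what the cache of a resolver you operate reveals. The 5-second tolerance and the median as reference age are assumptions, since the slide does not define "same age"; the second data set is constructed.

```python
from statistics import median

# Rows from the slide: (domain, current TTL seen in the cache, authoritative TTL).
SLIDE_ROWS = [
    ("ama-assn.org", 1498, 1800),
    ("genetics.utah.edu.", 3298, 3600),
    ("humancloning.org", 3301, 3600),
    ("ornl.gov", 86099, 86400),
    ("globalchange.com", 298, 600),
    ("ncsl.org", 86101, 86400),
]

# Constructed variant: ncsl.org was cached by an unrelated, much earlier lookup.
CONSTRUCTED_ROWS = SLIDE_ROWS[:-1] + [("ncsl.org", 46400, 86400)]


def entry_age(current_ttl, auth_ttl):
    """Seconds since the record entered the cache (Auth TTL - Current TTL)."""
    if not 0 <= current_ttl <= auth_ttl:
        # A resolver that caps or rewrites TTLs breaks the subtraction.
        raise ValueError("current TTL must lie between 0 and the authoritative TTL")
    return auth_ttl - current_ttl


def profile_confidence(rows, tolerance=5):
    """Return (confidence, ages): the fraction of profile entries whose age is
    within `tolerance` seconds of the median age, plus the per-domain ages.
    Tolerance and median are assumptions; the slide only says "same age"."""
    if not rows:
        return 0.0, {}
    ages = {domain: entry_age(cur, auth) for domain, cur, auth in rows}
    reference = median(ages.values())
    matching = [d for d, a in ages.items() if abs(a - reference) <= tolerance]
    return len(matching) / len(ages), ages


if __name__ == "__main__":
    for label, rows in (("slide", SLIDE_ROWS), ("constructed", CONSTRUCTED_ROWS)):
        confidence, ages = profile_confidence(rows)
        print(f"{label}: confidence={confidence:.2f} ages={ages}")
```

Entries that share an age were cached together, which is what a single prefetching page load produces; an entry cached independently falls outside the cluster and lowers the score.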

SLIDE 23

And if we had access to logs?

  • Can we extract all searches?

SLIDE 24

DNS Cache: privacy leaks

Goal: Reconstruct Search Term from DNS Cache

Cluster By Age

steroid.com 600s
steroidsinbaseball.net 598s
baseballsteroidera.com 602s

Extract Keywords

steroid
steroid, baseball
steroid, baseball, era

Rank Search Term n-Suggest

(1) steroid (2) baseball (3) era steroid baseball steroid baseball baseball steroids steriod baseball era

SLIDE 25

Case I: Preliminary Results

Target DNS Server

~500 Clients

Inject Queries

Control DNS Server

  • 50 queries
  • Over 4 hours
  • Variable scan rate

SLIDE 26

Case I: Preliminary Results

Target DNS Server

~500 Clients

Inject Queries

Control DNS Server

Build Profile

  • 50 queries
  • Over 4 hours
  • Variable scan rate

SLIDE 27

Case I: Preliminary Results

Target DNS Server

~500 Clients

Inject Queries

Control DNS Server

Probe Server @Scan Rate

  • 50 queries
  • Over 4 hours
  • Variable scan rate

SLIDE 28

Selected Results

[Figure: Achieved Accuracy vs. Scan Rate (Minutes); series: Gay Rights, Gambling Addiction, Racism in America, Genetic Engineering]

Scan Rate  Average Accuracy
10 Mins    90%
30 Mins    85%
60 Mins    65%

SLIDE 29

Case II: Preliminary results

Target DNS Server

~500 Clients

Inject Queries

  • 50 queries
  • Over 24 hours

Disk

Cache Snapshot @5 mins Collect Data

SLIDE 30

Case II: Preliminary results

Target DNS Server

~500 Clients

Inject Queries

  • 50 queries
  • Over 24 hours

Disk

Cache Snapshot @5 mins Reconstruct

SLIDE 31

Snapshot of Results

gambling addiction gambling age addict alcohol withdrawal symptoms alcoholics anonymous alcohol poisoning gunbroker guns for sale

  • racism america

racism today racism facts biological warfare weapons

  • Gambling Addiction

Alcohol Withdrawal Syndrome Gun Control Racism In America Biological Weapons First Guess Second Guess Third Guess Actual Query

SLIDE 32

Limitations

  • Current profiles are non-adaptive, hence searches on “hot topics” will lead to high false negatives
  • Similarly, if the majority of prefetched domains do not have identifiable keywords, search reconstruction will fail

SLIDE 33

Summary

  • Wide-scale study required to fully gauge the effect of DNS prefetching (w.r.t. its privacy implications)
  • Effect on DNS server load remains unclear
  • Reduction of user-perceived latency at the cost of privacy
  • Primary focus is to foster discussion on the effects of DNS prefetching

SLIDE 34

Questions
