Privacy-Preserving DNS Analysis of Broadcast, Range Queries and - - PowerPoint PPT Presentation



SLIDE 1

Privacy-Preserving DNS

Analysis of Broadcast, Range Queries and Mixes

Hannes Federrath, Karl-Peter Fuchs, Dominik Herrmann, Christopher Piosecny University of Hamburg (Germany)

SLIDE 2

Agenda

  • Missing Privacy in DNS
  • Characteristics of DNS Traffic
  • DNS Anonymity Service
  • Range Queries

SLIDE 3

Privacy Issue: DNS Resolver learns queries of all users

[Lu & Tsudik, 2010]

DNS Resolver

SLIDE 4

Third-party DNS Resolvers are increasing in popularity

Google, OpenDNS, Comodo, Norton DNS, ...

Advertised benefits:

SLIDE 5

Objectives for the DNS Anonymity Service

  • 1. protect privacy of users

– hide relationship between users and queries from resolver

  • 2. practicable and usable solution

– very low latency
– compatibility with existing DNS

SLIDE 6

Agenda

  • Missing Privacy in DNS
  • Characteristics of DNS Traffic
  • DNS Anonymity Service
  • Range Queries

SLIDE 7

Overview of our DNS dataset

We obtained real-life DNS traces:

  • DNS query log of a German university campus network
  • >4000 distinct users (on average 2100 active per day)

Example log entry: 1278194041.274 472_1 ad-emea.doubleclick.net A

Additionally, for each hostname we have recorded

  • TTL value
  • query and reply size
  • lookup latency (using Google’s DNS Resolver)

User ID

SLIDE 8

Characteristics of DNS traffic

[Figure, two panels. "Requests follow a power-law" (axes: Rank of Hostname, Total Number of Requests). "CDF of TTL values" (axes: TTL [seconds], Fraction of Hostnames).]

  • 80% of queries are for top 10,000 hostnames
  • regardless of TTL most RRs remain constant for a long time

SLIDE 9

Characteristics of DNS traffic

  • almost every website visit causes a DNS query burst

en.wikipedia.org geoiplookup.wikimedia.org commons.wikimedia.org el.wikipedia.org en.wikibooks.org en.wikinews.org en.wikiquote.org en.wikisource.org en.wikiversity.org en.wiktionary.org et.wikipedia.org gl.wikipedia.org lists.wikimedia.org simple.wikipedia.org species.wikimedia.org wikimediafoundation.org www.wikilovesmonuments.de en.wikipedia.org upload.wikimedia.org nn.wikipedia.org th.wikipedia.org creativecommons.org www.wikimediafoundation.org www.mediawiki.org

[Figure panels: Firefox without prefetching; Chrome with prefetching]

SLIDE 10

Agenda

  • Missing Privacy in DNS
  • Characteristics of DNS Traffic
  • DNS Anonymity Service
– Broadcast
– Mixes
  • Range Queries

SLIDE 11

Architecture of the proposed DNS Anonymity Service

  • drop-in replacement for DNS Resolver
  • two building blocks

– broadcast mechanism
– mixes cascade

SLIDE 13

Motivation for broadcasting

What if each client had a local copy of the full DNS database?

  • clients get zero lookup latency
  • all DNS queries are unobservable

We can exploit the power-law distribution of queries!

  • compromise: local copy for most popular hostnames only

Anonymity Service

  • monitors most popular hostnames for updates
  • provides full copy of database to new clients
  • broadcasts changed resource records to clients

Evaluate implementation in trace-driven simulations

[Figure labels: not practical; Central Update; Initial Download; Increm. Updates]

SLIDE 15

Broadcasting is promising and practicable

Hit Rate

  • 100 entries: 40%
  • 10,000 entries: 83.9%
  • 100,000 entries: 94.5%

Required Traffic

  • Central Update: 352 MB / day
  • Initial Download: 850 KB / client (290 KB with zlib)
  • Increm. Updates: 2.6 MB / hour and client (1.5 MB with zlib)
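
Added example, not part of the slides or the authors' simulator: one way to measure a hit rate like those above from a query log, ranking hostnames on an earlier window and replaying later queries against a local copy of the top k. The trace is constructed, and the field order (timestamp, user ID, hostname, record type) and the split into two windows are assumptions.

```python
from collections import Counter, defaultdict

# Constructed trace in the log format shown on slide 7; assumed field order:
# timestamp, user ID, hostname, record type. Two malformed lines are included.
TRACE = """\
1278194041.274 472_1 ad-emea.doubleclick.net A
1278194041.301 472_1 en.wikipedia.org A
1278194042.010 17_3 en.wikipedia.org A
1278194043.120 17_3 upload.wikimedia.org A
1278194050.500 88_2 en.wikipedia.org A
1278194051.000 88_2 ad-emea.doubleclick.net A
truncated line
not-a-time 17_3 en.wikipedia.org A
1278194100.000 472_1 en.wikipedia.org A
1278194101.000 17_3 ad-emea.doubleclick.net A
1278194102.000 17_3 other-host.example A
1278194103.000 88_2 EN.wikipedia.org. AAAA
"""

def parse(trace):
    """Yield (timestamp, user, hostname, qtype); skip malformed lines."""
    for line in trace.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2].lower().rstrip("."), parts[3]

def evaluate(trace, k, split_ts):
    """Rank hostnames on queries before split_ts, replay the later queries
    against a local copy of the top k; return (hit_rate, misses_by_user)."""
    records = list(parse(trace))
    ranking = Counter(host for ts, _, host, _ in records if ts < split_ts)
    local_copy = {host for host, _ in ranking.most_common(k)}
    hits = total = 0
    misses = defaultdict(list)  # queries that still have to leave the client
    for ts, user, host, _ in records:
        if ts < split_ts:
            continue
        total += 1
        if host in local_copy:
            hits += 1
        else:
            misses[user].append(host)
    return (hits / total if total else 0.0), dict(misses)
```

The per-user miss lists are the queries that the local copy cannot answer and that would have to be anonymised by other means.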

SLIDE 16

Anonymise remaining queries with mixes

  • Motivation:

– already deployed in practice (Tor, AN.ON)
– attacker model of practical systems reasonable for DNS

  • Performance impact: cryptographic operations, network latency
  • Implementation specifics

– channels for low latency (re-established after 60s)
– fixed-size messages (queries: 57 bytes, replies: 89 bytes) to counter traffic analysis
– Java, BouncyCastle, RSA (2048 bit), AES (128 bit OFB)

[Figure: a query (Q) passing between Stub Resolver, Mix Client, Mix 1, Mix 2, Mix 3 and Resolver]

SLIDE 17

Performance evaluation of our implementation

Trace-driven simulation using recorded lookup delays

  • 2082 concurrent users
  • 107 queries/sec
  • DNS traffic increases by 100% (240 KB per day)
  • Latency results are also promising
  • Congestion once >1000 queries/sec issued

Latency percentiles (50% / 90%):

  • without mixes: 9.2 ms / 46.2 ms
  • 3 mixes (LAN): 10.9 ms / 52.0 ms
  • 3 mixes (WAN): 171 ms / 274 ms

→ Performance of mixes appears to be satisfactory for DNS

mix-mix RTT 20ms, client-mix RTT 80ms

SLIDE 18

Agenda

  • Missing Privacy in DNS
  • Characteristics of DNS Traffic
  • DNS Anonymity Service
  • Range Queries

SLIDE 19

Related Work: Range Queries

  • hide actually desired queries using n–1 dummy queries
  • should offer low latency; but no trace-driven evaluation so far

Also related, but not of interest for us: PPDNS [Lu & Tsudik, 2010]

  • implements cPIR
  • is built on top of CoDoNS

[Figure: Stub Resolver (Query, Reply), Range Query Client and Resolver; the range query consists of Dummy 1 ... Query ... Dummy n–1 and is answered with Reply 1, Reply 2 ... Reply n]

[Zhao, 2007] [Castillo-Perez, 2008]

SLIDE 20

Trace-driven evaluation of range queries

  • We implemented a range query simulator

– clients draw n–1 dummies randomly from set of all hostnames
– range queries are compressed using zlib
– transmitted via TCP to Range Query DNS Resolver

  • Trace-driven simulation using recorded lookup delays
  • Evaluation using our DNS traces

→ traffic volume increases x4 for n=10, x24 for n=100

  • Basic implementation

– each reply is returned independently to the client
– latencies do not increase considerably, even for n=1000

  • But: attacker can exploit dependencies of consecutive queries!

SLIDE 21

Timing attack based on traffic bursts

[Figure: timeline (t) showing range queries RQ 1a and RQ 1b and replies R1 to R4, with the annotation "likely dummies"]

SLIDE 22

Preventing the timing attack

[Figure: three timelines (t) with range queries RQ 1a, RQ 1b and replies R1 to R4: the attack case with the annotation "likely dummies", and one timeline per countermeasure]

  • 1. stall desired reply
  • 2. delay consecutive query

SLIDE 23

Preventing the timing attack is expensive

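[Figure: three timelines (t) with range queries RQ 1a, RQ 1b and replies R1 to R4: the attack case with the annotation "likely dummies", and one timeline per countermeasure; annotated with median latency for n=10: 200ms, 400ms]

  • 1. stall desired reply
  • 2. delay consecutive query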

Open question: how to prevent semantic intersection attack?
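
Added example, not from the slides (the authors' range query simulator is not shown on this page): a small model of the timing leak and of the two countermeasures, returning the set of hostnames the resolver cannot rule out. Assumptions: network round-trip time is ignored, lookup delays are constructed values, and "stall desired reply" is modelled as the resolver releasing all replies together.

```python
import random

MODES = ("basic", "stall_reply", "delay_query")

def range_query(latencies, desired, mode):
    """Simulate one range query and what its timing reveals to the resolver.

    latencies: hostname -> resolver lookup delay in ms (constructed values).
    desired:   the hostname the client wants; all others are dummies.
    Returns (answer_ms, followup_ms, candidates): when the client has its
    answer, when the next range query of the burst reaches the resolver, and
    the hostnames the resolver cannot rule out. Network RTT is ignored.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    last = max(latencies.values())  # time at which the slowest lookup finishes
    if mode == "basic":
        # Replies are returned independently; the client continues the burst
        # as soon as the desired reply arrives.
        answer = followup = latencies[desired]
    elif mode == "stall_reply":
        # Countermeasure 1, modelled as: all replies are released together.
        answer = followup = last
    else:
        # Countermeasure 2: the client holds the next query until all replies are in.
        answer, followup = latencies[desired], last
    # Replies still outstanding when the follow-up arrives are likely dummies.
    candidates = {h for h, ms in latencies.items() if ms <= followup}
    return answer, followup, candidates

def mean_anonymity_set(mode, n=10, trials=1000, seed=1):
    """Average number of remaining candidates over random constructed range queries."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        lat = {f"host{i}.example": rng.uniform(5.0, 500.0) for i in range(n)}
        desired = rng.choice(sorted(lat))
        total += len(range_query(lat, desired, mode)[2])
    return total / trials

if __name__ == "__main__":
    for mode in MODES:
        print(mode, mean_anonymity_set(mode))
```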

SLIDE 24

Summary

Missing Privacy in DNS

  • queries leak to DNS Resolver
  • low-latency, practical solution

Characteristics of DNS traffic

  • power-law distribution
  • query bursts

Proposed DNS Anonymity Service

  • broadcast: zero latency + unobservability
  • mixes: satisfactory performance

Evaluation of Range Queries

  • fast for isolated queries
  • preventing timing attack is expensive

Dominik Herrmann herrmann@informatik.uni-hamburg.de