DNS PREFETCHING: WHEN GOOD THINGS GO BAD
Srinivas Krishnan and Fabian Monrose
1
1 Information quest
1980 1990 2000 2010
Timeline
2
2 Information quest
1980 1990 2000 2010 Latency: Hours Minutes Seconds
Timeline
2
2 Information quest
1980 1990 2000 2010 Latency: Hours Minutes Seconds
Timeline
2
2 Information quest
1980 1990 2000 2010 Latency: Hours Minutes Seconds Milliseconds
Timeline
2
2 Browser Wars
Scripting Render
3
3 Browsing and DNS
Cache www.unc.edu
root Cache .
DNS dmtns07.turner.com ns2.unc.edu. Server cnn.com unc.edu
bristol.cs.unc.edu. cs.unc.edu unc.edu NS 86400 ns2.unc.edu Cache Cache ns2.unc.edu A 86400 152.2.253.100 unc.edu A 86400 152.19.240.120
4
4 DNS Optimization
• Proactive DNS pre-resolutions
• Two basic approaches:
• Guess as the user types
• Fetch
• Focus on reducing user perceived latency
5
5 DNS PRE-RESOLUTION Gambling Addiction www.google.com CNAME 586186 www.l.google.com
DNS www.l.google.com A 60 www.l.google.com Server
Cache
6
6 DNS PRE-RESOLUTION Gambling Addiction www.google.com CNAME 586186 www.l.google.com
DNS www.l.google.com A 60 www.l.google.com Server sac.edu
Cache
6
6 DNS PRE-RESOLUTION Gambling Addiction www.google.com CNAME 586186 www.l.google.com
DNS www.l.google.com A 60 www.l.google.com Server sac.edu A 73136 sac.edu
Cache
6
6 DNS PRE-RESOLUTION Gambling Addiction www.google.com CNAME 586186 www.l.google.com
DNS www.l.google.com A 60 www.l.google.com Server sac.edu A 73136 sac.edu gamblersanonymous.org. A 73416 casinogambling.about.com.CNAME 900 treatment-centers.net. CNAME 3600 robertperkinson.com. A 86400 Cache en.wikipedia.org. CNAME 1052 ncpgambling.org. A 73416, helpguide.org. A 73340 gamblingaddiction.org. A 3600
Prefetching
6
6 Privacy Threat
• Reconnaissance of an enterprise
• Ability to track users
• Exploit:
• Ability to probe a DNS server to infer cache hits.
• Online probes with target search
• Offline probe with no prior knowledge
7
7 Online Probing
Was a target search performed by a client ?
• Build a profile of target search
• Use cache snooping
• Check for presence of profile
• Report
8
8 Building a Profile
www.howstuffworks.com. ama-assn.org learn.genetics.utah.edu. www.humancloning.org. www.time.com. www.ornl.gov. en.wikipedia.org www.globalchange.com www.ncsl.org 9
9 Building a Profile
Domains MinTTL Decay Curve howstuffworks.com. ama-assn.org genetics.utah.edu. humancloning.org. time.com. ornl.gov. en.wikipedia.org globalchange.com ncsl.org
10
10 Building a Profile
Domains MinTTL Decay Curve ama-assn.org. genetics.utah.edu. humancloning.org. ornl.gov. globalchange.com ncsl.org
10
10 Building a Profile
Domains MinTTL Decay Curve Human Cloning 1.0 ama-assn.org 1800 ama-assn.org. .9 genetics.utah.edu. 3600 A .8 genetics.utah.edu. c .7 humancloning.org 3600 c humancloning.org. u .6 ornl.gov 86400 r .5 ornl.gov. a globalchange.com 600 c .4 globalchange.com y .3 ncsl.org 86400 ncsl.org .2 .1 .0 0 3 10 38 97 209 Time in Cache
10
10 Building a Profile
Decay Curve Get Scan Rate
Human Cloning 1.0 .9 95% 5 Mins A .8 90% 10 Mins c c .7 80% 20 Mins u .6 r 75% 30 Mins a .5 50% 60 Mins c .4 y .3 .2 .1 .0 0 3 10 38 97 209 Time in Cache
11
11 Probe
Attacker ama-assn.org. genetics.utah.edu ? genetics.utah.edu. DNS Server humancloning.org. ornl.gov. globalchange.com ncsl.org Cache Hit
12
12 Probe ama-assn.org. ? Attacker genetics.utah.edu.? ama-assn.org. humancloning.org. ? genetics.utah.edu. ornl.gov. DNS Server humancloning.org. globalchange.com ? ornl.gov. ncsl.org ? globalchange.com ncsl.org
12
12 Probe
Confidence = % of Elements with same age Current Auth Domain Age TTL TTL ama-assn.org 1498 1800 302 genetics.utah.edu. 3298 3600 302 humancloning.org 3301 3600 299 ornl.gov 86099 86400 301 globalchange.com 298 600 302 ncsl.org 86101 86400 299
12
12 And if we had access to logs ?
•Can we extract all searches ?
13
13 DNS Cache: privacy leaks Goal: Reconstruct Search Term from DNS Cache
Cluster By Extract Search Age Keywords Term Rank n-Suggest steroid.com 600s steroid (1) steroid steroid steroidsinbaseball.net 598s steroid, baseball (2) baseball baseball baseballsteroidera.com 602s steroid, baseball, era (3) era
steroid baseball baseball steroids steriod baseball era
14
14 Case I: Preliminary Results ~500 Clients
Target Control DNS DNS Server Server
•50 queries •Over 4 hours Inject Queries •Variable scan rate
15
15 Case I: Preliminary Results ~500 Clients
Target Control DNS DNS Server Server
Build Profile •50 queries •Over 4 hours Inject Queries •Variable scan rate
15
15 Case I: Preliminary Results ~500 Clients
Target Control DNS DNS Server Server
Probe Server •50 queries @Scan Rate •Over 4 hours Inject Queries •Variable scan rate
15
15 Selected Results
1 Scan Rate Average Gay Rights Gambling Addiction Accuracy Racism in America Genetic Engineering 10 Mins 90% 0.9
30 Mins 85% 0.8
60 Mins 65% 0.7
Achieved Accuracy 0.6
0.5
0.4 0 10 20 30 40 50 60 70 80 90 Scan Rate (Minutes)
16
16 Case II: Preliminary results
~500 Clients Cache Snaphot @5 mins Target DNS Server
Collect Data Disk
•50 queries Inject Queries • Over 24 hours
17
17 Case II: Preliminary results
~500 Clients Cache Snaphot @5 mins Target DNS Server
Disk
•50 queries Over 24 hours Inject Queries • Reconstruct
17
17 Snapshot of Results
First Second Third Actual Query Guess Guess Guess
Gambling Addiction gambling addiction gambling age addict
Alcohol Withdrawal alcohol withdrawal alcoholics anonymous alcohol poisoning Syndrome symptoms
Gun Control gunbroker guns for sale -
Racism In America racism america racism today racism facts
Biological Weapons biological warfare weapons -
18
18 Limitations
• Current profiles are non-adaptive, hence searches on “hot topics” will lead to high false negatives
• Similarly, if majority of prefetched domains do not have identifiable keywords, search reconstruction will fail
19
19 Summary
• Wide-scale study required to fully gauge the effect of DNS prefetching (w.r.t. its privacy implications)
• Effect on DNS server load remains unclear
• Reduction of user-perceived latency at the cost of privacy
• Primary focus is to foster discussion on the effects of DNS prefetching
20
20 Questions
21
21