Bachelor Degree Project Current Practices for DNS Privacy

Current practices for DNS Privacy - Protection towards pervasive surveillance
Author: Songho Lee
Supervisor: Ola Flygt
Semester: VT 2019
Subject: Computer Science

Abstract
Current usage of the DNS system is a significant loophole in Internet users' privacy, as the queries and answers used to resolve a web address are in most cases not protected. The report elaborates which privacy interests Internet users have, and presents the current technologies for enhancing DNS privacy through a systematic literature review. The report also explores the limitations of the current practices and presents several proposals, such as DNS-over-Tor and methods for periodically changing the trusted recursive resolver, to mitigate those limitations.
Keywords: DNS, DNS-over-HTTPS, DNS-over-TLS, DNS Privacy

Sammanfattning (Swedish summary, translated)
The current use of the DNS system is a significant loophole for Internet users' privacy, since the queries and answers required to convert a web address into an IP address are not protected in most cases. The report identifies Internet users' privacy interests and presents the current technology aimed at improving DNS confidentiality through a systematic literature review. The report also examines the limitations of current practice and presents several proposals, such as DNS-over-Tor and methods that allow periodic change of recursive resolvers; those methods are expected to minimise privacy leaks.
Keywords: DNS, DNS-over-HTTPS, DNS-over-TLS, DNS Privacy

Preface
I express my sincere appreciation of the good diplomatic relations between the Kingdom of Sweden and the Republic of Korea, which have facilitated human resource exchange through their agreement on a working holiday programme (SÖ 2010:22), and of the generosity of Swedish legislation regarding tuition fees as dictated in Ordinance (2010:543) 2 § sub-section 4. These circumstances and help from my beloved parents enabled the financing of the studies. My gratitude also goes to my manager Patrick and the colleagues of the UMI team during my time at Ericsson, for having supported me when I decided to finish the degree project. I cannot forget to mention my friends and family members who have been emotionally supporting me throughout the process, especially Fangyan, Fengyuan, Jieun and Suryeon. Furthermore, the office door of my supervisor, Ola, has always been open for discussions, and I thank Ola for having helped me whenever I faced difficulties throughout the project.

Contents
1 Introduction
  1.1 Background
    1.1.1 DNS
    1.1.2 DNS Servers
    1.1.3 DNS Query process
    1.1.4 EDNS(0) and Client Subnet
    1.1.5 CIA-triad
  1.2 Related work
  1.3 Problem formulation
  1.4 Motivation
  1.5 Objectives
  1.6 Scope/Limitation
  1.7 Target group
  1.8 Outline
2 Method
  2.1 Systematic literature review
  2.2 Design Science
  2.3 Reliability and Validity
  2.4 Ethical considerations
3 Privacy infringement in scenarios
  3.1 Affected subjects
  3.2 Sensitive information
  3.3 Controlled disclosure
  3.4 Privacy breaching Scenarios
    3.4.1 Metadata in DNS query
    3.4.2 Impact on individuals
    3.4.3 Impact on corporates/organisations
  3.5 DNS queries as a digital fingerprint
4 Status of mitigative methods
  4.1 Encipherment of communication channels
    4.1.1 Reusing the current secure transport protocols
    4.1.2 Implementing own transport protocols
  4.2 Information redactions
  4.3 Architectural shift
5 Limitation of DNS Privacy methods
  5.1 Risk areas of DNS Privacy
  5.2 Two phases of DNS Query process
    5.2.1 Insufficient measurements on recursive-to-auth link
    5.2.2 Location of Recursive DNS resolvers
  5.3 Observation on packets' size
  5.4 Privacy leaks by Transitive trust
  5.5 Availability concerns on Oblivious DNS
  5.6 Prevalence of hierarchical DNS
  5.7 Privacy limitations of Namecoin
  5.8 Integrity limitations on decentralised approaches
  5.9 Opportunistic security
6 Evaluation of alternative approaches
  6.1 Use of Traffic anonymisation
    6.1.1 Lack of UDP support from Tor
    6.1.2 Variation of latency
    6.1.3 Tor on DNS Query Phase 1
    6.1.4 Tor on DNS Query Phase 2
  6.2 Use of multiple trusted recursive resolvers
    6.2.1 Actions required on local DNS Resolver admin
    6.2.2 Actions required on Network admin
7 Discussion
  7.1 Privacy leaking components apart from the DNS
  7.2 DNS Privacy - possible aids for the criminals
  7.3 Recursive resolver centralisation
    7.3.1 DNS Privacy promoting the use of Public DNS servers
    7.3.2 Allegations on performance decrease
  7.4 IP as a human identifiable information
  7.5 QNAME minimisation
  7.6 Vulnerability of Tor
8 Conclusion
  8.1 Scientific contribution
  8.2 Current milestone
  8.3 Future work
References
A Appendix: Test script for validating DNS Privacy
  A.1 Processing frequently visited web domain list
  A.2 Script for automating the web traffic simulation
  A.3 Common based source
B Appendix: Experiment of DNS-over-HTTPS
  B.1 Experiment background
  B.2 Experiment setup
    B.2.1 Hypothesis
  B.3 Results
    B.3.1 Firefox's DNS Lookup log
  B.4 Evaluation
    B.4.1 Possible interference caused by web automation
    B.4.2 Bootstrap procedure
    B.4.3 Unexplained causes of DoH query failures
  B.5 Conclusion of the DoH Experiments

1 Introduction
This chapter describes what the Domain Name System (DNS) is, and how the legacy design of DNS has become a privacy threat. Before discussing the privacy risks of DNS, the background section introduces the relevant structure and mechanisms. Readers already familiar with DNS and the Client Subnet function may skip to section 1.3.

1.1 Background
Digital transformation has moved online many things that, decades ago, were done in person. At work, people hold a video conference call instead of making a business trip unless the trip is necessary. When shopping, people enter credit card numbers for cross-border payments rather than visiting a bank branch to issue a cheque. In other words, the stage on which people work has shifted to cyberspace in recent decades, and the Internet has become an essential part of everyday life.

Despite the ubiquity of the Internet, users' online activities are collected under pervasive monitoring by different actors. Pervasive monitoring means a "widespread attack on privacy" [1]. Information collected in this way could lead to a breach of users' privacy, by re-identifying users based on their traffic [2], or could become an aid for launching active attacks, such as masquerading and Denial of Service (DoS). Unfortunately, the insecure architecture of the Domain Name System allows pervasive monitoring, and this should be mitigated. Before discussing the privacy problems of the DNS, the DNS and its components are introduced, since they are needed to address those problems.

1.1.1 DNS
Almost every activity on the web begins with entering a human-friendly domain name in the web browser. Once a user enters a domain name to visit a website, DNS resolves that name to the actual Internet Protocol address of the web server hosting the website. When multiple websites are hosted on a single server, the entered fully qualified domain name (FQDN) is used to differentiate the virtual hosts on that web server [3]. DNS is therefore a critical component of the Internet.

1.1.2 DNS Servers
DNS servers come in four types: the stub resolver, the recursive resolver, the authoritative server, and the forwarding DNS server. Resolvers are programmes that obtain information from name servers upon clients' requests [4]. A stub resolver is a resolver that serves as the entry point for DNS queries from applications and directs the search request to the nearest recursive resolver [5]. As it cannot complete domain name resolution by itself, a stub resolver is dependent on a recursive resolver [6]. The recursive resolver is a server which receives a DNS query from a stub resolver
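The thesis text above breaks off in the description of the recursive resolver, but the privacy point it is building towards can be made concrete. The following is an added example, not code from the thesis: it builds the wire-format query (RFC 1035 section 4.1) that a stub resolver hands to its recursive resolver, shows what a passive observer on that link recovers from the bytes when they travel as cleartext UDP, and then wraps the identical message the way DNS-over-HTTPS (RFC 8484) carries it in an HTTP GET. The domain name and transaction id are constructed sample values.

```python
"""Minimal DNS query on the wire and what an on-path observer sees.

Added illustrative code, not part of the thesis. The query format follows
RFC 1035 section 4.1; the DoH GET encoding follows RFC 8484 section 4.1.
"""
import base64
import struct


def encode_qname(name: str) -> bytes:
    """Encode "www.example.com." as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:  # RFC 1035: labels are 1..63 octets
            raise ValueError(f"bad label: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard query with RD=1 and one question in class IN (1).

    qtype 1 = A, 28 = AAAA. txid is the 16-bit transaction identifier."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def decode_qname(packet: bytes, offset: int):
    """Parse a label sequence starting at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointers do not occur in a question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def observe_query(packet: bytes) -> dict:
    """Everything a passive observer (Wi-Fi operator, ISP, any router on the
    stub-to-recursive or recursive-to-authoritative link) recovers from an
    unencrypted query: the full QNAME is sitting in cleartext after the header."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_qname(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {
        "txid": txid,
        "qname": qname,
        "qtype": qtype,
        "qclass": qclass,
        "recursion_desired": bool(flags & 0x0100),
    }


def doh_get_path(packet: bytes) -> str:
    """Same wire-format bytes carried by DNS-over-HTTPS: base64url without
    padding in the "dns" query parameter. The DNS message itself is unchanged;
    confidentiality against the observer comes only from the TLS session."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + encoded


def doh_decode_path(path: str) -> bytes:
    """What the DoH server does with the GET parameter: restore padding, decode."""
    param = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    pkt = build_query("www.example.com")  # constructed sample name
    print("wire bytes:", pkt.hex())
    print("observer sees:", observe_query(pkt))
    print("DoH GET:", doh_get_path(pkt))
    print("server decodes identical message:", doh_decode_path(doh_get_path(pkt)) == pkt)
```

Running the script shows the name `www.example.com` readable directly in the hex dump at offset 12, which is the loophole the abstract refers to; the DoH path carries exactly the same bytes, so the encrypted transports compared in later chapters protect the channel rather than the message, and whoever operates the recursive resolver still sees every query.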