Privacy Vulnerabilities in ``Smart'' DNS Services

Holes in the Geofence: Privacy Vulnerabilities in “Smart” DNS Services∗

Rahel A. Fainchtein∗, Adam J. Aviv+, Micah Sherr∗, Stephen Ribaudo∗, Armaan Khullar∗
∗ Georgetown University, + The George Washington University

arXiv:2012.07944v1 [cs.CR] 14 Dec 2020

∗ A shorter version of this paper appears in Proceedings on Privacy Enhancing Technologies (PoPETS), July 2021.

Abstract

Smart DNS (SDNS) services advertise access to geofenced content (typically, video streaming sites such as Netflix or Hulu) that is normally inaccessible unless the client is within a prescribed geographic region. SDNS is simple to use and involves no software installation. Instead, it requires only that users modify their DNS settings to point to an SDNS resolver. The SDNS resolver “smartly” identifies geofenced domains and, in lieu of their proper DNS resolutions, returns IP addresses of proxy servers located within the geofence. These servers then transparently proxy traffic between the users and their intended destinations, allowing for the bypass of these geographic restrictions.

This paper presents the first academic study of SDNS services. We identify a number of serious and pervasive privacy vulnerabilities that expose information about the users of these systems. These include architectural weaknesses that enable content providers to identify which requesting clients use SDNS. Worse, we identify flaws in the design of some SDNS services that allow any arbitrary third party to enumerate these services’ users (by IP address), even if said users are currently offline. We present mitigation strategies to these attacks that have been adopted by at least one SDNS provider in response to our findings.

1 Introduction

Vantage points matter on the Internet. Websites often customize or restrict content for clients based on their network locations and perceived geographic locations. This is especially true of media streaming services such as Netflix, Hulu, Pandora, and Amazon Prime Video, that are contractually obligated to restrict audio/video content based on their users’ geographic locations. Such websites establish so-called geofences that enforce location-based access control policies by geolocating clients based on their IP addresses.

However, determined users can apply simple methods to circumvent geography-based blocking by relaying connections through a proxy server located within the fence. Commercial VPN providers describe such abilities when marketing their services [16, 43]. Free solutions such as Tor [12] and open proxies [40, 54] also enable users to bypass geofences. However, popular existing approaches demand some user expertise and often require users to download and operate specialized software. Worse, previous studies show that the use of open proxies may incur severe security and privacy risks [40, 54].

There is a growing industry of smart DNS (SDNS) providers that enable an interesting and unstudied method of circumventing geofences. SDNS is simple and does not require additional software. Instead, a user reconfigures their computer’s DNS settings to use a DNS resolver operated by an SDNS service. The SDNS resolver “smartly” identifies resolution requests for restricted domains (hereinafter, fenced sites) and returns proxy servers’ IPs in lieu of these domains’ correct IPs. The client’s machine then directs its traffic to the specified proxy server (since that is the address to which the domains resolve), which is located within the geofence. Finally, the proxy servers relay the clients’ communication to and from these requested domains. For non-geofenced (hereinafter, unfenced) sites, DNS requests are resolved correctly. Thus, the end-user needs only browse as usual; all SDNS proxy management happens (potentially unnoticed) without additional interaction.

This paper describes an exploration of the privacy and security properties of smart DNS services—to the best of our knowledge, the first such study in the open literature. Through analyzing the architecture and behavior of deployed SDNS systems, we provide descriptions of how SDNS services operate.

Our analysis also uncovers several architectural weaknesses, implementation errors, and system misconfigurations that lead to pernicious privacy leaks, and are pervasive in the SDNS ecosystem:

We demonstrate a simple technique by which any content provider could immediately identify both the use of an SDNS service to access its site, as well as the actual IP address of the requesting client. (We note that numerous content providers have already sought to crack down on SDNS use, perhaps using the technique we describe here.) This would allow the content provider to consistently identify the use of SDNS, without requiring them to continually discover and block proxy servers, and, in so doing, engage in a never-ending “whack-a-mole” arms race with SDNS providers.

More troubling, we describe a design flaw in the architecture of SDNS systems that enables content providers to enumerate the IP addresses of an SDNS service’s customers, regardless of whether they are logged in to the service’s web portal, or currently use one of its SDNS resolvers for their web browsing. And, as we show through proof-of-concept attacks, the implementations of some SDNS services allow any arbitrary third party to enumerate these SDNS services’ customers. We discuss in detail the ethical considerations of our measurements and the proof-of-concept attacks we conducted.

We also identify a number of authentication and authorization errors, coupled with misconfigurations, that effectively turn some SDNS providers into a distributed network of open proxy servers. That is, we find that several SDNS providers fail to authenticate users who access their proxies, and instead rely only on authentication at their DNS resolvers. We present simple methods for enumerating such open proxies and explain how unscrupulous users could bypass paying for SDNS services while reaping their benefits.

We further find that some SDNS providers proxy more content than advertised. SDNS providers do this by forwarding traffic for websites, for which they do not advertise support, to proxy IPs. This raises the risk of content interception, manipulation, and eavesdropping, both by the SDNS provider and along the extended Internet path this traffic now traverses.

In addition to exploring the privacy and security properties of SDNS services, we also study the landscape of SDNS operators. Our exploration of SDNS services, conducted over more than ten months, strongly suggests that the SDNS marketplace may be more consolidated than it appears. Several of the identified 25 SDNS providers are actually the same entity advertising their services under multiple distinct names and websites. Our probes also exposed the popularity of different content for SDNS providers as well as the SDNS providers themselves. Applying current virtual private server (VPS) costs and advertised SDNS plan costs, we estimate the costs and revenues of SDNS services, and find that they are immensely profitable.

Relevance to Privacy. SDNS is provided by many existing VPN providers, perhaps due to overlap in infrastructure requirements, and SDNS is often advertised alongside VPN products. The manner in which SDNS is marketed differs among providers, with some implying (falsely) that SDNS is itself a privacy-enhancing technology [35, 57, 1]. We found no instances in which SDNS providers describe any added privacy risks.

SDNS does not appear to be a niche industry. At least two SDNS providers (www.ibvpn.com and www.smartdnsproxy.com) state that they have more than one million users. Our own measurements largely support this claim.

Our main findings—SDNS customer IP addresses can be easily mined by third parties; SDNS substantially increases users’ vulnerability to eavesdropping; and content providers can trivially discover when users attempt to bypass their geofences—all threaten the privacy and/or security of SDNS customers. Although SDNS may not itself be considered a privacy-preserving technology (although it is sometimes marketed as such), the architectural and implementation weaknesses we describe in this paper are relevant to the estimated millions of SDNS users, whose use of these systems may constitute significant and (until now) unexplored privacy risks.

2 Background on DNS

DNS [42] is the mechanism by which hostnames are mapped to IP addresses to facilitate Internet routing. DNS is complex with several important nuances, but conceptually, DNS can be thought of as a distributed database, with mappings between hostnames and their IP addresses stored in zone files. Ordinarily, the owner of the domain (i.e., the party that registers the domain) effectively controls this mapping.

Users resolve—that is, translate a hostname to its IP address—by querying a DNS resolver.

name server and it is contacted in recursive queries when the answer is not cached by the other DNS resolvers. We found that all SDNS resolvers support only recursive queries.

While DNS supports both UDP and TCP, the former is much more common. DNS is typically neither authenticated nor encrypted. To address this and improve privacy and security, there are three main extensions to DNS that offer additional privacy features: DNSSEC, DNS-over-HTTPS (DoH) [31] and DNS-over-TLS (DoT) [33]. DNSSEC aims to ensure the authenticity of DNS data by incorporating a PKI and using signed and verifiable zone files. (Friedlander et al. provide a good overview of DNSSEC [22].) DNSSEC does not address confidentiality of the DNS request, merely authenticity. DoH and DoT, on the other hand, both provide confidentiality of DNS requests and responses by using TLS. Importantly, SDNS is inherently incompatible with DNSSEC (since SDNS returns modified resolution results), and we found no SDNS providers that support either DoT or DoH.

3 Related Work

There are large, organized efforts at enumerating instances of Internet censorship [6, 20, 56] and there is considerable work that examines methods of bypass-
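The resolver behaviour described in the Introduction and restated in Section 2 (a proxy address for fenced names, the honest answer for unfenced ones, hence the incompatibility with DNSSEC), modelled in Python as an added example. This is not the paper's code and not any SDNS provider's implementation. The fenced zones, proxy addresses, upstream answers and fence address block are constructed from the RFC 5737 documentation ranges, and detect_rewrite is a hypothetical client-side comparison, not a technique taken from the paper.

```python
"""Model of an SDNS resolver's answer policy (added example, not the paper's code)."""
from ipaddress import ip_address, ip_network

# Constructed data (RFC 5737 documentation ranges): fenced zones and the
# in-fence proxy address the SDNS resolver hands out for each of them.
FENCED = {
    "netflix.com": "192.0.2.10",
    "hulu.com": "192.0.2.11",
}

# Constructed "correct" answers an ordinary resolver would return.
UPSTREAM = {
    "netflix.com": "198.51.100.5",
    "www.netflix.com": "198.51.100.6",
    "hulu.com": "198.51.100.7",
    "example.org": "203.0.113.9",
    "notnetflix.com": "203.0.113.10",
}

# Constructed: address space a content provider treats as inside its geofence.
FENCE = [ip_network("192.0.2.0/24")]


def _normalize(name: str) -> str:
    """Strip a trailing dot and fold case so 'NETFLIX.COM.' matches 'netflix.com'."""
    return name.rstrip(".").lower()


def fenced_parent(qname: str, fenced=FENCED):
    """Return the fenced zone covering qname, matching only on label boundaries
    (so 'notnetflix.com' is not treated as part of 'netflix.com'), or None."""
    q = _normalize(qname)
    for zone in fenced:
        z = _normalize(zone)
        if q == z or q.endswith("." + z):
            return zone
    return None


def smart_resolve(qname: str, fenced=FENCED, upstream=UPSTREAM):
    """Answer the way an SDNS resolver does: a proxy IP for fenced names,
    the honest upstream answer for everything else.
    Returns (address or None, "proxied" | "direct" | "nxdomain")."""
    zone = fenced_parent(qname, fenced)
    if zone is not None:
        return fenced[zone], "proxied"
    addr = upstream.get(_normalize(qname))
    if addr is None:
        return None, "nxdomain"
    return addr, "direct"


def inside_fence(addr: str, fence=FENCE) -> bool:
    """Geofence check as a content provider would apply it to a source address."""
    a = ip_address(addr)
    return any(a in net for net in fence)


def detect_rewrite(sdns_answer: str, reference_answer: str) -> bool:
    """Hypothetical client-side check: does the SDNS answer differ from a
    trusted resolver's answer for the same name?"""
    return ip_address(sdns_answer) != ip_address(reference_answer)


if __name__ == "__main__":
    for name in ("www.netflix.com", "notnetflix.com", "example.org"):
        addr, how = smart_resolve(name)
        print(f"{name:18} -> {addr} ({how}); inside fence: {inside_fence(addr)}")
```

The label-boundary match matters: a naive `endswith("netflix.com")` would also redirect `notnetflix.com`, which is exactly the kind of over-proxying the paper reports. The reference-answer comparison in `detect_rewrite` is noisy in practice, since CDN-backed names legitimately resolve differently by vantage point; checking whether an answer falls inside a known proxy range, as `inside_fence` does on the provider side, is the more robust signal.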
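For the DNS background in Section 2, an added example (not from the paper) of the wire format an SDNS resolver speaks: a minimal encoder/decoder for a DNS query and an A-record response, including the RD and RA header flags that mark recursive service and a name-compression pointer in the answer section. The helper names, the transaction ID and the response bytes are constructed for illustration; addresses come from the RFC 5737 documentation ranges.

```python
"""Minimal DNS wire-format encoder/decoder (added example, not the paper's code)."""
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.netflix.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Query for an A record; rd=False asks for a non-recursive answer."""
    flags = 0x0100 if rd else 0x0000          # QR=0, opcode=0, RD is bit 8
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes):
    """Return header flags and the A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    info = {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),           # authoritative answer
        "rd": bool(flags & 0x0100),           # recursion desired (echoed)
        "ra": bool(flags & 0x0080),           # recursion available
        "rcode": flags & 0x000F,
        "answers": [],
    }
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                              # skip QTYPE + QCLASS
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            info["answers"].append((name, ".".join(str(b) for b in rdata), ttl))
    return info


def build_response(query: bytes, addr: str, ttl: int = 60,
                   aa: bool = False, ra: bool = True) -> bytes:
    """Constructed reply to `query`: one A record pointing the queried name at addr."""
    txid, qflags = struct.unpack(">HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | (0x0400 if aa else 0) | (0x0080 if ra else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 1, 0, 0)
    rdata = bytes(int(x) for x in addr.split("."))
    answer = b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + query[12:] + answer       # question section copied verbatim


if __name__ == "__main__":
    q = build_query("www.netflix.com")
    print(parse_response(build_response(q, "192.0.2.10", ttl=30)))
```

These are the same message bytes whether carried in a UDP datagram, over TCP (with a two-byte length prefix, as DoT also uses) or as a DoH `application/dns-message` body; only the transport changes. Nothing in the format binds the answer to the zone owner, which is why a resolver can substitute a proxy address and only DNSSEC validation would notice.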
