DNS Privacy Project

Skip to end of metadata
Go to start of metadata

Why is DNS a privacy concern?

The DNS is one of the most significant leaks of data about an individuals activity on the Internet.

Some of the issues in simple terms:

  • Almost every activity on the Internet starts with a DNS query (and often several). A key function of the DNS is to map human readable names (e.g. example.com) to IP addresses that computers need in order to connect to each other. 

  • Those queries can reveal not only what websites an individual visits but also meta data about other services such as the domains of email contacts or chat services. 

  • Whilst the data in the DNS is public, individual transactions made by an end user should not be public.

  • However DNS queries are sent in clear text (using UDP or TCP) which means passive eavesdroppers can observe all the DNS lookups performed.

  • The DNS is a globally distributed system that crosses international boundaries and often uses servers in many different countries in order to provide resilience.

  • It is well known that the NSA used the MORECOWBELL and QUANTUMDNS tools to perform covert monitoring, mass surveillance and hijacking of DNS traffic.

  • Some ISPs log DNS queries at the resolver and share this information with third-parties in ways not known or obvious to end users. 

  • Some ISPs embed user information (e.g. a user id or MAC address) within DNS queries that go to the ISPs resolver in order to provide services such as Parental Filtering. This allows for fingerprinting of individual users.

  • Some CDNs embed user information (client subnets) in queries from resolvers to authoritative servers (to geo-locate end users). This allows for correlations of queries to particular subnets.

An overview of the problems is given in this Tutorial: DNS Privacy Tutorial.

For an expert review of this topic recommended reading is DNS Privacy Considerations.

The solution?

One proposed solution is to change DNS to use TLS to send queries. TLS is an encrypted protocol (it is the same transport used for HTTPS) which will prevent passive surveillance of the network revealing users' DNS queries. This will also allow users to validate the server they choose for their DNS service to make sure they are using a provider who has a good privacy policy for how they handle user data. However this is a non-trivial change in the way DNS works and will not happen overnight. 

At the moment only a handful of experimental DNS servers support DNS-over-TLS and no desktop or mobile operating systems support DNS-over-TLS as a built-in option yet. (Many users have resorted to using Google Public DNS  on 8.8.8.8 to bypass their local ISP for censorship/surveillance reasons but sadly it doesn't support DNS-over-TLS yet.) Work is in progress on building Apps (e.g. Stubby) for end users that will enable them to choose to use DNS-over-TLS and to select the specific DNS server they want to use. 

It is possible that in future a different transport might be used for DNS (e.g. HTTPS or QUIC) but today the only method standardized by the IETF is DNS-over-TLS.

SNI

Unfortunately the Server Name Indicator header in HTTPS messages also reveals the name of the website contacted by the user so provides a similar leakage channel for web traffic as the DNS queries. However there is work underway to try to encrypt that information too. 


  • No labels
Write a comment…