How Private is Android’s Private DNS Setting? Identifying Apps by Encrypted DNS Traffic

Authors: Michael Mühlhauser, Henning Pridöhl, Dominik Herrmann

Published in: Proceedings of the 16th International Conference on Availability, Reliability and Security

DNS over TLS (DoT) and DNS over HTTPS (DoH) promise to improve privacy and security of DNS by encrypting DNS messages, especially when messages are padded to a uniform size. Firstly, to demonstrate the limitations of recommended padding approaches, we present Segram, a novel app fingerprinting attack that allows adversaries to infer which mobile apps are executed on a device. Secondly, we record traffic traces of 118 Android apps using 10 different DoT/DoH resolvers to study the effectiveness… 

A Survey on DNS Encryption: Current Development, Malware Misuse, and Inference Techniques

A survey of the DNS encryption literature published from 2016 to 2021, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic.



Padding Ain't Enough: Assessing the Privacy Guarantees of Encrypted DNS

This paper proposes a novel traffic analysis method that combines size and timing information to infer the websites a user visits purely based on encrypted and padded DNS traces, and concludes by showing that successful mitigations to such attacks have to remove the entropy of inter-arrival timings between query responses.

Encrypted DNS -> Privacy? A Traffic Analysis Perspective

This paper examines whether encrypting DNS traffic can protect users from traffic analysis-based monitoring and censoring and shows that Tor -- which does not effectively mitigate traffic analysis attacks on web traffic -- is a good defense against DoH traffic analysis.

Recommendations for DNS Privacy Service Operators

This document presents operational, policy, and security considerations for DNS recursive resolver operators who choose to offer DNS Privacy services and presents a framework to assist writers of a DNS Recursive Operator Privacy Statement.

Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial naïve-bayes classifier

A novel method that applies common text mining techniques to the normalised frequency distribution of observable IP packet sizes and outperforms previously known methods like Jaccard's classifier and Naïve Bayes that neglect packet frequencies altogether or rely on absolute frequency values.

An investigation on information leakage of DNS over TLS

A DoT fingerprinting method is developed to analyze DoT traffic and determine if a user has visited websites of interest to adversaries and it is shown that information leakage is still possible even when DoT messages are padded.

Can Android Applications Be Identified Using Only TCP/IP Headers of Their Launch Time Traffic?

It is found that popular Android apps can be identified with 88% accuracy, by using the packet sizes of the first 64 packets they generate, when the learning methods are trained and tested on the data collected from the same device.

Effective Attacks and Provable Defenses for Website Fingerprinting

This paper shows how simulatable, deterministic defenses can be provably private, and shows that bandwidth overhead optimality can be achieved for these defenses by using a supersequence over anonymity sets of packet sequences.

A Critical Evaluation of Website Fingerprinting Attacks

It is shown that certain variables, for example, user's browsing habits, differences in location and version of Tor Browser Bundle, that are usually omitted from the current WF model have a significant impact on the efficacy of the attack.

An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?

This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption by collecting data from Internet scanning, user-end measurement and passive monitoring logs, and gains several unique insights.

Revisiting Assumptions for Website Fingerprinting Attacks

Two new algorithms are proposed to deal with situations when the victim visits one website after another and visits another website in the middle of visiting one website (overlapping visits), and using the proposed "splitting" algorithm, websites can be predicted with an accuracy of 70%.