Oblivious DNS: Practical Privacy for DNS Queries

  title={Oblivious DNS: Practical Privacy for DNS Queries},
  author={Paul Schmitt and Anne Edmundson and Nick Feamster},
  journal={Proceedings on Privacy Enhancing Technologies},
  pages={228 - 244}
Abstract Virtually every Internet communication typically involves a Domain Name System (DNS) lookup for the destination server that the client wants to communicate with. Operators of DNS recursive resolvers—the machines that receive a client’s query for a domain name and resolve it to a corresponding IP address—can learn significant information about client activity. Past work, for example, indicates that DNS queries reveal information ranging from web browsing activity to the types of devices… 

D-DNS: Towards Re-Decentralizing the DNS

The trend towards centralized DNS is revisited and several candidate decentralized architectures are proposed and evaluated, laying the groundwork for future research to explore decentralized, encrypted DNS architectures that strike a balance between privacy and performance.

Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS

Interoperable instantiations of the Oblivious DNS over HTTPS protocol are implemented, a corresponding formal model and analysis is constructed, and results suggest that ODoH is a practical privacy-enhancing replacement for DNS.

Enhanced Performance and Privacy via Resolver-Less DNS

  • Erik Sy
  • Computer Science
    2021 International Conference on Information Networking (ICOIN)
  • 2021
A novel HTTP response header allowing web server to provide their clients with relevant DNS records allowing user agents to save the DNS lookup time for subsequent connection establishments and improves the privacy posture of the user towards the used recursive resolver.

K-resolver: Towards Decentralizing Encrypted DNS Resolution

K-resolver is proposed, a DNS resolution mechanism that disperses DNS queries across multiple DoH resolvers, reducing the amount of information about a user's browsing activity exposed to each individual resolver.

Decentralization, privacy and performance for DNS

The Domain Name System (DNS) is both key determinant of a users' quality of experience (QoE) and privy to their tastes, preferences, and even the devices they own. Growing concern about user privacy

Comparing the Effects of DNS, DoT, and DoH on Web Performance

This paper measures the effect of Do53, DoT, and DoH on query response times and page load times from five global vantage points and provides several recommendations to improve DNS performance, such as opportunistic partial responses and wire format caching.

Measuring the Availability and Response Times of Public Encrypted DNS Resolvers

This paper explores the performance of a large group of encrypted DNS resolvers supporting DoH by measuring DNS query response times from global vantage points in North America, Europe, and Asia, and shows that many non-mainstream resolver have higher response times than mainstream resolVers, suggesting that users may be able to use a broader set of encrypted resolver than those that are available in current browser configurations.

Leveraging eBPF to preserve user privacy for DNS, DoT, and DoH queries

This paper demonstrates how the extended Berkeley Packet Filter (eBPF) can assist users in maintaining their privacy by leveraging eBPF to provide privacy across standard DNS, DoH, and DoT communications and develops a method that allows users to enforce application-specific DNS servers.

Encrypted DNS -> Privacy? A Traffic Analysis Perspective

This paper examines whether encrypting DNS traffic can protect users from traffic analysis-based monitoring and censoring and shows that Tor -- which does not effectively mitigate traffic analysis attacks on web traffic -- is a good defense against DoH traffic analysis.

Mutualized oblivious DNS (μODNS): Hiding a tree in the wild forest

This paper introduces a new concept of a multiple-relay-based DNS for user anonymity in DNS queries, called the mutualized oblivious DNS (μODNS), by extending the concept of existing relay-based schemes by introducing a small and reasonable assumption that each user has at least one trusted/dedicated relay in a network and mutually shares the dedicated one with others.



Connection-Oriented DNS to Improve Privacy and Security

The contribution is to show that T-DNS significantly improves security and privacy: TCP prevents denial-of-service (DoS) amplification against others, reduces the effects of DoS on the server, and simplifies policy choices about key size.

Pretty Bad Privacy: Pitfalls of DNS Encryption

This work indicates that further study may be required to adjust the proposals for end-to-end encryption to stand up to their security guarantees, and to make them suitable for the common servers' configurations in the DNS infrastructure.

EncDNS: A Lightweight Privacy-Preserving Name Resolution Service

EncDNS, a novel lightweight privacy-preserving name resolution service as a replacement for conventional third-party resolvers, which encapsulates encrypted messages in standards-compliant DNS messages.

Privacy-Preserving DNS: Analysis of Broadcast, Range Queries and Mix-Based Protection Methods

It is shown that broadcasting the 10,000 most frequently queried hostnames allows zero-latency lookups for over 80% of DNS queries at reasonable cost.

Increased DNS forgery resistance through 0x20-bit encoding: security via leet queries

A novel, practical and simple technique to make DNS queries more resistant to poisoning attacks: mix the upper and lower case spelling of the domain name in the query, and makes this DNS encoding system a proposed IETF standard.

DNS performance and the effectiveness of caching

Results suggest that client latency is not as dependent on aggressive caching as is commonly believed, and that the widespread use of dynamic low-TTL A-record bindings should not greatly increase DNS related wide-area network traffic.

The Effect of DNS on Tor's Anonymity

It is shown that an adversary who can mount a DefecTor attack can often determine the website that a Tor user is visiting with perfect precision, particularly for less popular websites where the set of DNS names associated with that website may be unique to the site.

DNS security challenges and best practices to deploy secure DNS with digital signatures

This paper is meant to discuss the DNS security vulnerabilities and best practices to address DNS security challenges. The Domain Name System (DNS) is the foundation of internet which translates user

Measuring the Leakage of Onion at the Root: A measurement of Tor's .onion pseudo-TLD in the global domain name system

This paper will present the state of .onion requests received at the global public DNS A and J root nodes over a longitudinal period of time, a synthesis of Day In The Life of the Internet (DITL) data repository, and potential explanations of the leakage.

Evaluation of Two Privacy-Preserving Protocols for the DNS

This paper evaluates in this paper two DNS privacy-preserving approaches recently presented in the literature and discusses some benefits and limitations of these proposals, and points out the necessity of additional measures to enhance their security.