Padding Ain't Enough: Assessing the Privacy Guarantees of Encrypted DNS

by   Jonas Bushart, et al.

DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt DNS to guard user privacy by hiding DNS resolutions from passive adversaries. Yet, past attacks have shown that encrypted DNS is still sensitive to traffic analysis. As a consequence, RFC 8467 proposes to pad messages prior to encryption, which heavily reduces the characteristics of encrypted traffic. In this paper, we show that padding alone is insufficient to counter DNS traffic analysis. We propose a novel traffic analysis method that combines size and timing information to infer the websites a user visits purely based on encrypted and padded DNS traces. To this end, we model DNS sequences that capture the complexity of websites that usually trigger dozens of DNS resolutions instead of just a single DNS transaction. A closed world evaluation based on the Alexa top-10k websites reveals that attackers can deanonymize at least half of the test traces in 80.2 32.0 state-of-the-art message padding strategies in DoT/DoH. We conclude by showing that successful mitigations to such attacks have to remove the entropy of inter-arrival timings between query responses.



There are no comments yet.


page 7

page 8

page 9

page 10

page 16


Adaptive Traffic Fingerprinting: Large-scale Inference under Realistic Assumptions

The widespread adoption of encrypted communications (e.g., the TLS proto...

TG-PSM: Tunable Greedy Packet Sequence Morphing Based on Trace Clustering

Common privacy enhancing technologies fail to effectively hide certain s...

Can You Still See Me?: Reconstructing Robot Operations Over End-to-End Encrypted Channels

Connected robots play a key role in Industry 4.0, providing automation a...

White Mirror: Leaking Sensitive Information from Interactive Netflix Movies using Encrypted Traffic Analysis

Privacy leaks from Netflix videos/movies is well researched. Current sta...

Website Fingerprinting on Early QUIC Traffic

Cryptographic protocols have been widely used to protect the user's priv...

Compiling for Encrypted Computing: Obfuscation but Not in Name

Encrypted computing is the emerging science and technology of processors...

SiamHAN: IPv6 Address Correlation Attacks on TLS Encrypted Traffic via Siamese Heterogeneous Graph Attention Network

Unlike IPv4 addresses, which are typically masked by a NAT, IPv6 address...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.