The Domain Name System (DNS), a fundamental protocol that controls how users interact with the Internet, provides inadequate protection for user privacy. Recent advances in DNS privacy and security have taken the form of the DNS over TLS (DoT) and DNS over HTTPS (DoH) protocols. The advent of these protocols, together with recent advances in large-scale data processing, has drastically altered the threat model for DNS privacy. Users can no longer rely on traditional methods and must instead take active steps to protect their privacy. In this paper, we demonstrate how the extended Berkeley Packet Filter (eBPF) can help users preserve their privacy across standard DNS, DoH, and DoT communications. Further, we develop a method that allows users to enforce application-specific DNS servers. Our method gives users control over their DNS traffic and privacy without requiring changes to their applications, while adding low overhead.
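As an added example (not code from the paper or from this record), the following plain-C program models the per-application DNS server policy that an eBPF program attached at the cgroup connect hook could enforce. It is not the authors' implementation, which the abstract does not show. In a real deployment the hook would be a `SEC("cgroup/connect4")` program receiving a `struct bpf_sock_addr`, the application identity would come from `bpf_get_current_cgroup_id()`, and the policy table would be a BPF hash map; here those pieces are modelled in user space so the decision logic compiles and runs on its own. The cgroup ids, resolver addresses, and policy table are constructed for illustration.

```c
/* Added example: user-space model of per-application DNS server enforcement.
 * The real eBPF program would attach as SEC("cgroup/connect4"), receive a
 * struct bpf_sock_addr, identify the caller with bpf_get_current_cgroup_id()
 * and look the policy up in a BPF hash map. Those pieces are modelled in plain
 * C here. All cgroup ids and addresses are constructed for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define DNS_PORT 53   /* plaintext DNS */
#define DOT_PORT 853  /* DNS over TLS */
#define DOH_PORT 443  /* DNS over HTTPS shares its port with ordinary HTTPS */

/* A cgroup/connect4 program returns 1 to let connect() proceed (possibly with
 * a rewritten destination) and 0 to make it fail. */
enum verdict { DENY = 0, ALLOW = 1 };

/* Subset of struct bpf_sock_addr that the hook reads and writes.
 * user_ip4 and user_port are in network byte order, as in the kernel. */
struct sock_addr_ctx {
    uint32_t user_ip4;
    uint32_t user_port;
    uint32_t protocol;
};

/* Per-application policy (hypothetical layout). */
struct dns_policy {
    uint64_t cgroup_id;  /* the application's cgroup */
    uint32_t stub_ip4;   /* plaintext port-53 queries are redirected here: a local
                            stub that forwards them over DoT/DoH */
    uint32_t dot_ip4;    /* the only DoT server this application may connect to */
    uint32_t doh_ip4;    /* the only known DoH server this application may use */
};

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return htonl(((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d);
}

/* Constructed policy table: two applications pinned to different resolvers. */
static struct dns_policy policies[2];
static bool policies_ready = false;

static void init_policies(void)
{
    if (policies_ready) return;
    policies[0] = (struct dns_policy){ 1001, ip4(127,0,0,1), ip4(9,9,9,9), ip4(9,9,9,9) };
    policies[1] = (struct dns_policy){ 2002, ip4(127,0,0,1), ip4(1,1,1,1), ip4(1,1,1,1) };
    policies_ready = true;
}

static const struct dns_policy *lookup_policy(uint64_t cgroup_id)
{
    init_policies();
    for (size_t i = 0; i < sizeof(policies) / sizeof(policies[0]); i++)
        if (policies[i].cgroup_id == cgroup_id) return &policies[i];
    return NULL;   /* unknown application: no resolver has been assigned */
}

/* Constructed list of public DoH resolvers the policy recognises. Enforcement
 * on port 443 is limited to this list: a DoH server not in it cannot be told
 * apart from ordinary HTTPS at connect() time. */
static bool is_known_doh_resolver(uint32_t ip)
{
    return ip == ip4(8,8,8,8) || ip == ip4(1,1,1,1) || ip == ip4(9,9,9,9);
}

enum verdict enforce_dns_policy(struct sock_addr_ctx *ctx, uint64_t cgroup_id)
{
    const struct dns_policy *p = lookup_policy(cgroup_id);
    uint16_t port = ntohs((uint16_t)ctx->user_port);

    switch (port) {
    case DNS_PORT:
        /* Plaintext DNS never leaves the host directly: applications with a
         * policy are redirected to the local stub, everything else is denied. */
        if (!p) return DENY;
        ctx->user_ip4 = p->stub_ip4;
        return ALLOW;
    case DOT_PORT:
        /* Rewriting the address would break the client's TLS certificate check,
         * so DoT is pinned by refusing any server other than the assigned one. */
        return (p && ctx->user_ip4 == p->dot_ip4) ? ALLOW : DENY;
    case DOH_PORT:
        /* Only a recognised DoH resolver can be policed; other HTTPS passes. */
        if (is_known_doh_resolver(ctx->user_ip4) && (!p || ctx->user_ip4 != p->doh_ip4))
            return DENY;
        return ALLOW;
    default:
        return ALLOW;
    }
}

int main(void)
{
    struct sock_addr_ctx c = { ip4(8,8,8,8), htons(DNS_PORT), IPPROTO_UDP };
    enum verdict v = enforce_dns_policy(&c, 1001);
    char buf[INET_ADDRSTRLEN];
    struct in_addr a = { .s_addr = c.user_ip4 };
    printf("app 1001 -> 8.8.8.8:53 : %s, destination now %s\n",
           v == ALLOW ? "allow" : "deny", inet_ntop(AF_INET, &a, buf, sizeof buf));
    return 0;
}
```

The model makes two practitioner-relevant limits explicit. Plaintext DNS can be transparently redirected because nothing authenticates the server, but a DoT connection cannot be silently moved to a different resolver without failing the client's certificate validation, so pinning has to be enforced by refusal. On port 443 the hook only sees an address, so DoH can be constrained only for resolvers whose addresses are already known; an application using an unlisted DoH server looks like any other HTTPS client at connect() time.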
Disciplines :
Computer science
Author, co-author :
Rivera, Sean ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Gurbani, Vijay ; Illinois Institute of Technology > Computer Science
Lagraa, Sofiane ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Iannillo, Antonio Ken ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
State, Radu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
External co-authors :
yes
Language :
English
Title :
Leveraging eBPF to preserve user privacy for DNS, DoT, and DoH queries
Publication date :
August 2020
Event name :
ARES '20
Event organizer :
ACM
Event place :
Virtual Event, Ireland
Event date :
from 25-8-2020 to 28-8-2020
Journal title :
Proceedings of the 15th International Conference on Availability, Reliability and Security