A Paged Domain Name System for Query Privacy

Abstract

The lack of privacy in DNS and DNSSEC is a problem that has only recently begun to see widespread attention by the Internet and research communities, and the solutions proposed so far only look at a narrow slice of the design space. In this paper we investigate a new approach for a privacy-preserving DNS mechanism that hides query information from root name servers and TLD registries. Our architecture lets TLD registries group the DNS records in their zones together into pages. Resolvers cache all pages locally, and retrieve only small incremental updates to optimize performance. We show that this strategy is particularly effective given the relatively static nature of TLD zone records. We analyze the privacy guarantees to assess the potential and limitations of our approach; we also evaluate the memory overhead for a resolver, and obtain feasibility guarantees through a prototype implementation of the new functionalities for resolvers and registries.

Appendices

A Replication Function

Let \(\mathcal {P}\) be a page of PageDNS containing n records, and let \(k'\) be the rank of a record in \(\mathcal {P}\). For ease of notation, we write \(k' \in \mathcal {P}\), and in general we will often use a domain’s rank to refer to the domain. We assume a total of N domains, thus \(k' \in \{1,\dots ,N\}\), where \(k'=1\) is the highest rank. We consider a random variable K indicating the rank of a domain chosen at random (by a generic client) according to a Zipf distribution with parameter \(s=0.91\), i.e., such that:

$$\begin{aligned} \Pr (K = k) = f(k; s, N) = \frac{1}{k^{s} H_{N,s}} \quad \;\text {with}\ H_{N,s} = \sum _{k=1}^{N} \frac{1}{k^s} \end{aligned}$$

(10)

To simplify the notation, we will write f(k) to mean f(k; s, N) and H for \(H_{N,s}\).

Now we try to analytically express the probability that an adversary would assign to \(k'\) being the target domain having observed a request to \(\mathcal {P}\), which is equal to the probability that \(K = k'\) given that K is restricted to \(\mathcal {P}\). By applying Bayes theorem, we obtain the following equation:

$$\begin{aligned} \Pr (K=k' \mid K\in \mathcal {P}) = \frac{\Pr (K\in \mathcal {P}\mid K=k') \Pr (K=k')}{\sum _{k\in \mathcal {P}} \Pr (K\in \mathcal {P}\mid K=k) \Pr (K=k)} \end{aligned}$$

(11)

Probability \(\Pr (K\in \mathcal {P}\mid K=k)\) is equal to 1 if k is not replicated, since we are assuming that \(k\in \mathcal {P}\). More generally, if k has a replication degree of r(k) (i.e., the record for domain k exists on r(k) pages), then the probability of choosing the replica in \(\mathcal {P}\) is 1 / r(k). We can therefore rewrite Eq. 11 as follows:

$$\begin{aligned} \Pr (K=k' \mid K\in \mathcal {P}) = \frac{f(k')/r(k')}{\sum _{k\in \mathcal {P}} f(k)/r(k)} \end{aligned}$$

(12)

Now let \(k''\) be another domain on the same page, i.e., \(k''\in \mathcal {P}\). Ideally, we would like the replication function to be such that \(\Pr (K=k' \mid K\in \mathcal {P}) = \Pr (K=k'' \mid K\in \mathcal {P})\) for all possible choices of \(k'\) and \(k''\). Unfortunately, it is possible to see that the only scenario where this could theoretically be achieved is one where the number of pages is equal to the number of domains, and the cost of replication would be excessive (the total size of all PageDNS pages would increase by almost a hundredfold). Instead, we try to get the ratio of those probabilities as close to 1 as possible. Since we also want to minimize the cost of replication, we do not replicate the least popular domain (i.e., \(r(N)=1\)): replication should only help to reduce the probability in Eq. 11 for high-rank domains, to get it closer to the probability of the more unpopular domains. It is reasonable therefore for the ratio to be at its maximum when \(k'=1\) and \(k''=N\).

$$\begin{aligned} \rho _{ MAX }= \frac{\Pr (K=1 \mid K\in \mathcal {P})}{\Pr (K=N \mid K\in \mathcal {P})} = \frac{f(1)/r(1)}{f(N)/r(N)} \end{aligned}$$

(13)

Denoting with R the replication degree of the most popular domain (\(r(1) = R\)), and since \(r(N)=1\), Eq. 13 becomes the following:

$$\begin{aligned} \rho _{ MAX }= \frac{f(1)/R}{f(N)} = \frac{H^{-1}/R}{N^{-s} H^{-1}} = \frac{N^s}{R} \end{aligned}$$

(14)

All other domains should be replicated in order not to increase this ratio further. From this requirement, we obtain the following bound \(\forall k\).

$$\begin{aligned}&\frac{\Pr (K=k \mid K\in \mathcal {P})}{\Pr (K=N \mid K\in \mathcal {P})}&\le \rho _{ MAX }\end{aligned}$$

(15)

$$\begin{aligned}&\implies \quad&\frac{f(k)/r(k)}{f(N)/r(N)} = \frac{k^{-s}H^{-1}/r(k)}{N^{-s} H^{-1}} = \frac{N^s}{k^s r(k)}&\le \frac{N^s}{R}\end{aligned}$$

(16)

$$\begin{aligned}&\implies \quad&r(k)&\ge \frac{R}{k^s} \end{aligned}$$

(17)

We derived the bound in Eq. 17 for the worst case of the page containing both the most and the least popular domains, so by applying it generally to the replication for all k-s we ensure that on no page there will be two domains for which the ratio of their identification probabilities (Eq. 11) exceeds \(\rho _{ MAX }\). Furthermore, with the approximation that the denominator in Eq. 12, \(\sum _{k\in \mathcal {P}} f(k)/r(k)\), has the same value for all pages, the bound in Eq. 17 actually guarantees the following for any two pages \(\mathcal {P}\), \(\mathcal {P}'\):

$$\begin{aligned} \forall k\in \mathcal {P}, \forall k'\in \mathcal {P}'\quad \frac{\Pr (K=k \mid K\in \mathcal {P})}{\Pr (K=k' \mid K\in \mathcal {P}')} \le \rho _{ MAX }\end{aligned}$$

(18)

Fig. 5.

Replication degree of domain names according to their rank.

Since we desire to minimize the cost of replication, we try to match the bound of Eq. 17 as closely as possible (rounding it to the nearest integer), with the additional constraint that replication of any domain be at least 1. Thus the replication function we use is the following:

$$\begin{aligned} r(k) = max\{1, round (R k^{-s})\} \end{aligned}$$

(19)

In Fig. 5 we plot the function. Note how only the most popular domains with rank from 1 to \(k^{*}\) are replicated: these will all have approximately (because of rounding) the same identification probability, while for less popular domains the probability will be lower. We also point out that in our scenario \(R\le m\), where m is the number of pages, and that the best (lowest) probabilities are obtained for the equality: in this case, we have the most popular domain replicated on all pages. For realistic values (\(m = 10,000\) and \(s=0.91\)), we obtain \(k^{*} \simeq 200,000\).

B Page-Size Variance

We can think of the size of a page P as the sum of N random variables \(X_{k}\), each assuming value 1 if the k-th domain is assigned by the hash function to page P, and value 0 otherwise. The size of page P is thus \(X = \sum _{k=1}^{N} X_{k}\). Assuming that the hash function behaves as a random function, and considering a set of m pages, we can easily compute the expected value of the size of the generic page P as follows:

(20)

Since X is the sum of independent random variables with values in the set \(\{0,1\}\), we can apply the multiplicative Chernoff bound to estimate the probability that the size of a specific page will deviate from the expected value \(\mu \) by a certain factor \((1-\delta )\) (we aim to find a lower bound). The bound has the following form.

$$\begin{aligned} \Pr (X \le (1-\delta )\mu ) \le e^{-\frac{\delta ^2\mu }{2}} \end{aligned}$$

(21)

Considering for the parameters the values \(N = 10^9\) and \(m = 10^5\), as we have done throughout the paper, we obtain from Eq. 20 that \(\mu = 10^4\). Setting \(\delta = 0.1\) for a deviation of at least 10% from the mean, Eq. 21 yields the following bound:

$$\begin{aligned} \Pr (X \le 0.9 \mu ) \le e^{-\frac{10^{-2}10^4}{2}} = e^{-50} \simeq 2\cdot 10^{-22} \end{aligned}$$

(22)

We see from these numbers that the probability of having pages significantly smaller than the average is clearly negligible. Another Chernoff bound can be used to find similar limitations for the probability of pages to be 10% larger than the average.

Replicas Distribution. To determine the distribution of the number of replicas per page, we find that Chernoff bounds are not effective, as they do not allow us to rule out extreme cases such as having only 2 or 3 replicas on some page. Instead, we use a simulation over \(10^6\) pages, and find that the median is 25 records per page, though it can be as low as 7 in exceptional cases.