Abstract
The edns-client-subnet (ECS) is a new extension for the Domain Name System (DNS) that delivers a “faster Internet” with the help of client-specific DNS answers. Under ECS, recursive DNS servers (recursives) provide client network address information to upstream authorities, permitting topologically localized answers for content delivery networks (CDNs). This optimization, however, comes with a privacy penalty that has not yet been studied. Our analysis concludes that ECS makes DNS communications less private: the potential for mass surveillance is greater, and stealthy, highly targeted DNS poisoning attacks become possible.
Despite being an experimental extension, ECS is already deployed, and users are expected to “opt out” on their own. Yet, there are no available client-side tools to do so. We describe a configuration of an experimental recursive tool to reduce the privacy leak from ECS queries in order to immediately allow users to protect their privacy. We recommend the protocol change from “opt out” to “opt in”, given the experimental nature of the extension and its privacy implications.
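To make the mechanism in the abstract concrete, the following is an added example, not code from the paper or its authors: it encodes and decodes the EDNS client-subnet option in the extension's wire format (FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, then only as many address octets as the prefix covers; RFC 7871 later assigned option code 8, while the early draft used an experimental code) and shows the one knob a privacy-conscious recursive controls: the source prefix length it forwards upstream. A length of 0 carries no address octets at all and signals the "opt out" the abstract refers to; the /24 and /56 caps are the maxima RFC 7871 recommends. Function names and the sample addresses (documentation ranges) are my own.

```python
"""Added example: EDNS client-subnet (ECS) option encoding/decoding plus a
truncation policy a recursive could apply before forwarding a query."""
import ipaddress
import struct

# Option code assigned to client-subnet in RFC 7871 (draft-00 used the
# experimental code 0x50FA). FAMILY values are the IANA address-family numbers.
ECS_OPTION_CODE = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def encode_ecs(address, source_prefix_len, scope_prefix_len=0):
    """Return one ECS option on the wire: OPTION-CODE, OPTION-LENGTH, payload.

    Only ceil(source_prefix_len / 8) address octets are sent and the bits beyond
    the prefix are zeroed, so the prefix length alone decides how much of the
    client's address leaves the recursive.
    """
    ip = ipaddress.ip_address(address)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix_len <= ip.max_prefixlen:
        raise ValueError("prefix length out of range for address family")
    net = ipaddress.ip_network(f"{ip}/{source_prefix_len}", strict=False)
    n_octets = (source_prefix_len + 7) // 8
    payload = (struct.pack("!HBB", family, source_prefix_len, scope_prefix_len)
               + net.network_address.packed[:n_octets])
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def decode_ecs(blob):
    """Parse one ECS option and report the client network it reveals.

    Rejects malformed options: short or over-long data, an address length that
    disagrees with SOURCE PREFIX-LENGTH, and non-zero bits beyond the prefix
    (which RFC 7871 says must be treated as a format error).
    """
    if len(blob) < 8:
        raise ValueError("truncated option header")
    code, length = struct.unpack("!HH", blob[:4])
    payload = blob[4:4 + length]
    if len(payload) != length:
        raise ValueError("OPTION-LENGTH exceeds available data")
    family, source, scope = struct.unpack("!HBB", payload[:4])
    addr_octets = payload[4:]
    if family == FAMILY_IPV4:
        full_len = 4
    elif family == FAMILY_IPV6:
        full_len = 16
    else:
        raise ValueError("unsupported address family")
    if len(addr_octets) != (source + 7) // 8:
        raise ValueError("address length does not match SOURCE PREFIX-LENGTH")
    padded = addr_octets + b"\x00" * (full_len - len(addr_octets))
    ip = ipaddress.ip_address(padded)
    net = ipaddress.ip_network(f"{ip}/{source}", strict=False)
    if net.network_address.packed != padded:
        raise ValueError("non-zero bits beyond the source prefix")
    return {"code": code, "family": family, "source_prefix_len": source,
            "scope_prefix_len": scope, "network": str(net)}


def forward_option_for(client_ip, max_v4=24, max_v6=56, opt_out=False):
    """Option a privacy-conscious recursive sends upstream for a client query.

    opt_out sends SOURCE PREFIX-LENGTH 0 with no address octets, which also
    tells the authority not to tailor the answer. Otherwise the client address
    is capped at max_v4/max_v6 bits (RFC 7871's recommended maxima); a
    recursive forwarding the full /32 or /128 is what leaks the most.
    """
    ip = ipaddress.ip_address(client_ip)
    if opt_out:
        return encode_ecs(str(ip), 0)
    cap = max_v4 if ip.version == 4 else max_v6
    return encode_ecs(str(ip), min(cap, ip.max_prefixlen))


if __name__ == "__main__":
    # Constructed sample clients from documentation address ranges.
    for client in ("192.0.2.77", "2001:db8::1"):
        full = encode_ecs(client, ipaddress.ip_address(client).max_prefixlen)
        capped = forward_option_for(client)
        none = forward_option_for(client, opt_out=True)
        print(client, "->", decode_ecs(full)["network"],
              "| capped:", decode_ecs(capped)["network"],
              "| opt out:", decode_ecs(none)["network"])
```

Feeding the three variants through `decode_ecs` shows exactly what an upstream authority (or anyone on the path to it) learns: the full host address, a /24 or /56 neighbourhood, or nothing. The decoder's rejection of non-zero bits beyond the prefix is also the check an authority needs so that a malformed option cannot smuggle more address bits than the stated prefix length admits.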
Acknowledgments
This material is based upon work supported in part by the US Department of Commerce under grant no. 2106DEK and Sandia National Laboratories grant no. 2106DMU. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the US Department of Commerce nor Sandia National Laboratories.
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Kintis, P., Nadji, Y., Dagon, D., Farrell, M., Antonakakis, M. (2016). Understanding the Privacy Implications of ECS. In: Caballero, J., Zurutuza, U., Rodríguez, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2016. Lecture Notes in Computer Science(), vol 9721. Springer, Cham. https://doi.org/10.1007/978-3-319-40667-1_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-40666-4
Online ISBN: 978-3-319-40667-1