ABSTRACT
Plaintext DNS name resolution poses significant privacy risks, so encrypting DNS communication on every path is essential for privacy preservation. The IETF has standardized DoT, DoH, and DoQ to encrypt traffic between end terminals and DNS full-service resolvers. An Internet-Draft has also been published for encrypted communication between DNS full-service resolvers and authoritative DNS servers. However, the probing policy in that Internet-Draft prioritizes compatibility: a resolver keeps communicating in plaintext until it discovers that an authoritative DNS server supports encrypted communication. The Internet-Draft's probing policy therefore does not provide complete privacy preservation. In this paper, we propose a novel authoritative DNS server discovery approach that achieves privacy preservation while ensuring compatibility.