Thinking Ahead on Privacy in the Domain Name System

Burt Kaliski

Earlier this year, I wrote about a recent enhancement to privacy in the Domain Name System (DNS) called qname-minimization. Following the principle of minimum disclosure, this enhancement reduces the information content of a DNS query to the minimum necessary to get either an authoritative response from a name server, or a referral to another name server.

In typical DNS deployments, queries sent to an authoritative name server originate at a recursive name server that acts on behalf of a community of users, for instance, employees at a company or subscribers at an Internet Service Provider (ISP). A recursive name server maintains a cache of previous responses, and only sends queries to an authoritative name server when it doesn't have a recent response in its cache. As a result, DNS query traffic from a recursive name server to an authoritative name server corresponds to samples of a community's browsing patterns. Therefore, qname-minimization may be an adequate starting point to address privacy concerns for these exchanges, both in terms of information available to outside parties and to the authoritative name server.
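To make the "minimum necessary" idea in the two paragraphs above concrete, here is a small simulation written for this post; it is not code from the original article, from Verisign, or from any real resolver. The delegation tree (root, com., example.com.) and the addresses in it are constructed, and the toy resolver models two things the text describes: a cache that suppresses repeat queries, and a qname-minimization mode in which each authoritative server is sent only one more label than it is responsible for, rather than the full name the user asked for.

```python
"""Toy model of qname minimization (RFC 7816), added for this post.

Everything here is constructed: the delegation tree, the record data and the
resolver are illustrative, not any real name server or resolver implementation.
"""

# Constructed delegation tree: each zone lists the child zones it delegates
# and the records it answers for authoritatively.
ZONES = {
    ".": {"delegations": {"com."}, "records": {}},
    "com.": {"delegations": {"example.com."}, "records": {}},
    "example.com.": {
        "delegations": set(),
        "records": {
            "www.example.com.": "192.0.2.10",   # documentation address (RFC 5737)
            "a.b.example.com.": "192.0.2.20",   # two labels below the zone apex
        },
    },
}


def ancestors(name):
    """'www.example.com.' -> ['.', 'com.', 'example.com.', 'www.example.com.']"""
    parts = name.rstrip(".").split(".")
    return ["."] + [".".join(parts[-k:]) + "." for k in range(1, len(parts) + 1)]


def serve(zone, qname):
    """What an authoritative server for `zone` returns when asked about `qname`."""
    z = ZONES[zone]
    for child in z["delegations"]:
        if qname == child or qname.endswith("." + child):
            return "referral", child            # NS records pointing at the child zone
    if qname in z["records"]:
        return "answer", z["records"][qname]
    if any(r.endswith("." + qname) for r in z["records"]):
        return "nodata", None                   # empty non-terminal: name exists, no data
    return "nxdomain", None


class Resolver:
    """Recursive resolver with a cache and an optional qname-minimization mode."""

    def __init__(self, minimize):
        self.minimize = minimize
        self.cache = {}
        self.log = []   # (zone asked, qname actually sent): what each server gets to see

    def resolve(self, qname):
        if qname in self.cache:             # cache hit: no upstream query at all
            return self.cache[qname]
        chain = ancestors(qname)
        zone, i = ".", 1                    # i indexes the next (longer) name to disclose
        while True:
            sent = chain[i] if self.minimize else qname
            self.log.append((zone, sent))
            kind, data = serve(zone, sent)
            if kind == "answer":
                self.cache[qname] = data
                return data
            if kind == "referral":
                zone = data
                i = min(chain.index(zone) + 1, len(chain) - 1)
            elif kind == "nodata" and self.minimize and i < len(chain) - 1:
                i += 1                      # same server, one more label (RFC 7816 sec. 3)
            else:
                return None                 # NXDOMAIN, or NODATA for the full name


def disclosed(qname, minimize):
    """Return the (zone, qname-sent) pairs a fresh resolver discloses while resolving `qname`."""
    r = Resolver(minimize)
    r.resolve(qname)
    return r.log
```

Running `disclosed("www.example.com.", minimize=False)` shows the root and com. servers both receiving the full name, while with `minimize=True` the root sees only `com.` and the com. servers only `example.com.`; the `a.b.example.com.` case shows the RFC 7816 fallback of adding one label at a time when a zone holds names more than one label below its apex.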

DNS query traffic from a client to a recursive name server, in contrast, corresponds to individual users' browsing patterns. To the extent that these exchanges present a privacy concern, a complementary privacy enhancement, DNS-over-TLS (Transport Layer Security), may be an appropriate mitigation. Just as Web traffic is typically protected by establishing a TLS connection between client and server, DNS traffic can be encrypted by running the DNS protocol over TLS. The encryption takes away any direct information about the query from outside parties, while still maintaining full information at the recursive name server so that it can respond to the client's request.
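As an added illustration of the client-to-recursive leg just described (not code from the original post or from Verisign), the following minimal DNS-over-TLS client builds an RFC 1035 query, applies the two-byte length framing that DNS over TCP and TLS use (RFC 7858), and sends it over a verified TLS connection on port 853. The resolver address and the hostname in its certificate are assumed to be supplied by the caller; the message encoding and framing parts run offline, the network part needs a reachable DNS-over-TLS resolver.

```python
"""Minimal DNS-over-TLS (RFC 7858) client, added for this post.

Wire format is RFC 1035; the TCP/TLS framing is a two-byte big-endian length
prefix on every message. The resolver IP and certificate hostname are caller
assumptions; nothing here is Verisign code.
"""
import socket
import ssl
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Encode a DNS query: 12-byte header (RD=1, one question) + QNAME/QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, QCLASS_IN)


def frame(msg):
    """Prefix a message with its 16-bit length, as DNS over TCP/TLS requires."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg):
    """Return (txid, rcode, qdcount, ancount) from a DNS message header."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags & 0x000F, qd, an


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket (recv may return short reads)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def read_message(sock):
    """Read one length-prefixed DNS message from a TCP/TLS stream."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def query_over_tls(resolver_ip, server_hostname, qname, port=853, timeout=5.0):
    """Send one query to a DNS-over-TLS resolver and return the raw response message.

    create_default_context() verifies the resolver's certificate against the
    system trust store and checks it against server_hostname, which is what
    gives the client assurance it is talking to its chosen recursive server
    rather than to an on-path party; the TLS record layer then hides the query.
    """
    txid = 0x2A2A
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(frame(build_query(qname, txid=txid)))
            response = read_message(tls)
    if parse_header(response)[0] != txid:
        raise ValueError("transaction id mismatch")
    return response
```

A call such as `query_over_tls("<resolver IP>", "<name in its certificate>", "www.example.com.")` returns the raw response; on the wire an observer sees only a TLS session to port 853 and the lengths of the records, which is exactly the residual "side" information the next paragraph refers to.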

(There are also some more sophisticated methods, such as described by Haya Shulman in her recent paper, whereby other parties can get indirect "side" information from the timing or size of encrypted queries. However, the primary risk of direct access to query information is effectively mitigated by the encryption.)

Privacy has received a significant increase in attention within the Internet Engineering Task Force (IETF) over the past two years as a result of concerns about security and pervasive monitoring. The DNS PRIVate Exchange (DPRIVE) working group was formed during this time and, among other documents, has produced an Informational RFC (Request for Comments) on DNS privacy considerations, and is also developing specifications for the enhancements just described.

The session "Protecting Privacy at the Infrastructure Level: The Evolution of Domain Name System Security" at the Privacy.Security.Risk 2015 conference gives an overview of these enhancements and how privacy professionals can integrate them into their portfolio of privacy risk mitigations. Broadly speaking, privacy risks in a DNS-based system can be organized into four categories, depending on where unauthorized disclosure of DNS traffic may occur:

  1. Between client and recursive
  2. At recursive name server
  3. Between recursive and authoritative
  4. At authoritative name server

In addition, unauthorized modification of DNS traffic can present a privacy risk if a client is misdirected to a resource controlled by an adversary.

Mitigations to the disclosure risks include qname-minimization and DNS-over-TLS, as already mentioned, as well as data handling policies, technologies and audits at the various components involved. The modification risk can also be addressed by DNS-over-TLS (because TLS authenticates as well as encrypts traffic), proper data handling, the DNS Security Extensions (DNSSEC), and DNS-based Authentication of Named Entities (DANE).

Similar to the way privacy risks elsewhere in an information system are assessed and mitigated, privacy professionals should consider these steps when considering DNS-based systems:

  • Ask if these risks apply
  • Ask if existing mitigations are sufficient
  • Consider how these mitigations can help
  • Ask your DNS provider about its privacy practices

DNS privacy will be getting more attention over the coming years, as attacks as well as defenses move from the application to the network layer. It's good to see efforts like DPRIVE looking ahead, and Verisign will continue to support them with practical contributions.

What privacy concerns do you see in your DNS-based systems, and how do you see privacy enhancements such as qname-minimization and DNS-over-TLS playing out?

By Burt Kaliski, Chief Technology Officer at Verisign
