Thinking Ahead on Privacy in the Domain Name System

Earlier this year, I wrote about a recent enhancement to privacy in the Domain Name System (DNS) called qname-minimization. Following the principle of minimum disclosure, this enhancement reduces the information content of a DNS query to the minimum necessary to get either an authoritative response from a name server, or a referral to another name server.

In typical DNS deployments, queries sent to an authoritative name server originate at a recursive name server that acts on behalf of a community of users, for instance, employees at a company or subscribers at an Internet Service Provider (ISP). A recursive name server maintains a cache of previous responses, and only sends queries to an authoritative name server when it doesn’t have a recent response in its cache. As a result, DNS query traffic from a recursive name server to an authoritative name server corresponds to samples of a community’s browsing patterns. Therefore, qname-minimization may be an adequate starting point to address privacy concerns for these exchanges, both in terms of information available to outside parties and to the authoritative name server.
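The difference in what each authoritative server learns can be traced with a small simulation. This is an added example, not code from the original post; the zone cuts and the queried name are constructed, and the function names are hypothetical.

```python
# Added illustration: simulation only, no network traffic is sent.
# ZONE_CUTS is a constructed delegation chain, not real DNS data.
ZONE_CUTS = {"com.", "example.com."}

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def suffix(parts, n):
    """Name made of the rightmost n labels, fully qualified."""
    return ".".join(parts[-n:]) + "."

def next_cut(zone, ask, zone_cuts):
    """Child zone the server for `zone` would refer `ask` to, or None."""
    parts = labels(ask)
    for n in range(len(labels(zone)) + 1, len(parts) + 1):
        if suffix(parts, n) in zone_cuts:
            return suffix(parts, n)
    return None

def queries_seen(qname, zone_cuts=ZONE_CUTS, minimize=True):
    """List of (zone whose server is asked, name placed in the query)."""
    target = labels(qname)
    zone, revealed, seen = ".", 1, []
    while True:
        # Minimized: one label more than already resolved. Classic: everything.
        n = min(revealed, len(target)) if minimize else len(target)
        ask = suffix(target, n)
        seen.append((zone, ask))
        referral = next_cut(zone, ask, zone_cuts)
        if referral:
            zone = referral                  # follow the delegation
            revealed = len(labels(zone)) + 1
        elif n == len(target):
            return seen                      # authoritative answer reached
        else:
            revealed += 1                    # not a zone cut: add one label

def servers_seeing_full_name(qname, minimize):
    full = suffix(labels(qname), len(labels(qname)))
    return [z for z, ask in queries_seen(qname, minimize=minimize) if ask == full]

if __name__ == "__main__":
    for mode in (False, True):
        print("minimize =", mode)
        for zone, ask in queries_seen("www.internal.example.com.", minimize=mode):
            print(f"  server for {zone:<14} is asked about {ask}")
```

Because the resolver does not know in advance where zone cuts fall, it adds one label at a time, so the server for `example.com.` receives two queries in the minimized case while the root and `com.` servers never see the full name.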

DNS query traffic from a client to a recursive name server, in contrast, corresponds to individual users’ browsing patterns. To the extent that these exchanges present a privacy concern, a complementary privacy enhancement, DNS-over-TLS (Transport Layer Security), may be an appropriate mitigation. Just as Web traffic is typically protected by establishing a TLS connection between client and server, DNS traffic can be encrypted by running the DNS protocol over TLS. The encryption takes away any direct information about the query from outside parties, while still maintaining full information at the recursive name server so that it can respond to the client’s request.

(There are also some more sophisticated methods, such as those described by Haya Shulman in her recent paper, whereby other parties can get indirect “side” information from the timing or size of encrypted queries. However, the primary risk of direct access to query information is effectively mitigated by the encryption.)
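A minimal client-side sketch of DNS-over-TLS follows: an ordinary DNS query message, length-prefixed as for DNS over TCP, sent inside a certificate-verified TLS session on port 853 (RFC 7858). It is an added example, not code from the original post; the function names are hypothetical, and the server address and the name to authenticate are supplied by the caller.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # port assigned to DNS-over-TLS in RFC 7858

def build_query(qname, qtype=1, txid=0):
    """Plain DNS query message: 12-byte header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    encoded = b""
    for label in qname.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError("DNS labels must be 1 to 63 bytes long")
        encoded += bytes([len(label)]) + label
    return header + encoded + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    """Two-byte length prefix, the same framing DNS uses over TCP."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def dot_exchange(server_ip, auth_name, qname, timeout=5.0):
    """Send one query over TLS and return the raw DNS response bytes."""
    ctx = ssl.create_default_context()  # verifies certificate chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(qname)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)

def on_wire_length(qname):
    """Plaintext size handed to TLS; it grows with the length of the name."""
    return len(frame(build_query(qname)))
```

`on_wire_length` makes the size side channel mentioned above concrete: the encrypted record hides the name itself, but its length still tracks the length of the queried name.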

Privacy has received a significant increase in attention within the Internet Engineering Task Force (IETF) over the past two years as a result of concerns about security and pervasive monitoring. The DNS PRIVate Exchange (DPRIVE) working group was formed during this time and, among other documents, has produced an Informational RFC (Request for Comments) on DNS privacy considerations, and is also developing specifications for the enhancements just described.

The session “Protecting Privacy at the Infrastructure Level: The Evolution of Domain Name System Security” at the Privacy.Security.Risk 2015 conference gives an overview of these enhancements and how privacy professionals can integrate them into their portfolio of privacy risk mitigations. Broadly speaking, privacy risks in a DNS-based system can be organized into four categories, depending on where unauthorized disclosure of DNS traffic may occur:

  1. Between client and recursive
  2. At recursive name server
  3. Between recursive and authoritative
  4. At authoritative name server

In addition, unauthorized modification of DNS traffic can present a privacy risk if a client is misdirected to a resource controlled by an adversary.

Mitigations to the disclosure risks include qname-minimization and DNS-over-TLS, as already mentioned, as well as data handling policies, technologies and audits at the various components involved. The modification risk can also be addressed by DNS-over-TLS (because TLS authenticates as well as encrypts traffic), by proper data handling, and by the DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE).

Similar to the way privacy risks elsewhere in an information system are assessed and mitigated, privacy professionals should consider these steps when evaluating DNS-based systems:

  • Ask if these risks apply
  • Ask if existing mitigations are sufficient
  • Consider how these mitigations can help
  • Ask your DNS provider about its privacy practices

DNS privacy will be getting more attention over the coming years, as attacks as well as defenses move from the application to the network layer. It’s good to see efforts like DPRIVE looking ahead, and Verisign will continue to support them with practical contributions.

What privacy concerns do you see in your DNS-based systems, and how do you see privacy enhancements such as qname-minimization and DNS-over-TLS playing out?

By Dr. Burt Kaliski Jr., Senior VP and Chief Technology Officer at Verisign

He leads Verisign’s long-term research program. Through the program’s innovation initiatives, the CTO organization, in collaboration with business and technology leaders across the company, explores emerging technologies, assesses their impact on the company’s business, prototypes and evaluates new concepts, and recommends new strategies and solutions. Burt is also responsible for the company’s industry standards engagements, university collaborations and technical community programs.
