Litcius/Paper detail

Privacy of DNS-over-HTTPS: Requiem for a Dream?

Levente Csikor, Himanshu Singh, Min Suk Kang, Dinil Mon Divakaran

202125 citationsDOI

Abstract

The recently proposed DNS-over-HTTPS (DoH) protocol is becoming increasingly popular in addressing the privacy concerns of exchanging plain-text DNS messages over potentially malicious transit networks (e.g., mass surveillance at ISPs). By employing HTTPS to encrypt DNS communications, DoH traffic inherently becomes indistinguishable from regular encrypted Web traffic, rendering active disruption (e.g., downgrading to the plain-text DNS) by transit networks extremely hard. In this work, we investigate whether DoH traffic is indeed indistinguishable from encrypted Web traffic. To this end, we collect several DoH traffic traces corresponding to 25 resolvers (including major ones, e.g., Google and Cloudftare) by visiting thousands of domains in Alexa's list of top-ranked websites at different geographical locations and environments. Based on the collected traffic, we train a machine learning model to classify HTTPS traffic as either Web or DoH. With our DoH identification model in place, we show that an authoritarian ISP can identify ∼97.4% (∼90%) of the DoH packets correctly in a closed-world (open-world) setting while only misclassifying 1 in 10,000 Web packets. To counter this DoH identification model, we propose an effective mitigation technique, making the identification model impractical for ISPs to filter and consequently downgrade DoH to plain-text DNS communications.

Topics & Concepts

Computer scienceEncryptionNetwork packetBloom filterComputer securityWeb trafficWorld Wide WebThe InternetComputer networkInternet Traffic Analysis and Secure E-votingNetwork Security and Intrusion DetectionSpam and Phishing Detection
Privacy of DNS-over-HTTPS: Requiem for a Dream? | Litcius