Earlier this year, I wrote about a recent enhancement to privacy in the Domain Name System (DNS) called qname-minimization. Following the principle of minimum disclosure, this enhancement reduces the information content of a DNS query to the minimum necessary to get either an authoritative response from a name server, or a referral to another name server.
In typical DNS deployments, queries sent to an authoritative name server originate at a recursive name server that acts on behalf of a community of users, for instance, employees at a company or subscribers at an Internet Service Provider (ISP). A recursive name server maintains a cache of previous responses, and only sends queries to an authoritative name server when it doesn’t have a recent response in its cache. As a result, DNS query traffic from a recursive name server to an authoritative name server corresponds to samples of a community’s browsing patterns. Therefore, qname-minimization may be an adequate starting point to address privacy concerns for these exchanges, both in terms of information available to outside parties and to the authoritative name server.
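To make the minimum-disclosure principle concrete, here is an added example (not from the original post, nor Verisign or DPRIVE code) that simulates which part of a query each authoritative name server sees with and without qname-minimization; the delegation tree (root, com, example.com) is a constructed toy, and no real DNS traffic is sent.

```python
# Added example (not from the original post): simulate which part of a query
# each authoritative name server sees, with and without qname-minimization.
# The delegation tree below is a constructed toy; no real DNS traffic is sent.
ZONES = {
    "": ["com"],                 # root delegates "com" to the TLD server
    "com": ["example.com"],      # the TLD delegates "example.com"
    "example.com": [],           # authoritative for everything below it
}

def authoritative_reply(zone, qname):
    """Reply of the name server for `zone`: a referral if `qname` falls under a
    delegated child zone, otherwise an answer (it is authoritative for it)."""
    for child in ZONES[zone]:
        if qname == child or qname.endswith("." + child):
            return ("referral", child)
    return ("answer", qname)

def rightmost(name, n):
    """The rightmost `n` labels of `name`, joined back into a name."""
    return ".".join(name.split(".")[-n:]) if n else ""

def resolve(qname, minimize):
    """Resolve `qname` from the root and return the (server_zone, qname_sent)
    pairs, i.e. exactly what each authoritative server learns about the query."""
    sent = []
    zone = ""   # the server we are talking to; "" is the root
    n = 1       # minimized: start by revealing only the top-level label
    while True:
        query = rightmost(qname, n) if minimize else qname
        sent.append((zone, query))
        kind, data = authoritative_reply(zone, query)
        if kind == "referral":
            zone = data
            n = len(zone.split(".")) + 1   # one label below the new zone
        elif query == qname:
            return sent                    # final answer for the full name
        else:
            n += 1   # same server is authoritative; reveal one more label

if __name__ == "__main__":
    for name in ("www.example.com", "a.b.example.com"):
        for minimize in (False, True):
            print(f"{name} (minimized={minimize}):")
            for zone, query in resolve(name, minimize):
                print(f"  server for {zone or '<root>':<12} sees {query}")
```

Without minimization every server on the path, including the root and TLD, sees the full name; with it, each server sees only the labels it needs to answer or refer.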
DNS query traffic from a client to a recursive name server, in contrast, corresponds to individual users’ browsing patterns. To the extent that these exchanges present a privacy concern, a complementary privacy enhancement, DNS-over-TLS (Transport Layer Security), may be an appropriate mitigation. Just as Web traffic is typically protected by establishing a TLS connection between client and server, DNS traffic can be encrypted by running the DNS protocol over TLS. The encryption takes away any direct information about the query from outside parties, while still maintaining full information at the recursive name server so that it can respond to the client’s request.
(There are also some more sophisticated methods, such as described by Haya Shulman in her recent paper, whereby other parties can get indirect “side” information from the timing or size of encrypted queries. However, the primary risk of direct access to query information is effectively mitigated by the encryption.)
Privacy has received a significant increase in attention within the Internet Engineering Task Force (IETF) over the past two years as a result of concerns about security and pervasive monitoring. The DNS PRIVate Exchange (DPRIVE) working group was formed during this time and, among other documents, has produced an Informational RFC (Request for Comments) on DNS privacy considerations, and is also developing specifications for the enhancements just described.
The session “Protecting Privacy at the Infrastructure Level: The Evolution of Domain Name System Security” at the Privacy.Security.Risk 2015 conference gives an overview of these enhancements and how privacy professionals can integrate them into their portfolio of privacy risk mitigations. Broadly speaking, privacy risks in a DNS-based system can be organized into four categories, depending on where unauthorized disclosure of DNS traffic may occur:
- Between client and recursive
- At recursive name server
- Between recursive and authoritative
- At authoritative name server
In addition, unauthorized modification of DNS traffic can present a privacy risk if a client is misdirected to a resource controlled by an adversary.
Mitigations to the disclosure risks include qname-minimization and DNS-over-TLS, as already mentioned, as well as data handling policies, technologies and audits at the various components involved. The modification risk can also be addressed by DNS-over-TLS (because TLS authenticates as well as encrypts traffic), proper data handling, and the Domain Name System Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE).
Similar to the way privacy risks elsewhere in an information system are assessed and mitigated, privacy professionals should take these steps when assessing DNS-based systems:
- Ask if these risks apply
- Ask if existing mitigations are sufficient
- Consider how these mitigations can help
- Ask your DNS provider about its privacy practices
DNS privacy will be getting more attention over the coming years, as attacks as well as defenses move from the application to the network layer. It’s good to see efforts like DPRIVE looking ahead and Verisign will continue to support them with practical contributions.
What privacy concerns do you see in your DNS-based systems, and how do you see privacy enhancements such as qname-minimization and DNS-over-TLS playing out?