Abstract
Encrypted DNS protocols, namely DNS-over-TLS (DoT), DNS-over-HTTPS (DoH) and DNS-over-QUIC (DoQ), have been standardized and widely adopted by the industry to improve the security and privacy of DNS traffic. As more software and devices support them, encrypted DNS is fast becoming the prevailing mode of domain name resolution. Despite this trend, the dependencies within encrypted DNS infrastructures remain largely unexplored: which server components, and which third-party DNS providers, do encrypted DNS servers rely on during resolution? Understanding these dependencies is essential for a comprehensive view of the encrypted DNS ecosystem and for revealing potential weaknesses or points of centralization that could affect the robustness and reliability of DNS service.
This paper analyzes these dependencies from two critical aspects: the server components and the DNS resolution process. To this end, we perform large-scale measurements of encrypted DNS infrastructures and distinguish the roles of the servers found. Based on the classification results, we extract fingerprints to identify the server components, and we measure the upstream DNS resolvers by leveraging resolution footprints. Our findings show that (i) an encrypted DNS resolver can comprise multiple components that cooperate in the resolution process, and (ii) despite the dispersed nature of encrypted DNS entry points, 75.24% of all encrypted DNS resolvers rely on the top 10 DNS providers. This concentration of query forwarding toward a few upstream resolvers signals a growing concern about dependencies and centralization in encrypted DNS.
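The abstract's "resolution footprint" idea is the standard way to learn who a resolver forwards to: ask each encrypted resolver for a unique name under a zone whose authoritative server you run, then see which IP arrives at that authoritative server and which provider's prefix it belongs to. The following is an added example, not the paper's code, showing both halves in Python: building the RFC 8484 DoH GET URL for a per-target probe name, and turning a (constructed) authoritative-side log into an upstream map and a top-k concentration share like the 75.24% figure. The zone `probe.example`, the template `https://dns.example/dns-query{?dns}`, the prefix-to-provider table and the log lines are all assumptions made up for the example; the paper's own fingerprinting and classification steps are not reproduced here.

```python
"""Upstream "footprint" measurement for encrypted resolvers: an added,
self-contained example (not the paper's code). Each resolver under test
is asked, over DoH, for a unique name under a zone we control; whichever
IP then queries our authoritative server is that resolver's upstream.
The authoritative-side log and the prefix table below are constructed
samples so the script runs offline."""
import base64
import ipaddress
import struct
from collections import Counter

ZONE = "probe.example"  # assumption: a zone whose authoritative server we run

# Constructed stand-in for a prefix-to-provider table (real work would use
# pfx2as / the CIDR report); documentation ranges only.
PROVIDER_BY_PREFIX = {
    "192.0.2.0/24": "Provider A",
    "198.51.100.0/24": "Provider B",
    "203.0.113.0/24": "Provider C",
}


def build_query(qname: str, qtype: int = 1) -> bytes:
    """DNS query in wire format (RFC 1035): id 0 and RD=1, as RFC 8484 §4.1
    recommends for DoH so that identical queries are cache-friendly."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    name = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(template: str, qname: str) -> str:
    """Fill an RFC 8484 URI template ('...{?dns}') with the base64url-encoded,
    unpadded wire-format query for qname."""
    encoded = base64.urlsafe_b64encode(build_query(qname)).rstrip(b"=")
    return template.replace("{?dns}", "?dns=" + encoded.decode("ascii"))


def footprint_name(target_ip: str, nonce: str) -> str:
    """Per-probe name <nonce>.<target-tag>.ZONE: the nonce defeats caches, the
    tag lets the authoritative-side hit be attributed to the probed resolver.
    IPv4 targets only in this example (dots become dashes, reversibly)."""
    return f"{nonce}.{target_ip.replace('.', '-')}.{ZONE}"


def provider_of(src_ip: str, target_ip: str) -> str:
    """Classify the IP that reached our authoritative server."""
    if src_ip == target_ip:
        return "self"  # the entrance recursed itself: no third-party dependency
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, name in PROVIDER_BY_PREFIX.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)  # longest-prefix match
    return best[1] if best else "unknown"


def upstream_map(log_text: str) -> dict:
    """Authoritative log ('<ts> <source ip> <qname>' per line) ->
    {probed resolver: set of providers seen querying on its behalf}."""
    seen = {}
    suffix = "." + ZONE
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, src, qname = parts
        qname = qname.rstrip(".")
        if not qname.endswith(suffix):
            continue
        labels = qname[: -len(suffix)].split(".")
        if len(labels) != 2:  # not a probe name: ignore unrelated traffic
            continue
        target = labels[1].replace("-", ".")
        seen.setdefault(target, set()).add(provider_of(src, target))
    return seen


def top_k_share(upstreams: dict, k: int) -> float:
    """Fraction of probed resolvers depending on at least one of the k
    most-used third-party providers ('self' is never a dependency)."""
    usage = Counter(p for provs in upstreams.values() for p in provs if p != "self")
    top = {p for p, _ in usage.most_common(k)}
    dependent = sum(1 for provs in upstreams.values() if provs & top)
    return dependent / len(upstreams) if upstreams else 0.0


# Constructed sample of what our authoritative server logged.
AUTH_LOG = """\
2024-03-01T10:00:01Z 192.0.2.10   4f2a9c11.10-20-30-40.probe.example
2024-03-01T10:00:02Z 192.0.2.11   9b3e0d22.10-20-30-41.probe.example
2024-03-01T10:00:03Z 198.51.100.7 17c5aa33.172-16-0-9.probe.example
2024-03-01T10:00:04Z 172.16.0.10  0d8e4f44.172-16-0-10.probe.example
2024-03-01T10:00:05Z 203.0.113.5  aa11bb55.10-20-30-42.probe.example
2024-03-01T10:00:06Z 192.0.2.12   cc22dd66.10-20-30-43.probe.example
2024-03-01T10:00:07Z 203.0.113.9  www.probe.example
"""

if __name__ == "__main__":
    print(doh_get_url("https://dns.example/dns-query{?dns}",
                      footprint_name("10.20.30.40", "4f2a9c11")))
    ups = upstream_map(AUTH_LOG)
    for target, provs in sorted(ups.items()):
        print(f"{target:13} -> {', '.join(sorted(provs))}")
    print(f"share of resolvers on top-1 provider: {top_k_share(ups, 1):.2%}")
```

Two details matter in practice. The nonce must be fresh per probe, otherwise a cached answer at the entrance or at its upstream hides the forwarding path; and a resolver whose own address shows up at the authoritative server is doing recursion itself, so it must be excluded from the concentration count rather than lumped in with "unknown". In the constructed log one of six resolvers recurses itself and three forward to Provider A, so the top-1 share is 50%.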
Acknowledgements
The authors would like to thank the anonymous reviewers for their valuable comments and helpful suggestions. This work is supported by the Scaling Program of the Institute of Information Engineering, CAS (No. E3Z0191101, No. E3Z0041101).
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Li, B. et al. (2024). From Fingerprint to Footprint: Characterizing the Dependencies in Encrypted DNS Infrastructures. In: Garcia-Alfaro, J., Kozik, R., Choraś, M., Katsikas, S. (eds) Computer Security – ESORICS 2024. ESORICS 2024. Lecture Notes in Computer Science, vol 14983. Springer, Cham. https://doi.org/10.1007/978-3-031-70890-9_3
DOI: https://doi.org/10.1007/978-3-031-70890-9_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-70889-3
Online ISBN: 978-3-031-70890-9
eBook Packages: Computer Science (R0)