A Worldwide View on the Reachability of Encrypted DNS Services
Pages 1193 - 1202
Editorial Notes
The authors have requested minor, non-substantive changes to the VoR and, in accordance with ACM policies, a Corrected VoR was published on July 29, 2024. For reference purposes the VoR may still be accessed via the Supplemental Material section on this page.
Abstract
To protect user DNS privacy, four DNS over Encryption (DoE) protocols have been proposed, including DNS over TLS (DoT), DNS over HTTPS (DoH), DNS over QUIC (DoQ), and DNS over HTTP/3 (DoH3). Ensuring reachability stands as a prominent prerequisite for the proper functionality of these DoE protocols, driving considerable efforts in this domain. However, existing studies predominantly concentrate on a limited number of DoT/DoH domains or employ a restricted subset of vantage points (VPs).
In this paper, we present the first comprehensive worldwide view of DoE service reachability. By collecting data from our 15-month-long scan, we elaborately built a list of 1302 operational DoE domains as measurement targets, 448 of which support IPv6. Then we performed 10M DoE over IPv4 (DoEv4) and 570K DoE over IPv6 (DoEv6) queries from 5K VPs over two months, encompassing 102 countries/regions. Our results reveal that the reachability of DoE services is poor in some countries/regions. Specifically, 592K (5.92%) DoEv4 queries and 28K (4.91%) DoEv6 queries are blocked. In countries/regions with strict Internet control, DoEv4 service blocking often occurs during TCP connection and QUIC version negotiation. Compared to DoEv4, the reachability of DoEv6 services is better. In particular, some DoE blocking policies target only specific IP addresses or DoE protocols, providing clients with the opportunity to access blocked DoE domains. Our study highlights the need for the DNS community to pay attention and improve the reachability of DoE services.
Supplemental Material
MP4 File
Supplemental video
- Download
- 207.30 MB
PDF File - 3645539-VoR
Version of Record for "A Worldwide View on the Reachability of Encrypted DNS Services" by Li et al., Proceedings of the ACM on Web Conference 2024 (WWW '24).
- Download
- 5.83 MB
References
[1]
Cloudflare 1.1.1.1. 2023. Backend IP address of Cloudflare DNS server. https: //www.cloudflare.com/zh-cn/ips/
[2]
Google 8.8.8.8. 2023. Backend IP address of Google DNS server. https://www.gsta tic.com/ipranges/publicdns.json
[3]
AdGuard. 2022. DNS-over-QUIC is now officially a proposed standard. https: //adguard.com/en/blog/dns-over-quic-official-standard.html
[4]
S. Basso. 2020. DNS over TLS blocked in Iran. https://ooni.org/post/2020-iran-dot/
[5]
S. Basso. 2021. Measuring DoT/DoH blocking using OONI probe: a preliminary study. In NDSS DNS Privacy Workshop.
[6]
S. Bortzmeyer. 2015. DNS Privacy Considerations. RFC 7626.
[7]
R. Chhabra, P. Murley, D. Kumar, M. Bailey, and G. Wang. 2021. Measuring DNS-over-HTTPS performance around the world. In IMC. ACM, 351--365.
[8]
Chrome. 2019. Chrome DNS-over-HTTPS. https://groups.google.com/a/chromi um.org/g/net-dev/c/lIm9esAFjQ0/m/MyfjWzwlBgAJ
[9]
chromium. 2023. DoH providers recognized by Chrome. https://source.chromium. org/chromium/chromium/src//HEAD:net/dns/public/doh_provider_entry.cc
[10]
C. Cimpanu. 2019. UK ISP group names Mozilla 'Internet Villain' for supporting 'DNS-over-HTTPS'. https://www.zdnet.com/article/uk-isp-group-namesmozilla- internet-villain-for-supporting-dns-over-https/
[11]
D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk. 2008. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280.
[12]
Github curl. 2023. Publicly available servers. https://github.com/curl/curl/wiki/ DNS-over-HTTPS#publicly-available-servers
[13]
C. T. Deccio and J. Davis. [n. d.]. DNS privacy in practice and preparation. In CoNEXT 2019. 138--143.
[14]
T. Viet Doan, I. Tsareva, and V. Bajpai. 2021. Measuring DNS over TLS from the Edge: Adoption, Reliability, and Response Times. In PAM. 192--209.
[15]
Z. Durumeric, E.Wustrow, and J. Alex Halderman. 2013. ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX. 605--620.
[16]
K. Elmenhorst, B. Schütz, N. Aschenbruck, and S. Basso. 2021. Web censorship measurements of HTTP/3 over QUIC. In IMC. ACM, 276--282.
[17]
Ernie. 2014. The Multi-CDN Strategy. https://www.bizety.com/2014/05/09/multicdn- strategy/
[18]
FortiGate. 2023. Network Firewalls for Small Businesses. https://www.fortinet.c om/solutions/small-business/firewall
[19]
S. García, K. Hynek, D. Vekshin, T. Cejka, and A. Wasicek. 2021. Large Scale Measurement on the Adoption of Encrypted DNS. (2021). arXiv:2107.04436
[20]
D. K. Gillmor, J. Salazar, and P. Hoffman. 2023. Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS. draft-ietf-dprive-unilateralprobing- 11.
[21]
Google. 2022. DNS-over-HTTP/3 in Android. https://security.googleblog.com/20 22/07/dns-over-http3-in-android.html
[22]
N. Hoang, M. Polychronakis, and P. Gill. 2022. Measuring the Accessibility of Domain Name Encryption and Its Impact on Internet Filtering. In PAM, Vol. 13210. 518--536.
[23]
P. Hoffman and P. McManus. 2018. DNS Queries over HTTPS (DoH). RFC 8484.
[24]
Freedom House. 2022. Internet Freedom Status. https://freedomhouse.org/count ries/freedom-net/scores
[25]
Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels, and P. Hoffman. 2016. Specification for DNS over Transport Layer Security (TLS). RFC 7858.
[26]
C. Huitema, S. Dickinson, and A. Mankin. 2022. DNS over Dedicated QUIC Connections. RFC 9250.
[27]
ip api. 2023. IP Geolocation API. https://ip-api.com/
[28]
ipinfo.io. 2023. Bogon IP Address Ranges. https://ipinfo.io/bogon
[29]
T. Jensen. 2019. Windows will improve user privacy with DNS over HTTPS. https: //techcommunity.microsoft.com/t5/networking-blog/windows-will-improveuser- privacy-with-dns-over-https/ba-p/1014229
[30]
L. Jin, S. Hao, H. Wang, and C. Cotton. 2021. Understanding the Impact of Encrypted DNS on Internet Censorship. In WWW. 484--495.
[31]
M. Kosek, T. Viet Doan, M. Granderath, and V. Bajpai. 2022. One to Rule Them All? A First Look at DNS over QUIC. In PAM, Vol. 13210. 537--551.
[32]
M. Kosek, L. Schumann, R. Marx, T. Viet Doan, and V. Bajpai. 2022. DNS privacy with speed?: evaluating DNS over QUIC and its impact on web performance. In IMC. 44--50.
[33]
R. Li, X. Jia, Z. Zhang, J. Shao, R. Lu, J. Lin, X. Jia, and G.Wei. 2023. A Longitudinal and Comprehensive Measurement of DNS Strict Privacy. IEEE/ACM Transactions on Networking (2023).
[34]
C. Lu, B. Liu, Z. Li, S. Hao, H. Duan, M. Zhang, C. Leng, Y. Liu, Z. Zhang, and J. Wu. 2019. An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?. In IMC. 22--35.
[35]
M. Luo, Y. Yao, L. Xin, Z. Jiang, Q. Wang, and W. Shi. 2022. Measurement for encrypted open resolvers: Applications and security. Comput. Networks 213 (2022), 109081.
[36]
P. Mockapetris. 1987. DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION. RFC 1035.
[37]
Mozilla. 2019. Firefox DNS-over-HTTPS. https://support.mozilla.org/en- US/kb/firefox-dns-over-https
[38]
NextDNS. 2021. What is DNS over TLS (DoT), DNS over Quic (DoQ) and DNS over HTTPS (DoH/DoH3)? https://help.nextdns.io/t/x2hmvas/what-is-dns-over-tlsdot- dns-over-quic-doq-and-dns-over-https-doh-doh3
[39]
NextDNS. 2023. The new firewall for the modern Internet. https://nextdns.io
[40]
A. Niaki, S. Cho, Z.Weinberg, N. Hoang, A. Razaghpanah, N. Christin, and P. Gill. 2020. ICLab: A Global, Longitudinal Internet Censorship Measurement Platform. In IEEE Symposium on Security and Privacy. 135--151.
[41]
NordVPN. 2023. VPN provider. https://nordvpn.com/
[42]
Opera. 2019. Changelog for 67. https://blogs.opera.com/desktop/changelog-for- 67/#b3575.2
[43]
T. Pauly, E. Kinnear, C. A. Wood, P. McManus, and T. Jensen. 2022. Discovery of Designated Resolvers. draft-ietf-add-ddr-10.
[44]
Censored Planet. 2022. assets-censoredplanet. https://assets.censoredplanet.org/
[45]
DNS Privacy Project. 2023. PUBLIC RESOLVERS. https://dnsprivacy.org/public_ resolvers/
[46]
QuoIntelligence. 2021. How DNS-over-HTTPS (DoH) has Changed the Threat Landscape For Companies. https://quointelligence.eu/2021/02/dns-over-httpsdoh/
[47]
R. Raman, A. Stoll, J. Dalek, R. Ramesh, W. Scott, and R. Ensafi. 2020. Measuring the Deployment of Network Censorship Filters at Global Scale. In NDSS.
[48]
R. Ramesh, L. Evdokimov, D. Xue, and R. Ensafi. 2022. VPNalyzer: systematic investigation of the VPN ecosystem. In Network and Distributed System Security. 24--28.
[49]
E. Rescorla, K. Oku, N. Sullivan, and C. Wood. 2023. TLS Encrypted Client Hello. draft-ietf-tls-esni-16.
[50]
S. Samat. 2019. Android 9 Pie: Powered by AI for a smarter, simpler experience that adapts to you. https://www.blog.google/products/android/introducing-android- 9-pie/
[51]
Surfshark. 2023. VPN provider. https://surfshark.com/
[52]
E. Tsai, D. Kumar, R. Raman, G. Li, Y. Eiger, and R. Ensafi. 2023. CERTainty: Detecting DNS Manipulation at Scale using TLS Certificates. Proc. Priv. Enhancing Technol. 2023, 3 (2023), 122--137.
[53]
M. Vale. 2019. Google Public DNS now supports DNS-over-TLS. https://security.g oogleblog.com/2019/01/google-public-dns-now-supports-dns-over.html
[54]
Mullvad VPN. 2023. Free the internet from mass surveillance. https://mullvad.net/
Index Terms
- A Worldwide View on the Reachability of Encrypted DNS Services
Recommendations
Measurement for encrypted open resolvers: Applications and security
AbstractEncrypted DNS has been proposed to mitigate the vulnerability of traditional DNS to surveillance and tampering. Some encrypted DNS protocols, like DNS over HTTPS (DoH) and DNS over TLS (DoT), have been promoted by the community and ...
Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers
CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications SecurityAuthoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain name owners are required to deploy multiple candidate nameservers for ...
Securing DNS: Extending DNS Servers with a DNSSEC Validator
DNS Security Extensions (DNSSEC) is a proposed standard for securely authenticating information in the Domain Name System. DNSSEC validators check the digital signatures on DNS data. However, designing a validator worth the operational costs is a ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
May 2024
4826 pages
ISBN:9798400701719
DOI:10.1145/3589334
- General Chairs:
- Tat-Seng Chua,
- Chong-Wah Ngo,
- Proceedings Chair:
- Roy Ka-Wei Lee,
- Program Chairs:
- Ravi Kumar,
- Hady W. Lauw
Copyright © 2024 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 13 May 2024
Check for updates
Badges
Author Tags
Qualifiers
- Research-article
Conference
WWW '24
Sponsor:
Acceptance Rates
Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 238Total Downloads
- Downloads (Last 12 months)238
- Downloads (Last 6 weeks)18
Reflects downloads up to 13 Dec 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in