TY - GEN
T1 - Oblivious DNS
T2 - 2019 Applied Networking Research Workshop, ANRW 2019
AU - Schmitt, Paul
AU - Edmundson, Anne
AU - Mankin, Allison
AU - Feamster, Nick
PY - 2019/7/22
Y1 - 2019/7/22
N2 - Virtually every Internet communication typically involves a Domain Name System (DNS) lookup for the destination server that the client wants to communicate with. Operators of DNS recursive resolvers - the machines that receive a client's query for a domain name and resolve it to a corresponding IP address - can learn significant information about client activity. Recognizing the privacy vulnerabilities associated with DNS queries, various third parties have created alternate DNS services that obscure a user's DNS queries from his or her Internet service provider. Yet, these systems merely transfer trust to a different third party. We argue that no single party ought to be able to associate DNS queries with a client IP address that issues those queries. To this end, we present Oblivious DNS (ODNS), which introduces an additional layer of obfuscation between clients and their queries. To do so, ODNS uses its own authoritative namespace; the authoritative servers for the ODNS namespace act as recursive resolvers for the DNS queries that they receive, but they never see the IP addresses for the clients that initiated these queries. Our experiments using a prototype show that ODNS introduces minimal performance overhead, both for individual queries and for web page loads. Critically, we design ODNS to be compatible with existing DNS infrastructure.
AB - Virtually every Internet communication typically involves a Domain Name System (DNS) lookup for the destination server that the client wants to communicate with. Operators of DNS recursive resolvers - the machines that receive a client's query for a domain name and resolve it to a corresponding IP address - can learn significant information about client activity. Recognizing the privacy vulnerabilities associated with DNS queries, various third parties have created alternate DNS services that obscure a user's DNS queries from his or her Internet service provider. Yet, these systems merely transfer trust to a different third party. We argue that no single party ought to be able to associate DNS queries with a client IP address that issues those queries. To this end, we present Oblivious DNS (ODNS), which introduces an additional layer of obfuscation between clients and their queries. To do so, ODNS uses its own authoritative namespace; the authoritative servers for the ODNS namespace act as recursive resolvers for the DNS queries that they receive, but they never see the IP addresses for the clients that initiated these queries. Our experiments using a prototype show that ODNS introduces minimal performance overhead, both for individual queries and for web page loads. Critically, we design ODNS to be compatible with existing DNS infrastructure.
UR - http://www.scopus.com/inward/record.url?scp=85074450774&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85074450774&partnerID=8YFLogxK
U2 - 10.1145/3340301.3341128
DO - 10.1145/3340301.3341128
M3 - Conference contribution
T3 - ANRW 2019 - Proceedings of the 2019 Applied Networking Research Workshop
SP - 17
EP - 19
BT - ANRW 2019 - Proceedings of the 2019 Applied Networking Research Workshop
PB - Association for Computing Machinery, Inc
Y2 - 22 July 2019
ER -