Zusammenfassung
The ongoing discourse on Internet privacy tends to focus on how to ensure that personal data at endpoints, i.e. either on user devices or on servers in domains under the control of service providers, are collected and processed according to user's privacy expectations and existing privacy regulations. However, one important yet often missing aspect from public debates on privacy is the impact of the underlying, for users often hidden, Internet infrastructure to the fundamental right to informational self-determination. A key critical infrastructure component of the Internet is the Domain Name System (DNS).
As the so-called "address book of the Internet", DNS provides name resolution functions for Internet services, the most important of which is translating domain names into Internet Protocol (IP) addresses, and vice versa. Although an ever-growing number of Internet services are switching to encrypted communication hiding sensitive information from eavesdroppers, the unencrypted and unauthenticated DNS protocol remains a crucial privacy and cyber-security weak spot in the overall Internet infrastructure. The hierarchical and centralized design of the DNS allows various entities, including commercial and state entities to monitor online activities of Internet users and draw sensitive inferences about them, thus ultimately undermining individuals' right to privacy. At the same time, existing countermeasures are either theoretical, in an early stage of development or just not widely deployed or adopted. This paper focuses on privacy issues in DNS. We begin by providing a brief overview of how DNS works and a review of the different adversaries in the DNS infrastructure. Based on this analysis, we discuss resulting privacy threats to the end user and analyze related countermeasures from academia and standardization bodies.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Literatur
Ali, Muneeb et al. »Blockstack: A Global Naming and Storage System Secured by Blockchains«. In: 2016 USENIX Annual Technical Conference (USENIX ATC 16). Denver, CO: USENIX Association, June 2016. URL: https://www.usenix.org/conference/atc16/technical-sessions/presentation/ali.
Alieyan, Kamal et al. »A survey of botnet detection based on DNS«. In: Neural Computing and Applications 28.7 (July 2015), pp. 1541–1558. https://doi.org/10.1007/s0052.
Anagnostopoulos, Marios et al. »DNSSEC vs. DNSCurve: A side-by-side comparison«. In: Situational Awareness in Computer Network Defense: Principles, Methods and Applications. Ed. by Cyril Onwubiko and Thomas Owens. IGI Global, 2012. Chap. 12, pp. 201–220.
Appelbaum, Jacob and Alec Muffett. The “.onion” Special-Use Domain Name. Request for Comments (RFC) 7686. Internet Engineering Task Force (IETF), Oct. 2015. URL: https://tools.ietf.org/html/rfc7686 (visited on 12/15/2017).
Arends, Roy et al. DNS security introduction and requirements. Request for Comments (RFC) 4033. Network Working Group, Mar. 2005. URL: https://tools.ietf.org/html/rfc4033 (visited on 12/15/2017).
Arends, Roy et al. Protocol modifications for the DNS security extensions. 4035. Network Working Group, Mar. 2005. URL: https://tools.ietf.org/html/rfc4035 (visited on 12/15/2017).
Arends, Roy et al. Resource records for the DNS security extensions. Request for Comments (RFC) 4034. Network Working Group, Mar. 2005. URL: https://tools.ietf.org/html/rfc4034 (visited on 12/15/2017).
Atkins, Derek and Rob Austein. Threat analysis of the domain name system (DNS). Request for Comments (RFC) 3833. Network Working Group, Aug. 2004. URL: https://tools.ietf.org/html/rfc3833 (visited on 12/15/2017).
Banu, M Nazreen and S Munawara Banu. »A comprehensive study of phishing attacks«. In: International Journal of Computer Science and Information Technologies 4.6 (2013), pp. 783–786.
Barbosa, Kaio R.S. et al. »Identifying and Classifying Suspicious Network Behavior Using Passive DNS Analysis«. In: 2015 IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing (CIT/IUCC/DASC/PICOM). IEEE, Oct. 2015. https://doi.org/10.1109/cit/iucc/dasc/picom.2015.25.
Barnes, Richard, Olaf Kolkman, et al. Technical Considerations for Internet Service Blocking and Filtering. Request for Comments (RFC) 7754. Internet Architecture Board (IAB), Mar. 2016. URL: https://tools.ietf.org/html/rfc7754 (visited on 12/15/2017).
Barnes, Richard, Bruce Schneier, et al. Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement. Request for Comments (RFC) 7624. Internet Architecture Board (IAB), Aug. 2015. URL: https://tools.ietf.org/html/rfc7624 (visited on 12/15/2017).
Bau, Jason and John C. Mitchell. »A Security Evaluation of DNSSEC with NSEC3«. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2010, San Diego, California, USA, 28th February - 3rd March 2010. The Internet Society, 2010. URL: http://www.isoc.org/isoc/conferences/ndss/10/pdf/17.pdf.
»Belgacom attack: Britain’s GCHQ hacked Belgian telecoms firm«. In: Spiegel Online (Sept. 20, 2013). URL: http://www.spiegel.de/international/europe/%20british-spy-agency-gchq-hacked-belgian-telecoms-firm-a-923406.html (visited on 12/15/2017).
Bellis, Ray. DNS Transport over TCP - Implementation Requirements. Request for Comments (RFC) 5966. Internet Engineering Task Force (IETF), Aug. 2010. URL: https://tools.ietf.org/html/rfc5966 (visited on 12/15/2017).
Bellovin, Steven M. »Security problems in the TCP/IP protocol suite«. In: ACM SIGCOMM Computer Communication Review 19.2 (1989), pp. 32–48.
Bellovin, Steven M. »Using the Domain Name System for System Break-ins«. In: Proceedings of the 5th Conference on USENIX UNIX Security Symposium - Volume 5. SSYM’95. Salt Lake City, Utah: USENIX Association, 1995.
Bernstein, Daniel J. »Curve25519: new Diffie-Hellman speed records«. In: Public Key Cryptography - PKC 2006. Ed. by M. Yung et al. Vol. 3958. Lecture Notes in Computer Science. Springer. Berlin and Heidelberg, 2006, pp. 207–228.
Bernstein, Daniel J. DNSCurve: Usable security for DNS. https://dnscurve.org. 2009. (Visited on 09/13/2016).
Bortzmeyer, Stephane. DNS privacy considerations. Request for Comments (RFC) 7626. Internet Engineering Task Force (IETF), Aug. 2015. URL: https://tools.ietf.org/html/rfc7626 (visited on 12/15/2017).
Bortzmeyer, Stephane. DNS Query Name Minimisation to Improve Privacy. Request for Comments (RFC) 7816. Internet Engineering Task Force (IETF), Mar. 2016. URL: https://tools.ietf.org/html/rfc7816 (visited on 12/15/2017).
Bortzmeyer, Stephane. Next step for DPRIVE: resolver-to-auth link. Internet-Draft draft-bortzmeyerdprive-step-2-05. Work in Progress. Internet Engineering Task Force, Dec. 2016. 10 pp. URL: https://tools.ietf.org/html/draft-bortzmeyer-dprive-step-2-05 (visited on 12/15/2017).
Buczak, Anna L and Erhan Guven. »A survey of data mining and machine learning methods for cyber security intrusion detection«. In: IEEE Communications Surveys & Tutorials 18.2 (2016), pp. 1153–1176.
CAIDA. State of IP Spoofing. San Diego, Oct. 11, 2017. URL: https://spoofer.caida.org/summary.php (visited on 11/10/2017).
Castillo-Perez, Sergio and Joaquin Garcia-Alfaro. »Anonymous resolution of DSNS queries«. In: On the Move to Meaningful Internet Systems: OTM 2008. Ed. by Robert Meersman and Zahir Tari. Vol. 5332. Lecture Notes in Computer Science. Springer, 2008, pp. 987–1000.
Castillo-Perez, Sergio and Joaquin Garcia-Alfaro. »Evaluation of two privacy-preserving protocols for the DNS«. In: Information Technology: New Generations, 2009. ITNG’09. Sixth International Conference on. IEEE. 2009, pp. 411–416.
Contavalli, C. et al. Client Subnet in DNS Queries. Request for Comments (RFC) 7871. Internet Engineering Task Force (IETF), May 2016. URL: https://tools.ietf.org/html/rfc7871 (visited on 12/15/2017).
Denis, Frank. DNSCrypt version 2 protocol specification. https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/DNSCRYPT-V2-PROTOCOL.txt. (Visited on 09/13/2016).
Dickinson, J. et al. DNS Transport over TCP-Implementation Requirements. Request for Comments (RFC) 7766. Internet Engineering Task Force (IETF), Mar. 2016. URL: https://tools.ietf.org/html/rfc7766 (visited on 12/15/2017).
Dickinson, Sara, Daniel Kahn Gillmor, and Tirumaleswar Reddy. Authentication and (D)TLS Profile for DNS-over-(D)TLS. Internet-Draft draft-ietf-dprive-dtls-and-tls-profiles-03.Work in Progress. Internet Engineering Task Force, July 2016. 21 pp. URL: https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-03 (visited on 12/15/2017).
Dixon, Lucas, Thomas Ristenpart, and Thomas Shrimpton. »Network Traffic Obfuscation and Automated Internet Censorship«. In: IEEE Security & Privacy 14.6 (2016), pp. 43–53.
Eastlake, Donald. Domain name system security extensions. Request for Comments (RFC) 2535. Network Working Group, Mar. 1999. URL: https://tools.ietf.org/html/rfc2535 (visited on 12/15/2017).
Eckert, Claudia. IT-Sicherheit: Konzepte-Verfahren-Protokolle. 8. Aufl. München: de Gruyter, 2013.
Falcon, Ernesto. Repealing Broadband Privacy Rules, Congress Sides with the Cable and Telephone Industry. Electronic Frontier Foundation, Mar. 28, 2017. URL: https://www.eff.org/de/deeplinks/2017/03/congress-sides-cable-andtelephone-industry (visited on 11/10/2017).
Farrell, Stephen and Hannes Tschofenig. Pervasive monitoring is an attack. Request for Comments (RFC) 7258. Internet Engineering Task Force (IETF), May 2014. URL: https://tools.ietf.org/html/rfc7258.html (visited on 12/15/2017).
Federrath, Hannes et al. »Privacy-preserving DNS: analysis of broadcast, range queries and mix-based protection methods«. In: Computer Security – ESORICS 2011: 16th European Symposium on Research in Computer Security, Leuven, Belgium, September 12-14, 2011. Proceedings. Ed. by Vijay Atluri and Claudia Diaz. Vol. 6879. Lecture Notes in Computer Science. Berlin: Springer, 2011, pp. 665–683.
Gilad, Yossi and Amir Herzberg. »Off-path TCP injection attacks«. In: ACM Transactions on Information and System Security (TISSEC) 16.4 (2014), p. 13.
Gilens, Naomi. New Justice Department Documents Show Huge Increase in Warrantless Electronic Surveillance. American Civil Liberties Union. Sept. 27, 2012. URL: https://www.aclu.org/blog/national-security/new-justice-departmentdocuments-show-huge-increase-warrantless-electronic (visited on 11/10/2017).
Grangeia, Luis. DNS Cache Snooping or Snooping the Cache for Fun and Profit. Version 1.1. Lisbon: SysValue, Feb. 2004. URL: http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf (visited on 11/10/2017).
Greenwald, Glenn. »XKeyscore: NSA tool collects ’nearly everything a user does on the internet’«. In: The Guardian (July 31, 2013). URL: https://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data (visited on09/12/2016).
Greenwald, Glenn and Ewen MacAskill. »NSA Prism program taps in to user data of Apple, Google and others«. In: The Guardian (June 7, 2013). URL: https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data (visited on 12/15/2017).
Greschbach, Benjamin et al. »The Effect of DNS on Tor’s Anonymity«. In: arXiv:1609.08187 (Sept. 26, 2016).
Greschbach, Benjamin et al. »The Effect of DNS on Tor’s Anonymity«. In: Proceedings 2017 Network and Distributed System Security Symposium. Internet Society, 2017. https://doi.org/10.14722/ndss.2017.23311.
Guha, Saikat and Paul Francis. »Identity trail: Covert surveillance using DNS«. In: Privacy Enhancing Technologies: 7th International Symposium, PET 2007 Ottawa, Canada, June 20-22, 2007 Revised Selected Papers. Ed. by Nikita Borisov and Philippe Golle. Vol. 4776. Lecture Notes in Computer Science. Springer. Berlin and Heidelberg, 2007, pp. 153–166. https://doi.org/10.1007/978-3-540-75551-7_10.
Hao, Shuang, Nick Feamster, and Ramakant Pandrangi. »Monitoring the initial DNS behavior of malicious domains«. In: Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference. ACM. 2011, pp. 269–278.
Herrmann, Dominik. Beobachtungsmöglichkeiten im Domain Name System: Angriffe auf die Privatsphäre und Techniken zum Selbstdatenschutz. Wiesbaden: Springer Vieweg, 2016. https://doi.org/10.1007/978-3-658-13263-7.
Herrmann, Dominik. »Privacy issues in the Domain Name System and techniques for self-defense«. In: it-Information Technology 57.6 (2015), pp. 388–393. https://doi.org/10.1515/itit-2015-0038.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Fachmedien Wiesbaden GmbH, ein Teil von Springer Nature
About this chapter
Cite this chapter
Kelpen, K., Simo, H. (2018). Privacy and Data Protection in the Domain Name System. In: Friedewald, M. (eds) Privatheit und selbstbestimmtes Leben in der digitalen Welt. DuD-Fachbeiträge. Springer Vieweg, Wiesbaden. https://doi.org/10.1007/978-3-658-21384-8_8
Download citation
DOI: https://doi.org/10.1007/978-3-658-21384-8_8
Published:
Publisher Name: Springer Vieweg, Wiesbaden
Print ISBN: 978-3-658-21383-1
Online ISBN: 978-3-658-21384-8
eBook Packages: Computer Science and Engineering (German Language)