Encryption Technologies for DNS Channel Transmission: Status, Trends and Challenges
Author: Zhang M, Yao JK, Li HT, Dong KJ, Yan ZW

Abstract:

As critical Internet infrastructure, DNS brings many privacy and security risks because it transmits messages in plaintext. Encryption technologies for DNS channel transmission, such as DoH, DoT, and DoQ, aim to prevent DNS data from being leaked or tampered with and to ensure the reliability of DNS message sources. Firstly, this study analyzes the privacy and security problems of plaintext DNS from six aspects, including the DNS message format, data storage and management, and system architecture and deployment, and then summarizes the existing related technologies and protocols. Secondly, the implementation principles and deployment status of the encryption protocols for DNS channel transmission are analyzed, and the performance of each encryption protocol under different network conditions is discussed using multi-angle evaluation indicators. Meanwhile, the study discusses the privacy protection effects of these encryption technologies through the limitations of the padding mechanism, encrypted traffic identification, and fingerprint-based analysis of encrypted activity. In addition, the problems and challenges faced by encryption technologies for DNS channel transmission are summarized from the aspects of deployment specifications, the abuse of encryption technologies by malicious traffic and attacks against them, the contradiction between privacy and network security management, and other factors affecting privacy and security after encryption. Relevant solutions are also presented. Finally, the study summarizes highlights for future research, such as the discovery of encrypted DNS services, server-side privacy protection, encryption between recursive resolvers and authoritative servers, and DNS over HTTP/3.

Citation: Zhang M, Yao JK, Li HT, Dong KJ, Yan ZW. Encryption Technologies for DNS Channel Transmission: Status, Trends and Challenges. Journal of Software, 2024, 35(1): 309–332
History
  • Received: August 02, 2022
  • Revised: September 16, 2022
  • Online: June 28, 2023
  • Published: January 06, 2024