Look-Aside at your own risk: Privacy implications of DNSSEC Look-Aside Validation

Aziz Mohaisen, Zhongshu Gu, Kui Ren, Zhenhua Li, Charles A. Kamhoua, Laurent L. Njilla, Dae Hun Nyang

Research output: Contribution to journal, Article, peer-review

1 Scopus citations


The Domain Name System Security Extension (DNSSEC) leverages public-key cryptography to provide data integrity, source authentication, and denial of existence for DNS responses. To complement DNSSEC operations, DNSSEC Look-Aside Validation (DLV) is designed for alternative off-path validation. Although DNS privacy attracts a lot of attention, the privacy implications of DLV are not fully investigated and understood. In this paper, we take a first in-depth look into DLV, highlighting its lax specifications and privacy implications. By performing extensive experiments over datasets of domain names under comprehensive experimental settings, our findings firmly confirm the privacy leakages caused by DLV. We discover that a large number of domains that should not be sent to DLV servers are being leaked. We explore the root causes, including the lax specifications of DLV. We also propose two approaches to fix the privacy leakages. Our approaches require trivial modifications to the existing DNS standards, and we demonstrate their cost in terms of latency and communication.

Original language: English
Article number: 8316923
Pages (from-to): 745-759
Number of pages: 15
Journal: IEEE Transactions on Dependable and Secure Computing
Issue number: 4
State: Published - 1 Jul 2020

Bibliographical note

Publisher Copyright:
© 2004-2012 IEEE.


  • Domain name system
  • defenses
  • privacy leakage

