Understanding the Privacy Implications of DNSSEC Look-Aside Validation

Aziz Mohaisen; Zhongshu Gu; Kui Ren; Laurent Njilla; Charles Kamhoua; Dae Hun Nyang

doi:10.1109/PAC.2017.38

Understanding the Privacy Implications of DNSSEC Look-Aside Validation

Aziz Mohaisen, Zhongshu Gu, Kui Ren, Laurent Njilla, Charles Kamhoua, Dae Hun Nyang

Cyber Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

DNSSEC Look-aside Validation (DLV) is examined, highlighting its lax specifications and privacy implications. By performing extensive experiments over datasets of domain names under comprehensive experimental settings, our findings firmly confirm the privacy leakages caused by DLV. We discover that a large number of domains that should not be sent to DLV servers are being leaked. We explore the root causes, and propose two approaches to fix the privacy leakages.

Original language	English
Title of host publication	Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	208-209
Number of pages	2
ISBN (Electronic)	9781538610275
DOIs	https://doi.org/10.1109/PAC.2017.38
State	Published - 4 Dec 2017
Event	1st IEEE Symposium on Privacy-Aware Computing, PAC 2017 - Washington, United States Duration: 1 Aug 2017 → 3 Aug 2017

Publication series

Name	Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017
Volume	2017-January

Conference

Conference	1st IEEE Symposium on Privacy-Aware Computing, PAC 2017
Country/Territory	United States
City	Washington
Period	1/08/17 → 3/08/17

Keywords

DNS
Privacy

Access to Document

10.1109/PAC.2017.38

Cite this

Mohaisen, A., Gu, Z., Ren, K., Njilla, L., Kamhoua, C., & Nyang, D. H. (2017). Understanding the Privacy Implications of DNSSEC Look-Aside Validation. In Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017 (pp. 208-209). (Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017; Vol. 2017-January). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/PAC.2017.38

@inproceedings{1788e8b0aea24aa3a7d0db7ef30509e9,

title = "Understanding the Privacy Implications of DNSSEC Look-Aside Validation",

abstract = "DNSSEC Look-aside Validation (DLV) is examined, highlighting its lax specifications and privacy implications. By performing extensive experiments over datasets of domain names under comprehensive experimental settings, our findings firmly confirm the privacy leakages caused by DLV. We discover that a large number of domains that should not be sent to DLV servers are being leaked. We explore the root causes, and propose two approaches to fix the privacy leakages.",

keywords = "DNS, Privacy",

author = "Aziz Mohaisen and Zhongshu Gu and Kui Ren and Laurent Njilla and Charles Kamhoua and Nyang, {Dae Hun}",

note = "Funding Information: Supported by NSF grant CNS-1643207 and NRF grant number 2016K1A1A2912757 (Global Research Lab). See [4]. Approved for public release: distribution unlimited 88ABW-2017-2413, dated 17 May 2017. Funding Information: 2) Privacy-Preserving DLV: The second remedy involves changing the data format provided for both DLV registration and query. On DLV record registration, instead of depositing (domain_name, DNSKEY), we compute $digest = crypto_hash(domain_name) and deposit (domain_name, DNSKEY, $digest) to the DLV server. On DLV query, the resolver only sends the computed hash instead of the domain to the DLV server. Acknowledgement. Supported by NSF grant CNS-1643207 and NRF grant number 2016K1A1A2912757 (Global Research Lab). See [4]. Approved for public release: distribution unlimited 88ABW-2017-2413, dated 17 May 2017. REFERENCES Publisher Copyright: {\textcopyright} 2017 IEEE.; null ; Conference date: 01-08-2017 Through 03-08-2017",

year = "2017",

month = dec,

day = "4",

doi = "10.1109/PAC.2017.38",

language = "English",

series = "Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "208--209",

booktitle = "Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017",

}

Mohaisen, A, Gu, Z, Ren, K, Njilla, L, Kamhoua, C & Nyang, DH 2017, Understanding the Privacy Implications of DNSSEC Look-Aside Validation. in Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017. Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017, vol. 2017-January, Institute of Electrical and Electronics Engineers Inc., pp. 208-209, 1st IEEE Symposium on Privacy-Aware Computing, PAC 2017, Washington, United States, 1/08/17. https://doi.org/10.1109/PAC.2017.38

Understanding the Privacy Implications of DNSSEC Look-Aside Validation. / Mohaisen, Aziz; Gu, Zhongshu; Ren, Kui et al.

Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017. Institute of Electrical and Electronics Engineers Inc., 2017. p. 208-209 (Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017; Vol. 2017-January).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Understanding the Privacy Implications of DNSSEC Look-Aside Validation

AU - Mohaisen, Aziz

AU - Gu, Zhongshu

AU - Ren, Kui

AU - Njilla, Laurent

AU - Kamhoua, Charles

AU - Nyang, Dae Hun

N1 - Funding Information: Supported by NSF grant CNS-1643207 and NRF grant number 2016K1A1A2912757 (Global Research Lab). See [4]. Approved for public release: distribution unlimited 88ABW-2017-2413, dated 17 May 2017. Funding Information: 2) Privacy-Preserving DLV: The second remedy involves changing the data format provided for both DLV registration and query. On DLV record registration, instead of depositing (domain_name, DNSKEY), we compute $digest = crypto_hash(domain_name) and deposit (domain_name, DNSKEY, $digest) to the DLV server. On DLV query, the resolver only sends the computed hash instead of the domain to the DLV server. Acknowledgement. Supported by NSF grant CNS-1643207 and NRF grant number 2016K1A1A2912757 (Global Research Lab). See [4]. Approved for public release: distribution unlimited 88ABW-2017-2413, dated 17 May 2017. REFERENCES Publisher Copyright: © 2017 IEEE.

PY - 2017/12/4

Y1 - 2017/12/4

N2 - DNSSEC Look-aside Validation (DLV) is examined, highlighting its lax specifications and privacy implications. By performing extensive experiments over datasets of domain names under comprehensive experimental settings, our findings firmly confirm the privacy leakages caused by DLV. We discover that a large number of domains that should not be sent to DLV servers are being leaked. We explore the root causes, and propose two approaches to fix the privacy leakages.

AB - DNSSEC Look-aside Validation (DLV) is examined, highlighting its lax specifications and privacy implications. By performing extensive experiments over datasets of domain names under comprehensive experimental settings, our findings firmly confirm the privacy leakages caused by DLV. We discover that a large number of domains that should not be sent to DLV servers are being leaked. We explore the root causes, and propose two approaches to fix the privacy leakages.

KW - DNS

KW - Privacy

UR - http://www.scopus.com/inward/record.url?scp=85046554724&partnerID=8YFLogxK

U2 - 10.1109/PAC.2017.38

DO - 10.1109/PAC.2017.38

M3 - Conference contribution

AN - SCOPUS:85046554724

T3 - Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017

SP - 208

EP - 209

BT - Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 1 August 2017 through 3 August 2017

ER -

Mohaisen A, Gu Z, Ren K, Njilla L, Kamhoua C, Nyang DH. Understanding the Privacy Implications of DNSSEC Look-Aside Validation. In Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017. Institute of Electrical and Electronics Engineers Inc. 2017. p. 208-209. (Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017). doi: 10.1109/PAC.2017.38

Understanding the Privacy Implications of DNSSEC Look-Aside Validation

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this