Understanding the Privacy Implications of DNSSEC Look-Aside Validation

Aziz Mohaisen, Zhongshu Gu, Kui Ren, Laurent Njilla, Charles Kamhoua, Dae Hun Nyang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

DNSSEC Look-aside Validation (DLV) is examined, highlighting its lax specifications and privacy implications. By performing extensive experiments over datasets of domain names under comprehensive experimental settings, our findings firmly confirm the privacy leakages caused by DLV. We discover that a large number of domains that should not be sent to DLV servers are being leaked. We explore the root causes, and propose two approaches to fix the privacy leakages.

Original language: English
Title of host publication: Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 208-209
Number of pages: 2
ISBN (Electronic): 9781538610275
State: Published - 4 Dec 2017
Event: 1st IEEE Symposium on Privacy-Aware Computing, PAC 2017 - Washington, United States
Duration: 1 Aug 2017 to 3 Aug 2017

Publication series

Name: Proceedings - 2017 IEEE Symposium on Privacy-Aware Computing, PAC 2017
Volume: 2017-January

Conference

Conference: 1st IEEE Symposium on Privacy-Aware Computing, PAC 2017
Country/Territory: United States
City: Washington
Period: 1/08/17 to 3/08/17

Bibliographical note

Funding Information:
Supported by NSF grant CNS-1643207 and NRF grant number 2016K1A1A2912757 (Global Research Lab). See [4]. Approved for public release: distribution unlimited 88ABW-2017-2413, dated 17 May 2017.

Funding Information:
2) Privacy-Preserving DLV: The second remedy involves changing the data format provided for both DLV registration and query. On DLV record registration, instead of depositing (domain_name, DNSKEY), we compute $digest = crypto_hash(domain_name) and deposit (domain_name, DNSKEY, $digest) to the DLV server. On DLV query, the resolver only sends the computed hash instead of the domain to the DLV server.

Publisher Copyright:
© 2017 IEEE.

Keywords

  • DNS
  • Privacy
