nach oben

Erschienen in:

2019 | OriginalPaper | Buchkapitel

A First Look at QNAME Minimization in the Domain Name System

verfasst von : Wouter B. de Vries, Quirin Scheitle, Moritz Müller, Willem Toorop, Ralph Dolmans, Roland van Rijswijk-Deij

Erschienen in: Passive and Active Measurement

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The Domain Name System (DNS) is a critical part of network and Internet infrastructure; DNS lookups precede almost any user request. DNS lookups may contain private information about the sites and services a user contacts, which has spawned efforts to protect privacy of users, such as transport encryption through DNS-over-TLS or DNS-over-HTTPS.

In this work, we provide a first look on the resolver-side technique of query name minimization (qmin), which was standardized in March 2016 as RFC 7816. qmin aims to only send minimal information to authoritative name servers, reducing the number of servers that full DNS query names are exposed to. Using passive and active measurements, we show a slow but steady adoption of qmin on the Internet, with a surprising variety in implementations of the standard. Using controlled experiments in a test-bed, we validate lookup behavior of various resolvers, and quantify that qmin both increases the number of DNS lookups by up to 26%, and also leads to up to 5% more failed lookups. We conclude our work with a discussion of qmin’s risks and benefits, and give advice for future use.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Mapping an Enterprise Network by Analyzing DNS Traffic

Nächstes Kapitel Clustering and the Weekend Effect: Recommendations for the Use of Top Domain Lists in Security Research

We turn DNSSEC validation off to achieve comparable behavior (validating DNSSEC requires more queries to be sent); we also note that the combination of qmin and DNSSEC may induce further complexities beyond the scope of this work.

RIPE Atlas measurement for a.b.qnamemin-test.internet.nlTXT (2017). https://atlas.ripe.net/measurements/8310250/

RIPE Atlas measurement for o-o.myaddr.l.google.comTXT (2017). https://atlas.ripe.net/measurements/8310237/

RIPE Atlas measurement for ripe-hackathon6.nlnetlabs.nlAAAA (2017). https://atlas.ripe.net/measurements/8310366/

RIPE Atlas measurement for ripe-hackathon6.nlnetlabs.nlAAAA. Ripe MSM IDs: 16428213, 16428214, 16428215, 16428216, 16428217, 16428218, 16428219, 16428220, 16428221, 16428222 (2017)

RIPE Atlas measurement for whoami.akamai.netA (2017). https://atlas.ripe.net/measurements/8310245/

Bortzmeyer, S.: DNS privacy considerations. RFC 7626 (Informational), August 2015. https://www.rfc-editor.org/rfc/rfc7626.txt

Bortzmeyer, S.: DNS query name minimisation to improve privacy. RFC 7816 (Experimental), March 2016. https://www.rfc-editor.org/rfc/rfc7816.txt

Bortzmeyer, S., Huque, S.: NXDOMAIN: there really is nothing underneath. RFC 8020 (Proposed Standard), November 2016. https://www.rfc-editor.org/rfc/rfc8020.txt

Bortzmeyer, S.: PowerDNS - add qname minimisation (2015). https://github.com/PowerDNS/pdns/issues/2311

10.

Castro, S., Wessels, D., Fomenkov, M., Claffy, K.: A day at the root of the internet. ACM SIGCOMM Comput. Commun. Rev. 38(5), 41–46 (2008)CrossRef

11.

Cisco: Cisco Umbrella Top 1M List, September 14–30 2018. https://s3-us-west-1.amazonaws.com/umbrella-static/index.html

12.

Cooper, A., et al.: Privacy Considerations for Internet Protocols. RFC 6973, July 2013. https://rfc-editor.org/rfc/rfc6973.txt

13.

CZ.NIC: Knot resolver 1.0.0 released (2016). https://www.knot-resolver.cz/2016-05-30-knot-resolver-1.0.0.html

14.

Dittrich, D., Kenneally, E., et al.: The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. US Department of Homeland Security (2012)

15.

DNS OARC: Day In The Life of the Internet (2017 and 2018). https://www.dns-oarc.net/oarc/data/ditl

16.

Dolmans, R.: QNAME Minimization in Unbound, RIPE 72 (2016). https://ripe72.ripe.net/wp-content/uploads/presentations/120-unbound_qnamemin_ripe72.pdf

17.

Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: USENIX Security (2013)

18.

Fujiwara, K., Kato, A., Kumari, W.: Aggressive Use of DNSSEC-Validated Cache. RFC 8198 (Proposed Standard), July 2017. https://www.rfc-editor.org/rfc/rfc8198.txt

19.

Hardaker, W.: Analyzing and mitigating privacy with the DNS root service. In: NDSS: DNS Privacy Workshop, 2018 (2018)

20.

Hoffman, P.E., McManus, P.: DNS queries over HTTPS (DoH). RFC 8484, October 2018. https://rfc-editor.org/rfc/rfc8484.txt

21.

Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., Hoffman, P.E.: Specification for DNS over transport layer security (TLS). RFC 7858, May 2016. https://rfc-editor.org/rfc/rfc7858.txt

22.

Imana, B., Korolova, A., Heidemann, J.: Enumerating privacy leaks in DNS data collected above the recursive. In: NDSS: DNS Privacy Workshop, 2018. San Diego, California, USA, Feburary 2018. https://www.isi.edu/%7ejohnh/PAPERS/Imana18a.html

23.

ISC: Release notes for bind version 9.13.2 (2018). https://ftp.isc.org/isc/bind9/9.13.2/RELEASE-NOTES-bind-9.13.2.txt

24.

Mockapetris, P.: Domain names - concepts and facilities. RFC 1034, November 1987. https://rfc-editor.org/rfc/rfc1034.txt

25.

NLnet Labs: Nlnet labs: Unbound chanelog (2018). https://nlnetlabs.nl/svn/unbound/tags/release-1.8.0/doc/Changelog

26.

Pappas, V., Wessels, D., Massey, D., Lu, S., Terzis, A., Zhang, L.: Impact of configuration errors on DNS robustness. IEEE J. Sel. Areas Commun. 27(3), 275–290 (2009)CrossRef

27.

Partridge, C., Allman, M.: Ethical considerations in network measurement papers. Commun. ACM 59, 58–64 (2016)CrossRef

28.

Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: DNS security introduction and requirements. RFC 4033, March 2005. https://rfc-editor.org/rfc/rfc4033.txt

29.

Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: Protocol modifications for the DNS security extensions. RFC 4035, March 2005. https://rfc-editor.org/rfc/rfc4035.txt

30.

Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: Resource records for the DNS security extensions. RFC 4034, March 2005. https://rfc-editor.org/rfc/rfc4034.txt

31.

Scheitle, Q., et al.: A long way to the top: significance, structure, and stability of internet top lists. In: IMC 2018, Boston, USA. arXiv:1805.11506 November 2018

32.

Schmitt, P., Edmundson, A., Feamster, N.: Oblivious DNS: practical privacy for DNS queries. arXiv:1806.00276 (2018)

33.

de Vries, W.B., Scheitle, Q., Müller, M., Toorop, W., Dolmans, R., van Rijswijk-Deij, R.: Datasets and Scripts (2019). https://www.simpleweb.org/wiki/index.php/Traces#A_First_Look_at_QNAME_Minimization_in_the_Domain_Name_System

34.

Wang, Z.: Understanding the performance and challenges of DNS query name minimization. In: 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 1115–1120. IEEE (2018)

35.

Wullink, M., Moura, G.C., Müller, M., Hesselman, C.: ENTRADA: a high-performance network traffic data streaming warehouse. In: 2016 IEEE/IFIP Network Operations and Management Symposium (NOMS), pp. 913–918. IEEE (2016)

Titel: A First Look at QNAME Minimization in the Domain Name System
verfasst von: Wouter B. de Vries
Quirin Scheitle
Moritz Müller
Willem Toorop
Ralph Dolmans
Roland van Rijswijk-Deij
Verlag: Springer International Publishing
Buch: Passive and Active Measurement
Print ISBN: 978-3-030-15985-6

Electronic ISBN: 978-3-030-15986-3

Copyright-Jahr: 2019
DOI: https://doi.org/10.1007/978-3-030-15986-3_10

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"