Evaluating the Security of a DNS Query Obfuscation Scheme for Private Web Surfing

TL;DR

This paper evaluates a DNS query obfuscation scheme in real-world web surfing, revealing it insufficiently protects privacy due to identifiable query patterns, and discusses how to improve security.

Contribution

The study provides the first real-world security evaluation of a DNS query obfuscation scheme, highlighting its vulnerabilities and practical challenges.

Findings

The scheme fails to sufficiently obscure query patterns.

Adversaries can identify visited websites using characteristic query features.

Practical challenges exist in implementing effective obfuscation.

Abstract

The Domain Name System (DNS) does not provide query privacy. Query obfuscation schemes have been proposed to overcome this limitation, but, so far, they have not been evaluated in a realistic setting. In this paper we evaluate the security of a random set range query scheme in a real-world web surfing scenario. We demonstrate that the scheme does not sufficiently obfuscate characteristic query patterns, which can be used by an adversary to determine the visited websites. We also illustrate how to thwart the attack and discuss practical challenges. Our results suggest that previously published evaluations of range queries may give a false sense of the attainable security, because they do not account for any interdependencies between queries.