Holes in the Geofence: Privacy Vulnerabilities in "Smart" DNS Services

TL;DR

This paper investigates privacy vulnerabilities in Smart DNS services, revealing how they can expose user identities and enable third-party user enumeration, and proposes mitigation strategies to address these issues.

Contribution

First academic analysis of SDNS services uncovering critical privacy flaws and proposing effective mitigation strategies.

Findings

Content providers can identify SDNS users.

Third parties can enumerate users by IP address.

Mitigation strategies can prevent user enumeration.

Abstract

Smart DNS (SDNS) services advertise access to "geofenced" content (typically, video streaming sites such as Netflix or Hulu) that is normally inaccessible unless the client is within a prescribed geographic region. SDNS is simple to use and involves no software installation. Instead, it requires only that users modify their DNS settings to point to an SDNS resolver. The SDNS resolver "smartly" identifies geofenced domains and, in lieu of their proper DNS resolutions, returns IP addresses of proxy servers located within the geofence. These servers then transparently proxy traffic between the users and their intended destinations, allowing for the bypass of these geographic restrictions. This paper presents the first academic study of SDNS services. We identify a number of serious and pervasive privacy vulnerabilities that expose information about the users of these systems. These include architectural weaknesses that enable content providers to identify which requesting clients use SDNS. Worse, we identify flaws in the design of some SDNS services that allow {\em any} arbitrary third party to enumerate these services' users (by IP address), even if said users are currently offline. We present mitigation strategies to these attacks that have been adopted by at least one SDNS provider in response to our findings.