How Private is Android's Private DNS Setting? Identifying Apps by Encrypted DNS Traffic

TL;DR

This paper demonstrates that encrypted DNS traffic, even with padding, can be used to identify Android apps with high accuracy, revealing privacy limitations of current DoT/DoH implementations.

Contribution

The paper introduces Segram, a novel app fingerprinting attack that is effective with less computational effort and evaluates the prevalence of padding in privacy-focused resolvers.

Findings

Segram achieves up to 72% accuracy in app identification.

Many resolvers do not enable padding, reducing privacy protections.

Padding approaches are less effective than expected in real-world scenarios.

Abstract

DNS over TLS (DoT) and DNS over HTTPS (DoH) promise to improve privacy and security of DNS by encrypting DNS messages, especially when messages are padded to a uniform size. Firstly, to demonstrate the limitations of recommended padding approaches, we present Segram, a novel app fingerprinting attack that allows adversaries to infer which mobile apps are executed on a device. Secondly, we record traffic traces of 118 Android apps using 10 different DoT/DoH resolvers to study the effectiveness of Segram under different conditions. According to our results, Segram identifies apps with accuracies of up to 72% with padding in a controlled closed world setting. The effectiveness of Segram is comparable with state-of-the-art techniques but Segram requires less computational effort. We release our datasets and code. Thirdly, we study the prevalence of padding among privacy-focused DoT/DoH resolvers, finding that up to 81% of our sample fail to enable padding. Our results suggest that recommended padding approaches are less effective than expected and that resolver operators are not sufficiently aware about this feature.