Saving Brian's Privacy: the Perils of Privacy Exposure through Reverse DNS

TL;DR

This paper investigates privacy risks arising from reverse DNS records linked to DHCP exchanges, revealing how such records can expose device presence, network activity, and individual identities, even when other privacy measures are in place.

Contribution

It is the first study to analyze the privacy exposure through reverse DNS records related to DHCP, demonstrating the potential for tracking and identifying individuals and network dynamics.

Findings

Reverse DNS records often linger for less than an hour.

Clients' presence and network activity can be inferred from DNS records.

Patterns in DNS data can reveal personal and organizational behaviors.

Abstract

Given the importance of privacy, many Internet protocols are nowadays designed with privacy in mind (e.g., using TLS for confidentiality). Foreseeing all privacy issues at the time of protocol design is, however, challenging and may become near impossible when interaction out of protocol bounds occurs. One demonstrably not well understood interaction occurs when DHCP exchanges are accompanied by automated changes to the global DNS (e.g., to dynamically add hostnames for allocated IP addresses). As we will substantiate, this is a privacy risk: one may be able to infer device presence and network dynamics from virtually anywhere on the Internet -- and even identify and track individuals -- even if other mechanisms to limit tracking by outsiders (e.g., blocking pings) are in place. We present a first of its kind study into this risk. We identify networks that expose client identifiers in reverse DNS records and study the relation between the presence of clients and said records. Our results show a strong link: in 9 out of 10 cases, records linger for at most an hour, for a selection of academic, enterprise and ISP networks alike. We also demonstrate how client patterns and network dynamics can be learned, by tracking devices owned by persons named Brian over time, revealing shifts in work patterns caused by COVID-19 related work-from-home measures, and by determining a good time to stage a heist.