NinjaDoH: A Censorship-Resistant Moving Target DoH Server Using Hyperscalers and IPNS
Scott Seidenberger, Marc Beret, Raveen Wijewickrama, Murtuza Jadliwala, Anindya Maiti

TL;DR
NinjaDoH is a censorship-resistant DNS over HTTPS system that uses IPNS and hyperscalers to dynamically change network identifiers, making it difficult for censors to block without disrupting other traffic.
Contribution
It introduces NinjaDoH, a novel moving target DoH protocol utilizing IPNS and cloud infrastructure to evade censorship and detection.
Findings
NinjaDoH effectively evades detection by commercial firewall products and machine learning-based detection systems.
The protocol maintains acceptable DNS query latency.
Operational costs are quantified for practical deployment.
Abstract
We introduce NinjaDoH, a novel DNS over HTTPS (DoH) protocol that leverages the InterPlanetary Name System (IPNS), along with public cloud infrastructure, to create a censorship-resistant moving target DoH service. NinjaDoH is specifically designed to evade traditional censorship methods that involve blocking DoH servers by IP addresses or domains by continually altering the server's network identifiers, significantly increasing the complexity of effectively censoring NinjaDoH traffic without disruption of other web traffic. We also present an analysis that quantifies the DNS query latency and financial costs of running our implementation of this protocol as a service. Further tests assess the ability of NinjaDoH to elude detection mechanisms, including both commercial firewall products and advanced machine learning-based detection systems. The results broadly support NinjaDoH's…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Peer-to-Peer Network Technologies
