
SoylentNews is people

posted by chromas on Thursday August 23 2018, @03:03AM

Arthur T Knackerbracket has found the following story:

Most people's DNS queries – by which browsers and other software resolve domain names into IP addresses – remain unprotected while flowing over the internet.

And that's because, you may not be surprised to know, the proposed standards to safeguard DNS traffic – such as DNSSEC and DNS-over-HTTPS – have yet to be fully baked and aren't yet widely adopted.

DNSSEC, for one, aims to prevent miscreants tampering with intercepted domain-name lookups by digitally signing the answers – making any forgeries obvious to software. DNS-over-TLS and DNS-over-HTTPS aim to do this, too, and encrypt the queries so eavesdroppers on the network can't snoop on what sites you're visiting.

Without these safeguards in wide (or any) use, DNS traffic remains unencrypted and unauthenticated, meaning it can potentially be spied on and meddled with to redirect people to malicious websites masquerading as legit sites.

Researchers from universities in China and the US recently decided to check whether or not this is actually happening, and found that traffic interception is a reality for a small but significant portion of DNS queries – 0.66 per cent of DNS requests over TCP – across a global sample of residential and cellular IP addresses.

The boffins [...] describe the results of their inquiry in a paper presented at this week's USENIX Security Symposium.

The paper, "Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path," describes how the researchers set up a system to measure DNS interception across 148,478 residential and cellular IP addresses around the world.

Internet users may choose their own DNS resolvers, by manually pointing their applications and operating systems at, say, Google Public DNS (8.8.8.8) or Cloudflare (1.1.1.1). Usually, however, people accept whatever DNS resolver the network or their ISP automatically provides.

If an intermediary intercepts a DNS request, that isn't necessarily nefarious, but it could lead to undesirable consequences. At the very least, it deprives those using the internet of choice and privacy.

The researchers looked for providers spoofing the IP addresses of users' specified DNS resolvers to intercept DNS traffic covertly. They designed their study to focus on registered domains and to omit sensitive keywords, to avoid the influence of content censorship mechanisms.

They found DNS query interception in 259 of the 3,047 service provider AS collections tested, or 8.5 per cent. (The research paper uses the term "ASes," which stands for Autonomous Systems, networking terminology for a collection of IP address blocks assigned to ISPs and other organizations.)

[...] For internet users interested in checking whether their DNS resolver points where it should, the researchers created an online test, hosted at whatismydnsresolver.com. Alas, it's not https.

-- submitted from IRC
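An added example, not code from the article or from the paper it summarizes, of how a defender can evaluate a set of DNS probes for interception. The two checks it models are assumptions of mine rather than the paper's published method: a reply to a query sent to a control address that runs no DNS service at all can only have come from something on the path, and an answer set that shares nothing with what other resolvers return is a weaker signal worth reporting (the page's own example is switching to Google, Cloudflare or Quad9 and seeing whether answers change). All addresses, transaction IDs and replies are constructed from documentation ranges for this example.

```python
"""Added example (not from the article or the paper it summarizes): an offline
model of how DNS-interception probes can be evaluated. Every address and reply
below is constructed from documentation ranges (192.0.2.0/24 and friends)."""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels, root-terminated."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(txid: int, name: str, ips, ttl: int = 300) -> bytes:
    """Constructed A-record reply (sample data only, not captured traffic)."""
    body = encode_name(name) + struct.pack("!HH", 1, 1)  # question: A, IN
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + body


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(l for l in labels if l), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_response(msg: bytes) -> dict:
    """Pull txid, rcode, question name and A answers out of a DNS reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, answers = 12, "", []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "qname": qname, "a": sorted(answers)}


@dataclass
class Probe:
    resolver: str              # address the query was sent to
    is_real_resolver: bool     # False for a control address that runs no DNS service
    txid: int
    name: str
    response: Optional[bytes]  # raw reply, or None if nothing came back


def check_probe(p: Probe):
    """Per-probe findings (empty list = nothing suspicious) and the answer set."""
    findings = []
    if p.response is None:
        return (["no reply from a real resolver"] if p.is_real_resolver else []), set()
    if not p.is_real_resolver:
        # Strongest signal: an address that cannot answer did, so something on-path replied.
        findings.append("reply to a query sent to a non-resolver: on-path interception")
    r = parse_response(p.response)
    if r["txid"] != p.txid or r["qname"].lower() != p.name.strip(".").lower():
        findings.append("reply does not match the query that was sent")
    return findings, set(r["a"])


def detect_interception(probes) -> dict:
    """Evaluate probes for one name; return {resolver: [findings]}. Disagreement is
    a weak signal (CDNs legitimately vary), so it is reported only when an answer
    set shares nothing with the consensus of the otherwise-clean probes."""
    results, answers = {}, {}
    for p in probes:
        results[p.resolver], answers[p.resolver] = check_probe(p)
    clean = [frozenset(answers[r]) for r, f in results.items() if not f and answers[r]]
    if clean:
        consensus = Counter(clean).most_common(1)[0][0]
        for r, f in results.items():
            if not f and answers[r] and not (answers[r] & consensus):
                f.append("answer shares nothing with the other resolvers' answers")
    return results


def sample_probes():
    # Constructed probe set for one lookup of "example.test"; all addresses are fictional.
    n = "example.test"
    return [
        Probe("192.0.2.53", True, 0x1111, n, build_response(0x1111, n, ["198.51.100.10"])),
        Probe("192.0.2.54", True, 0x2222, n, build_response(0x2222, n, ["198.51.100.10"])),
        # "ISP default" resolver steering the name somewhere else entirely
        Probe("192.0.2.55", True, 0x3333, n, build_response(0x3333, n, ["203.0.113.99"])),
        # control: nothing listens on this address, yet a reply came back
        Probe("192.0.2.250", False, 0x4444, n, build_response(0x4444, n, ["203.0.113.99"])),
    ]
```

Calling `detect_interception(sample_probes())` reports nothing for the first two resolvers, flags the third for an answer set that overlaps none of the others, and flags the control address outright. In a real deployment the probes would be built from live replies (source address, transaction ID and raw packet), and the control address would be one you control and know to be silent; the point of the control probe is that it needs no guess about what the "right" answer is.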


  • (Score: 3, Insightful) by mhajicek on Thursday August 23 2018, @03:29AM (7 children)

    by mhajicek (51) on Thursday August 23 2018, @03:29AM (#725045)

    That seems quite unacceptably high. Imagine fatally crashing your car 0.66% of the time you drive. How many DNS lookups do you make per day?

    --
    The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
  • (Score: 2) by legont on Thursday August 23 2018, @05:03AM

    by legont (4179) on Thursday August 23 2018, @05:03AM (#725079)

    How much of it is governments doing? I expected way more.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 3, Insightful) by isostatic on Thursday August 23 2018, @07:41AM (5 children)

    by isostatic (365) on Thursday August 23 2018, @07:41AM (#725098) Journal

    Unlikely it will be 0.66% of your DNS requests, more likely there's a 0.66% chance of it being every DNS request - i.e. 1 in 150 are affected.

    • (Score: 4, Informative) by zocalo on Thursday August 23 2018, @08:01AM (4 children)

      by zocalo (302) on Thursday August 23 2018, @08:01AM (#725105)

      Pretty much. Some of the larger UK ISPs use DNS based blocklists usually under some reasonable sounding banner like "Safe Surfing" rather than anything implying potential government controlled censorship because guess who gets to decide what is fraudulent, terror related, porn, (and soon, no doubt, "fake news"), or whatever? That means that unless a user opts out of *all* of the filtering (assuming the ISP even lets them - some don't), or uses an alternative DNS service that the ISP can't/doesn't intercept, then 100% of that ISP's customers will be having their DNS traffic intercepted.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 2) by isostatic on Thursday August 23 2018, @09:54AM (3 children)

        by isostatic (365) on Thursday August 23 2018, @09:54AM (#725129) Journal

        Do many ISPs *actually* MITM DNS, or is it that the default routers simply give out ISP dns entries?

        I've seen two ISPs that actually MITM HTTPS traffic! The first was a network provider at the European athletics in Glasgow. The second was the onboard wifi on TransPennine Express.

        • (Score: 0) by Anonymous Coward on Thursday August 23 2018, @10:56AM (1 child)

          by Anonymous Coward on Thursday August 23 2018, @10:56AM (#725138)

          I've seen two ISPs that actually MITM HTTPS traffic! The first was a network provider at the European athletics in Glasgow.

          I live not a million miles away from Glasgow. I've caught my ISP selectively MITMing HTTPS traffic a couple of times; as to DNS... yes, they've tried MITM on that as well.

          • (Score: 0) by Anonymous Coward on Sunday August 26 2018, @06:28AM

            by Anonymous Coward on Sunday August 26 2018, @06:28AM (#726459)

            Yes, I've seen an edge router application that held a static table and would mitm DNS on TCP or simply falsify a UDP response.

        • (Score: 2) by zocalo on Thursday August 23 2018, @02:40PM

          by zocalo (302) on Thursday August 23 2018, @02:40PM (#725217)

          I've seen DNS MITM done, but generally they're filtering queries on their own DNS (and web URLs via proxy servers), which are then pushed as the defaults on their supplied routers, DHCP configs, support pages, and so on. Switch to Google, CloudFlare, Quad9, or even set up your own DNS server, then all the "blocked" sites start working again. Take-up might not be great, but enough sites are doing DNSSEC that trying to MITM it is challenging enough to make most ISPs look for an easier approach.
          --
          UNIX? They're not even circumcised! Savages!