
SoylentNews is people

posted by chromas on Thursday August 23 2018, @03:03AM

Arthur T Knackerbracket has found the following story:

Most people's DNS queries – by which browsers and other software resolve domain names into IP addresses – remain unprotected while flowing over the internet.

And that's because, you may not be surprised to know, the proposed standards to safeguard DNS traffic – such as DNSSEC and DNS-over-HTTPS – have yet to be fully baked and aren't yet widely adopted.

DNSSEC, for one, aims to prevent miscreants tampering with intercepted domain-name lookups by digitally signing the answers – making any forgeries obvious to software. DNS-over-TLS and DNS-over-HTTPS aim to do this, too, and encrypt the queries so eavesdroppers on the network can't snoop on what sites you're visiting.

Without these safeguards in wide (or any) use, DNS traffic remains unencrypted and unauthenticated, meaning it can potentially be spied on and meddled with to redirect people to malicious websites masquerading as legit sites.

Researchers from universities in China and the US recently decided to check whether or not this is actually happening, and found that traffic interception is a reality for a small but significant portion of DNS queries – 0.66 per cent of DNS requests over TCP – across a global sample of residential and cellular IP addresses.

The boffins [...] describe the results of their inquiry in a paper presented at this week's USENIX Security Symposium.

The paper, "Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path," describes how the researchers set up a system to measure DNS interception across 148,478 residential and cellular IP addresses around the world.

Internet users may choose their own DNS resolvers, by manually pointing their applications and operating systems at, say, Google Public DNS (8.8.8.8) or Cloudflare (1.1.1.1). Usually, however, people accept whatever DNS resolver the network or their ISP automatically provides.

If an intermediary intercepts a DNS request, that isn't necessarily nefarious, but it could lead to undesirable consequences. At the very least, it deprives those using the internet of choice and privacy.

The researchers looked for providers spoofing the IP addresses of users' specified DNS resolvers to intercept DNS traffic covertly. They designed their study to focus on registered domains and to omit sensitive keywords, to avoid the influence of content censorship mechanisms.
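The spoofing check described above can be reduced to a closed-loop measurement: send a query for a unique name under a domain whose authoritative server you control, addressed to the resolver of your choice, then look at which source address actually arrived at that server. Below is an added example of that comparison, not code from the paper or from The Register; the resolver egress blocks, the log format and the probe names are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders: the address blocks each public resolver is assumed to use
# when it fetches answers from authoritative servers. Real egress ranges differ.
RESOLVER_EGRESS = {
    "8.8.8.8": [ipaddress.ip_network("203.0.113.0/24")],
    "1.1.1.1": [ipaddress.ip_network("198.51.100.0/24")],
}

@dataclass
class Probe:
    label: str        # unique label in the queried name so each probe is distinguishable
    client_ip: str    # vantage point that sent the query
    resolver_ip: str  # resolver the client explicitly addressed the query to

# Constructed log from the authoritative server of the probe domain: "<qname> <source_ip>"
AUTH_LOG = """\
p001.probe.example. 203.0.113.7
p002.probe.example. 192.0.2.44
p003.probe.example. 198.51.100.9
p003.probe.example. 192.0.2.45
"""

def parse_auth_log(text):
    """Map each probe label to the source addresses that asked the authoritative server for it."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        qname, src = line.split()
        seen.setdefault(qname.split(".")[0], []).append(ipaddress.ip_address(src))
    return seen

def classify(probe, seen):
    """Compare who really reached the authoritative server with the resolver the client chose."""
    expected = RESOLVER_EGRESS[probe.resolver_ip]
    sources = seen.get(probe.label, [])
    if not sources:
        return "no-answer"      # the query never reached the authoritative server
    legit = [s for s in sources if any(s in net for net in expected)]
    others = [s for s in sources if s not in legit]
    if legit and not others:
        return "direct"         # only the chosen resolver asked: no interception seen
    if others and not legit:
        return "intercepted"    # some other party answered on the resolver's behalf
    return "mixed"              # both the chosen resolver and another party asked

def run(probes, log_text=AUTH_LOG):
    seen = parse_auth_log(log_text)
    return {p.label: classify(p, seen) for p in probes}
```

A vantage point whose probes come back "intercepted" is talking to something other than the resolver it addressed, whatever the reply's source address claims.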

They found DNS query interception in 259 of the 3,047 service provider AS collections tested, or 8.5 per cent. (The research paper uses the term "ASes," which stands for Autonomous Systems, networking terminology for a collection of IP address blocks assigned to ISPs and other organizations.)

[...] For internet users interested in checking whether their DNS resolver points where it should, the researchers created an online test, hosted at whatismydnsresolver.com. Alas, it's not https.

-- submitted from IRC


  • (Score: 1) by Mike (823) on Thursday August 23 2018, @05:52PM (#725303)

    Without a ton of extra software outside the scope of email (you can say PGP but I could just PGP a Post-It and send that to you, it doesn't mean the Post-It or mail service is a secure transport medium).

    You're looking for a solution to send authentic/encrypted messages between users. The users don't control the transport and the vast, vast majority of the time not the server end points.

    I think you are going to have an extremely difficult time coming up with an end-to-end security solution that does not have the encryption/authentication of a message under the control of the end user. That solution is either going to look something like PGP (or S/MIME) or it will require individual communication servers (e.g. email servers) that make authenticated/encrypted connections directly to other users' servers. I think between the choice of having each user run their own server or use something like PGP, the something like PGP is going to be the winner.

  • (Score: 2) by driverless (4770) on Thursday August 23 2018, @11:41PM (#725474)

    "the something like PGP is going to be the winner"

    PGP has been around for more than a quarter of a century. Outside the hardcore geek community, its use is essentially nonexistent. Heck, I barely use it because it's such a pain, and I am a hardcore geek who communicates mostly with other hardcore geeks. On the receiving end I get maybe two or three PGP-encrypted emails a year, and invariably zero of them actually needed encryption; they were just being sent by an even more extreme geek than myself.

    So I'm going to have to disagree with you there on PGP, or S/MIME, or anything else where the user is exposed to key management and signatures and all that other crap being a winner. STARTTLS is a winner. WhatsApp and Signal are winners. Encrypted/signed email isn't even an also-ran, it's lost in the noise margin.