A Framework for Institutional Privacy Considered Full DNS Over HTTPS Architecture

Abstract

Read online

Domain Name System (DNS) has become an indispensable infrastructure for domain name resolution, which is essential for using Internet services today. Until now, privacy protection in DNS has mainly focused on the end user side, encrypting traffic between end terminals and DNS full-service resolvers, and the communication between DNS full-service resolvers and authoritative DNS servers still occurs in clear text. A DNS query from a DNS full-service resolver to an authoritative DNS server does not typically pose a privacy issue because the source IP address originates from the DNS full-service resolver. However, several recent reports have indicated that privacy leaks can occur at the institutional level by wiretapping the DNS communication or analyzing the domain name resolution logs of authoritative DNS servers. In order to further strengthen privacy in DNS, we propose a framework for domain name resolution that considers institutional privacy: full-DoH DNS architecture. The evaluation results on the prototype system confirmed that the end user privacy leakage risk on DNS communication between the end terminal and authoritative DNS servers could be significantly mitigated, and the overhead was acceptable for using Internet services. The main contributions of this paper can be summarized as follows: 1) we proposed a novel domain name resolution framework enabling end user preferences considering institutional privacy; 2) the evaluation results confirmed deployment in a local network environment and real-world Internet; and 3) we discussed the related issues of the proposed framework with respect to operations in a real network environment.

Keywords

• DNS
• DNS over HTTPS
• DoH
• privacy protection
• full-DoH
• end user intent