Abstract
DNS cache probing infers whether users of a DNS resolver have recently issued a query for a domain name, by determining whether the corresponding resource record (RR) is present in the resolver’s cache. The most common method is to send DNS queries with the “recursion desired” (RD) flag set to zero, which resolvers typically answer from their caches alone. The answer’s TTL value is then used to infer when the resolver cached the RR, and thus when the domain was last queried. Previous work in this space assumes that DNS resolvers will respond to researchers’ queries. However, an increasingly common policy for resolvers is to ignore queries from outside their networks. In this paper, we demonstrate that many of these DNS resolvers can still be queried indirectly through open DNS forwarders in their network. We apply our technique to localize website filtering appliances sold by Netsweeper, Inc., and to track the global proliferation of stalkerware. We are able to discover Netsweeper devices in ASNs where OONI and Censys fail to detect them, and we observe a regionality effect in the usage of stalkerware apps across the world.
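As an added illustration (not code from the paper), the RD-flag and TTL arithmetic the abstract describes, seen from the resolver operator's side: the header parser flags RD=0 queries arriving from outside an assumed set of served prefixes, and the TTL function shows what a cached answer's TTL reveals. The query builder, the served prefixes and the timestamps are constructed for the example.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed: minimal DNS query (one question, type A, class IN) so the
# parser below has input to work on; the "rd" argument sets the RD flag.
def build_query(name, txid=0x1234, rd=True):
    flags = 0x0100 if rd else 0x0000          # QR=0, OPCODE=0, RD is bit 8
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(pkt):
    """Decode the 12-byte DNS header (RFC 1035, section 4.1.1)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "qdcount": qd, "ancount": an}

# Assumed prefixes the resolver is meant to serve (placeholder values).
SERVED_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_probe_candidate(src_ip, pkt):
    """A query with RD=0 from outside the served prefixes matches the
    cache-probing pattern the abstract describes (answer from cache only)."""
    h = parse_header(pkt)
    if h["qr"] != 0 or h["rd"] != 0:
        return False
    return not any(ip_address(src_ip) in net for net in SERVED_PREFIXES)

def estimate_cache_insertion(observed_ttl, authoritative_ttl, now_ts):
    """What the probe learns: a cached RR's TTL counts down from the
    authoritative TTL, so the RR entered the cache (authoritative - observed)
    seconds before now_ts (all values in seconds, now_ts as a Unix time)."""
    return now_ts - (authoritative_ttl - observed_ttl)

if __name__ == "__main__":
    q = build_query("example.com", rd=False)
    print("probe candidate:", is_probe_candidate("203.0.113.5", q))
    # constructed: observed TTL 100, authoritative TTL 300, now = 1609502400
    print("cached at (unix time):", estimate_cache_insertion(100, 300, 1609502400))
```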
Notes
1. We analyze Farsight Security’s Passive DNS Project data [2]; all responses they observed for google.com since March 2, 2018, belong to AS15169.
References
OONI: Open Observatory of Network Interference. https://ooni.torproject.org/
Farsight Security (2020). https://www.farsightsecurity.com/solutions/dnsdb/
Abu Rajab, M., Zarfoss, J., Monrose, F., Terzis, A.: A multifaceted approach to understanding the botnet phenomenon. In: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, IMC 2006, New York, NY, USA, pp. 41–52. ACM (2006). https://doi.org/10.1145/1177080.1177086
Akcan, H., Suel, T., Brönnimann, H.: Geographic web usage estimation by monitoring DNS caches. In: Proceedings of the First International Workshop on Location and the Web, LOCWEB 2008, New York, NY, USA, pp. 85–92. ACM (2008). https://doi.org/10.1145/1367798.1367813
Alexa: The top 500 sites on the web. https://www.alexa.com/topsites
CAIDA: AS classification (2017). http://www.caida.org/data/as-classification/. Accessed April 2019
Calder, M., Fan, X., Zhu, L.: A cloud provider’s view of EDNS client-subnet adoption. In: 2019 Network Traffic Measurement and Analysis Conference (TMA), pp. 129–136. IEEE (2019)
UK National Cyber Security Centre: Protective DNS (PDNS). https://www.ncsc.gov.uk/information/pdns
UK National Cyber Security Centre: Protective DNS service for the public sector is now live. https://www.ncsc.gov.uk/blog-post/protective-dns-service-public-sector-now-live
Chatterjee, R., et al.: The spyware used in intimate partner violence. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 441–458. IEEE (2018)
Cisco: Cisco Umbrella 1 Million. https://umbrella.cisco.com/blog/cisco-umbrella-1-million
Dalek, J., et al.: Planet Netsweeper (2018). https://citizenlab.ca/2018/04/planet-netsweeper/
Dalek, J., et al.: A method for identifying and confirming the use of URL filtering products for censorship. In: ACM Internet Measurement Conference (2013)
Durumeric, Z., Adrian, D., Mirian, A., Bailey, M., Halderman, J.A.: A search engine backed by Internet-wide scanning. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, New York, NY, USA, pp. 542–553. ACM (2015). https://doi.org/10.1145/2810103.2813703
Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast Internet-wide scanning and its security applications. In: 22nd USENIX Security Symposium (USENIX Security 2013), pp. 605–620. USENIX Association (2013)
Freed, D., Palmer, J., Minchala, D.E., Levy, K., Ristenpart, T., Dell, N.: Digital technologies and intimate partner violence: a qualitative analysis with multiple stakeholders. Proceedings of the ACM on Human-Computer Interaction 1(CSCW), pp. 1–22 (2017)
Google: gopacket: provides packet processing capabilities for Go. https://github.com/google/gopacket
Grangeia, L.: DNS cache snooping. Technical report, SecuriTeam (Beyond Security) (2004)
Heasley, C.: Watching the Watchers: The Stalkerware Surveillance Ecosystem (2020). https://github.com/diskurse/android-stalkerware. Accessed Oct 2020
Marquis-Boire, M., et al.: Planet Blue Coat: mapping global censorship and surveillance tools (2013). https://citizenlab.ca/2013/01/planet-blue-coat-mapping-global-censorship-and-surveillance-tools/
Mockapetris, P.: Domain names - concepts and facilities. RFC 1034, RFC Editor, November 1987. http://www.rfc-editor.org/rfc/rfc1034.txt
Mockapetris, P.: Domain names - implementation and specification. RFC 1035, RFC Editor, November 1987. http://www.rfc-editor.org/rfc/rfc1035.txt
Netsweeper: Netsweeper 6.3 documentation: List Management - Freshnsd. https://helpdesk.netsweeper.com/docs/6.3/#t=List_Management_Docs%2FFreshnsd%2FFreshnsd.htm
Niaki, A.A., Hoang, N.P., Gill, P., Houmansadr, A., et al.: Triplet censors: demystifying the Great Firewall’s DNS censorship behavior. In: 10th USENIX Workshop on Free and Open Communications on the Internet (FOCI 2020). USENIX Association (2020)
OONI: OONI Explorer. https://explorer.ooni.org/
Osborne, C.: Severe Netsweeper zero-day leaves gaping hole in users’ networks. https://portswigger.net/daily-swig/severe-netsweeper-zero-day-leaves-gaping-hole-in-users-networks
Parsons, C., et al.: The predator in your pocket: a multidisciplinary assessment of the stalkerware application industry. Citizen Lab report (2019)
Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. SIGCOMM Comput. Commun. Rev. 31(3), 38–47 (2001). https://doi.org/10.1145/505659.505664
Rajab, M.A., Monrose, F., Provos, N.: Peeking through the cloud: client density estimation via DNS cache probing. ACM Trans. Internet Technol. 10(3), 9:1–9:21 (2010). https://doi.org/10.1145/1852096.1852097
Randall, A., et al.: Trufflehunter: cache snooping rare domains at large public DNS resolvers. In: Proceedings of the ACM Internet Measurement Conference, IMC 2020, pp. 50–64. ACM (2020)
Schomp, K., Callahan, T., Rabinovich, M., Allman, M.: On measuring the client-side DNS infrastructure. In: Proceedings of the 2013 Conference on Internet Measurement Conference, IMC 2013, New York, NY, USA, pp. 77–90. ACM (2013). https://doi.org/10.1145/2504730.2504734
Southworth, C., Finn, J., Dawson, S., Fraser, C., Tucker, S.: Intimate partner violence, technology, and stalking. Violence Against Women 13(8), 842–856 (2007)
Statista: Number of smartphone users worldwide from 2016 to 2021. https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/
Te-k: Indicators on stalkerware (2019). https://github.com/Te-k/stalkerware-indicators. Accessed Oct 2020
Tseng, E., et al.: The tools and tactics used in intimate partner surveillance: an analysis of online infidelity forums. In: 29th USENIX Security Symposium (USENIX Security 2020), pp. 1893–1909. USENIX Association (2020). https://www.usenix.org/conference/usenixsecurity20/presentation/tseng
Wander, M., Boelmann, C., Schwittmann, L., Weis, T.: Measurement of globally visible DNS injection. IEEE Access 2, 526–536 (2014)
Wills, C.E., Mikhailov, M., Shang, H.: Inferring relative popularity of Internet applications by actively querying DNS caches. In: Proceedings of the 3rd ACM SIGCOMM Conference on Internet Measurement, IMC 2003, New York, NY, USA, pp. 78–90. ACM (2003). https://doi.org/10.1145/948205.948216
Acknowledgments
We would like to thank our shepherd, Matt Calder, and all of the anonymous reviewers for their feedback on this paper. We also thank Amin Nejatbakhsh, Armin Niaki, Ilia Shumailov, Milad Nasr, Mohammad Motiei, and Negar Ghorbani for helpful comments and suggestions.
This research was financially supported by the National Science Foundation, United States, under awards CNS-1740895 and CNS-1719386. The opinions in this paper are those of the authors and do not necessarily reflect the opinions of the sponsors.
A Global Tracking of Stalkerware Apps
Table 5 lists the 22 stalkerware apps that were active in the largest number of countries.
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Akhavan Niaki, A., Marczak, W., Farhoodi, S., McGregor, A., Gill, P., Weaver, N. (2021). Cache Me Outside: A New Look at DNS Cache Probing. In: Hohlfeld, O., Lutu, A., Levin, D. (eds) Passive and Active Measurement. PAM 2021. Lecture Notes in Computer Science(), vol 12671. Springer, Cham. https://doi.org/10.1007/978-3-030-72582-2_25
DOI: https://doi.org/10.1007/978-3-030-72582-2_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-72581-5
Online ISBN: 978-3-030-72582-2