research-article

Open access

Trufflehunter: Cache Snooping Rare Domains at Large Public DNS Resolvers

Authors:

Audrey Randall,

Enze Liu,

Gautam Akiwate,

Ramakrishna Padmanabhan,

Geoffrey M. Voelker,

Stefan Savage,

Aaron SchulmanAuthors Info & Claims

IMC '20: Proceedings of the ACM Internet Measurement Conference

Pages 50 - 64

https://doi.org/10.1145/3419394.3423640

Published: 27 October 2020 Publication History

PDF eReader

Abstract

This paper presents and evaluates Trufflehunter, a DNS cache snooping tool for estimating the prevalence of rare and sensitive Internet applications. Unlike previous efforts that have focused on small, misconfigured open DNS resolvers, Trufflehunter models the complex behavior of large multi-layer distributed caching infrastructures (e.g., such as Google Public DNS). In particular, using controlled experiments, we have inferred the caching strategies of the four most popular public DNS resolvers (Google Public DNS, Cloudflare Quad1, OpenDNS and Quad9). The large footprint of such resolvers presents an opportunity to observe rare domain usage, while preserving the privacy of the users accessing them. Using a controlled testbed, we evaluate how accurately Trufflehunter can estimate domain name usage across the U.S. Applying this technique in the wild, we provide a lower-bound estimate of the popularity of several rare and sensitive applications (most notably smartphone stalkerware) which are otherwise challenging to survey.

Supplementary Material

MP4 File (imc2020-148-long.mp4)

This presentation video for "Trufflehunter: Cache Snooping Rare Domains at Large Public DNS Resolvers" describes how cache snooping can be used as a privacy-preserving measurement tool on public DNS resolvers like Google Public DNS, Cloudflare DNS, Quad9, and OpenDNS. "Trufflehunter," the distributed measurement tool developed by the authors, is well suited for measuring the usage of uncommon, harmful Internet behaviors. These are typically less well studied in the wild than more common types of harm because their rarity makes them harder to observe. Cache snooping a complex resolver with many caches is not possible unless the cache architecture is well understood, so the authors reverse engineered the caching structure of four public resolvers. They then performed case studies on several under-studied harmful Internet phenomena, including stalkerware and contract cheating services.

Download
347.94 MB

MP4 File (imc2020-148-short.mp4)

This short presentation video for "Trufflehunter: Cache Snooping Rare Domains at Large Public DNS Resolvers" describes how cache snooping can be used as a privacy-preserving measurement tool on public DNS resolvers like Google Public DNS, Cloudflare DNS, Quad9, and OpenDNS. "Trufflehunter," the distributed measurement tool developed by the authors, is well suited for measuring the usage of uncommon, harmful Internet behaviors. These are typically less well studied in the wild than more common types of harm because their rarity makes them harder to observe. Cache snooping a complex resolver with many caches is not possible unless the cache architecture is well understood, so the authors reverse engineered the caching structure of four public resolvers. They then performed case studies on several under-studied harmful Internet phenomena, including stalkerware and contract cheating services.

Download
90.10 MB

References

[1]

Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. 2006. A Multifaceted Approach to Understanding the Botnet Phenomenon. In Proc. ACM Internet Measurement Conference (IMC).

Abstract

Supplementary Material

References

Cited By

Index Terms

Recommendations

TLB Improvements for Chip Multiprocessors: Inter-Core Cooperative Prefetchers and Shared Last-Level TLBs

SELECTIVE VICTIM CACHING: A METHOD TO IMPROVE THE PERFORMANCE OF DIRECT-MAPPED CACHES

On scalable and locality-aware web document sharing

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations