DOI: 10.1007/978-3-031-17143-7_8
Article

Large Scale Analysis of DoH Deployment on the Internet

Published: 26 September 2022

Abstract

DNS over HTTPS (DoH) is one of the standards to protect the security and privacy of users. The choice of DoH provider has controversial consequences, from monopolisation of surveillance to lost visibility by network administrators and security providers. More importantly, it is a novel security business. Software products and organisations depend on users choosing well-known and trusted DoH resolvers. However, there is no comprehensive study on the number of DoH resolvers on the Internet, their growth, and the trustworthiness of the organisations behind them. This paper studies the deployment of DoH resolvers by (i) scanning the whole Internet for DoH resolvers in 2021 and 2022; (ii) creating lists of DoH resolvers that are well known to the community; (iii) characterising what those resolvers are; and (iv) comparing the growth and differences. Results show that (i) the number of DoH resolvers increased 4.8 times in the period 2021–2022, (ii) the number of organisations providing DoH services has doubled, and (iii) the number of DoH resolvers in 2022 is 28 times larger than the number of DoH resolvers well known to the community. Moreover, 94% of the public DoH resolvers on the Internet are unknown to the community, 77% use certificates from free services, and 57% belong to unknown organisations or personal servers. We conclude that the number of DoH resolvers is growing at a fast rate, and that at least 30% of them are not completely trustworthy, so users should be very careful when choosing a DoH resolver.


Published In

Computer Security – ESORICS 2022: 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26–30, 2022, Proceedings, Part III
Sep 2022
797 pages
ISBN: 978-3-031-17142-0
DOI: 10.1007/978-3-031-17143-7

Publisher

Springer-Verlag, Berlin, Heidelberg

Author Tags

1. DoH
2. Encrypted DNS
3. Network measurement
4. Network trends
