August 22, 2018 | By Adonis Bovell
As Google's public DNS resolver turns 8.8.8.8 years old, a milestone that matches its own address, a recent USENIX Security 2018 paper explores the prevalence of DNS interception across Autonomous Systems. The Domain Name System translates human-readable domain names into network addresses, which is typically the first step in almost every network conversation. The study shows that a small but significant share of these conversations are not simply couriered to and from their destination but may be tampered with along the way. Beyond the privacy and data-integrity concerns this raises, the study also finds that the interception is carried out by resolvers running on insecure platforms that may themselves be vulnerable to attack.
IISP Analyst Adonis Bovell: "Often browsers mark HTTP as insecure, warning users to switch to HTTPS when entering sensitive data, but typically they stay silent about insecure domain name resolutions. This untrusted first step is an accepted fact of life on the Internet. So, it's not entirely surprising to discover that various Internet providers exploit this vulnerability to monitor and modify DNS queries within their Autonomous System. Ostensibly, this is done for security and speed concerns, but it may also be part of a monetization or censorship strategy. This study begins to put an estimate on the scale of this problem.
Unfortunately, the DNS protocol makes it difficult for an end-user to detect and prevent DNS manipulation. The adoption of newer standards, such as DNSSEC and DNS-over-HTTPS (DoH), will change this. DNSSEC allows users to validate the authenticity of DNS responses, whereas DoH also provides privacy by encrypting DNS communications. Google's DNS offering has supported DoH since 2016, whereas CloudFlare's resolver has supported DoH from its inception earlier this year. With the rise of publicly accessible alternative systems that support these advanced protocols, selecting your own DNS resolver is now a real choice that can be enforced by the consumer.
The availability of these resolvers is good for the health of the Internet as a whole. However, there is a caveat: using a public resolver gives the resolver an increased view of your Internet communication, and requires a level of trust in their service. Each of these resolvers has its own privacy and data-retention policies, which should be reviewed to ensure that it is a viable option."
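As an added example (not code from the article, the analyst, or either resolver operator), the block below shows the DoH request form the commentary above refers to: a DNS wire-format query with the EDNS0 DO bit set, base64url-encoded into an RFC 8484 GET URL, and a parser for the wire-format reply that reads the AD flag a validating resolver sets. The sample reply is constructed, the Google and Cloudflare endpoint URLs are the providers' published DoH endpoints rather than anything on this page, and the final check illustrates why a plain reply/query match does not reveal the silent rewriting the paper describes.

```python
"""Added example (not from the original article): build an RFC 8484 DNS-over-HTTPS
GET request from a DNS wire-format query and parse the wire-format answer."""
import base64
import struct

TYPE_A, TYPE_OPT = 1, 41
EDNS_DO = 0x8000  # DNSSEC OK bit in the OPT record's extended flags


def encode_name(name):
    """'example.com' -> length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, dnssec_ok=True):
    """Wire-format query: header, one IN question and, when dnssec_ok, an EDNS0
    OPT record with the DO bit so a validating resolver includes DNSSEC data and
    sets AD. RFC 8484 recommends ID 0 for GET so identical queries give cacheable URLs."""
    flags = 0x0100  # RD=1: recursion desired
    header = struct.pack("!HHHHHH", 0, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-RCODE/version/flags (DO bit), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def doh_get_url(query, endpoint="https://dns.google/dns-query"):
    """RFC 8484 GET form: the query, base64url-encoded without padding, in the
    `dns` parameter. Default endpoint is Google Public DNS's published DoH URL;
    Cloudflare's is https://cloudflare-dns.com/dns-query."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):  # bound the walk so a pointer loop cannot spin forever
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Header flags plus answer records; A records are rendered as dotted quads."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {
        "id": txn_id,
        "is_response": bool(flags & 0x8000),
        "ad": bool(flags & 0x0020),  # resolver asserts DNSSEC validation succeeded
        "rcode": flags & 0x000F,
        "answers": [],
    }
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        info["answers"].append((name, rtype, ttl, value))
    return info


def answers_query(query, response):
    """Reply/query sanity check: same ID, QR bit set, same question bytes. It only
    catches mismatched or stray replies; an interceptor that rewrites the answer but
    echoes the question passes, hence the need for DNSSEC or an encrypted path."""
    _, q_end = read_name(query, 12)
    q_end += 4  # QTYPE + QCLASS
    return (response[:2] == query[:2] and bool(response[2] & 0x80)
            and response[12:q_end] == query[12:q_end])


# Constructed sample reply (not captured traffic): example.com A 192.0.2.1,
# TTL 3600, flags QR|RD|RA|AD, answer owner name as a pointer to offset 12.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\xa0\x00\x01\x00\x01\x00\x00\x00\x00"  # header
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"  # answer RR fixed fields
    b"\xc0\x00\x02\x01"                                  # RDATA 192.0.2.1
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))
    print(parse_response(SAMPLE_RESPONSE))
    print(answers_query(q, SAMPLE_RESPONSE))
```

Run stand-alone, it prints the GET URL for example.com, the parsed sample reply and the match result; actually sending the URL over HTTPS (for instance with `curl -H 'accept: application/dns-message'`) is the step left out so the example runs offline. Note that the AD bit is only the resolver's claim that it validated the answer, so it is worth something only over an authenticated channel to a resolver you chose, which is exactly the trust question raised in the commentary above.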
For further reading
- Google Security Blog: https://security.googleblog.com/2018/08/google-public-dns-turns-8888-years-old.html
- USENIX Security 2018 (Liu et al.): https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-liu_0.pdf