Investigate the Countermeasure to Mitigate the Privacy Leakage in DNS over QUIC
https://ipsj.ixsq.nii.ac.jp/records/241745
Name / File | License | Action
---|---|---
Available for download from December 15, 2026 | Copyright (c) 2024 by the Information Processing Society of Japan | Non-member: ¥0, IPSJ member: ¥0, Journal member: ¥0, DLIB member: ¥0
Item type | Journal(1)
---|---
Publication date | 2024-12-15
Title | Investigate the Countermeasure to Mitigate the Privacy Leakage in DNS over QUIC
Title language | en
Language | eng
Subject scheme | Other
Keywords | [Special Issue: Security and Trust Supporting Social and Ethical Online Activities] DNS over QUIC, privacy leakage, website fingerprinting
Resource type identifier | http://purl.org/coar/resource_type/c_6501
Resource type | journal article
Author affiliation | The Graduate University for Advanced Studies
Author affiliation | National Institute of Informatics / The Graduate University for Advanced Studies
Author name | Guannan, Hu
Author name | Kensuke, Fukuda
Abstract |
---|---
Description type | Other
Description | Original DNS packets are unencrypted, which leads to information leakage while users visit websites. An adversary could monitor the DNS communication and infer the users' Internet preferences, which may contain private, sensitive content such as health, finance, and religion. Although several encrypted DNS protocols have been proposed (DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ)), recent research shows that an adversary can still infer the category of websites even when DoT and DoH are used. This paper studies the privacy leakage problem of the DoQ protocol with two different DNS recursive resolvers (NextDNS and Bind). We investigate 30 categories from Alexa's top websites for binary and multi-class classification. As a baseline analysis, we first show the performance of the binary classification (i.e., sensitive vs. non-sensitive). We find that the classification performance is high for both the NextDNS and Bind resolvers when identifying whether the category of a website is sensitive. More particularly, we show that the discriminative features are mainly related to the inter-arrival time of packets and the packet length. For the multi-class classification, we observe that performance decreases as the number of categories increases, meaning that the impact of the leakage is limited. Next, we further investigate four possible countermeasures that could affect the classification results: using an AdBlocker extension, disabling DNS prefetch, adding random delay to responses, and padding the DNS payload. 1) We show that using AdBlocker and disabling DNS prefetch are less effective in mitigating the attack. 2) We find that the mean F1 scores decrease as the delays increase. Specifically, the delay decreases the classification performance by 22% with NextDNS and 18% with Bind. 3) DNS padding decreases the classification performance by 9%. We further investigate the combination of the two countermeasures, adding random delays (0-60 ms and 0-100 ms) and padding the DNS payload, for binary and multi-class classification of 30 categories. We confirm that the combined method can greatly reduce the classification performance: by 27% on average for binary and 22% for multi-class classification with Bind. These results indicate that adding random delay and padding can protect users' information from the website fingerprinting attack, though the random delay might affect the user experience. ------------------------------ This is a preprint of an article intended for publication in the Journal of Information Processing (JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.32 (2024) (online) DOI http://dx.doi.org/10.2197/ipsjjip.32.1082 ------------------------------
Bibliographic record ID | |
---|---
Identifier type | NCID
Identifier | AN00116647
Bibliographic information | IPSJ Journal (情報処理学会論文誌) Vol. 65, No. 12, published 2024-12-15
ISSN | 1882-7764
Publisher language | ja
Publisher | Information Processing Society of Japan (情報処理学会)