
A First Look at QNAME Minimization in the Domain Name System

  • Wouter B. de Vries (corresponding author)
  • Quirin Scheitle
  • Moritz Müller
  • Willem Toorop
  • Ralph Dolmans
  • Roland van Rijswijk-Deij
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11419)

Abstract

The Domain Name System (DNS) is a critical part of network and Internet infrastructure; DNS lookups precede almost any user request. DNS lookups may contain private information about the sites and services a user contacts, which has spawned efforts to protect the privacy of users, such as transport encryption through DNS-over-TLS or DNS-over-HTTPS.

In this work, we take a first look at the resolver-side technique of query name minimization (qmin), published as RFC 7816 (Experimental) in March 2016. qmin aims to send only minimal information to authoritative name servers, reducing the number of servers that full DNS query names are exposed to. Using passive and active measurements, we show a slow but steady adoption of qmin on the Internet, with a surprising variety in implementations of the standard. Using controlled experiments in a test-bed, we validate the lookup behavior of various resolvers, and quantify that qmin increases the number of DNS lookups by up to 26% and leads to up to 5% more failed lookups. We conclude our work with a discussion of qmin's risks and benefits, and give advice for future use.
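The resolver-side mechanism the abstract summarises, as an added example that is not part of the paper or of its measurement code: a toy Python simulation of iterative resolution against a constructed three-zone delegation tree, once with the full query name sent to every server and once with RFC 7816 qmin (one more label per query, qtype NS for the intermediate names). It shows why qmin hides the full name from the root and TLD servers, why it costs an extra query whenever a label of the target is not a zone cut, and how an authoritative server that wrongly answers NXDOMAIN for an empty non-terminal (the case RFC 7816 and RFC 8020 discuss) turns into a failed lookup for a strict resolver and into a full-name fallback query for a relaxed one. The zone names, server names, record data and the strict/relaxed switch are assumptions of this example, not data from the paper.

```python
"""
Toy simulation of iterative DNS resolution with and without QNAME
minimisation (qmin, RFC 7816).  Added illustration for this page, not the
paper's measurement code; the zone tree and server names are constructed
(the "example" TLD is reserved by RFC 2606).
"""
import copy
from typing import Dict, List, Tuple

Query = Tuple[str, str, str]  # (server, qname, qtype) as sent on the wire

# Constructed delegation tree; "" is the root zone.  eng.corp.example is an
# empty non-terminal inside corp.example (no records, not a zone cut), so a
# correct server answers "NS eng.corp.example" with NODATA, not NXDOMAIN.
ZONES: Dict[str, dict] = {
    "": {"server": "root-ns", "records": {"": {"NS": "root-ns"}}},
    "example": {"server": "tld-ns", "records": {"example": {"NS": "tld-ns"}}},
    "corp.example": {
        "server": "corp-ns",
        "records": {"corp.example": {"NS": "corp-ns"},
                    "www.eng.corp.example": {"A": "192.0.2.10"}},
        "nxdomain_on_ent": False,  # True models a server that says NXDOMAIN for ENTs
    },
}


def labels(name: str) -> List[str]:
    return name.split(".") if name else []


def is_below(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies beneath it ("" is the root)."""
    return zone == "" or name == zone or name.endswith("." + zone)


def parent_zone(zones: Dict[str, dict], zone: str) -> str:
    """Closest enclosing zone of a non-root zone."""
    return max((z for z in zones if z != zone and is_below(zone, z)),
               key=lambda z: len(labels(z)))


def authoritative_reply(zones: Dict[str, dict], zone: str, qname: str, qtype: str) -> Tuple[str, str]:
    """Reply as the server for `zone` would: REFERRAL, ANSWER, NODATA or NXDOMAIN."""
    for child in zones:
        if child and parent_zone(zones, child) == zone and is_below(qname, child):
            return "REFERRAL", child  # qname is inside a directly delegated child zone
    z = zones[zone]
    rrs = z["records"].get(qname)
    if rrs is not None:
        return ("ANSWER", rrs[qtype]) if qtype in rrs else ("NODATA", "")
    if any(is_below(n, qname) for n in z["records"]) and not z.get("nxdomain_on_ent"):
        return "NODATA", ""  # empty non-terminal: the name exists, nothing is stored at it
    return "NXDOMAIN", ""


def _follow_full(zones: Dict[str, dict], zone: str, qname: str, qtype: str, log: List[Query]) -> str:
    """Classic iteration from `zone`: send the full qname and follow referrals."""
    while True:
        log.append((zones[zone]["server"], qname, qtype))
        rcode, data = authoritative_reply(zones, zone, qname, qtype)
        if rcode != "REFERRAL":
            return rcode
        zone = data


def resolve_full(zones: Dict[str, dict], qname: str, qtype: str) -> Tuple[str, List[Query]]:
    log: List[Query] = []
    return _follow_full(zones, "", qname, qtype, log), log


def resolve_qmin(zones: Dict[str, dict], qname: str, qtype: str, fallback: bool = True) -> Tuple[str, List[Query]]:
    """RFC 7816 style: reveal one more label per query, with qtype NS for the
    intermediate names.  fallback=True models a relaxed resolver that retries
    with the full name on NXDOMAIN; False models strict mode, which fails."""
    log: List[Query] = []
    target, zone, depth = labels(qname), "", 0
    while True:
        depth = max(depth, len(labels(zone))) + 1
        partial = ".".join(target[-depth:])
        if partial == qname:  # nothing left to hide: ask the real question
            return _follow_full(zones, zone, qname, qtype, log), log
        log.append((zones[zone]["server"], partial, "NS"))
        rcode, data = authoritative_reply(zones, zone, partial, "NS")
        if rcode == "REFERRAL":
            zone = data  # found a zone cut: continue at the child's server
        elif rcode == "NXDOMAIN":
            if not fallback:
                return "NXDOMAIN", log  # strict qmin fails on a misbehaving server
            return _follow_full(zones, zone, qname, qtype, log), log
        # ANSWER or NODATA: the partial name exists here; reveal the next label


def compare(qname: str, qtype: str, zones: Dict[str, dict] = ZONES) -> Dict[str, Tuple[str, int, Dict[str, set]]]:
    """Outcome, number of queries and the names each server saw, per strategy."""
    runs = {"full": resolve_full(zones, qname, qtype),
            "qmin-strict": resolve_qmin(zones, qname, qtype, fallback=False),
            "qmin-relaxed": resolve_qmin(zones, qname, qtype, fallback=True)}
    out: Dict[str, Tuple[str, int, Dict[str, set]]] = {}
    for mode, (rcode, log) in runs.items():
        seen: Dict[str, set] = {}
        for server, name, _ in log:
            seen.setdefault(server, set()).add(name)
        out[mode] = (rcode, len(log), seen)
    return out


def broken_zones() -> Dict[str, dict]:
    """Copy of ZONES in which corp-ns mis-answers empty non-terminals with NXDOMAIN."""
    z = copy.deepcopy(ZONES)
    z["corp.example"]["nxdomain_on_ent"] = True
    return z


if __name__ == "__main__":
    for title, zones in (("correct servers", ZONES), ("broken corp-ns", broken_zones())):
        print(f"== {title}")
        for mode, (rcode, n, seen) in compare("www.eng.corp.example", "A", zones).items():
            print(f"{mode:12s} {rcode:8s} {n} queries  seen={seen}")
```

With correct servers the full-name lookup takes three queries and every server sees www.eng.corp.example, while qmin takes four (the NS probe for eng.corp.example gets NODATA before the final A query) and the root and TLD servers only ever see example and corp.example. With the misbehaving corp-ns, strict qmin returns NXDOMAIN after three queries, and relaxed qmin recovers by sending the full name as a fourth query. Real resolvers differ in exactly these choices (qtype of the probe, strict versus relaxed handling, caching of intermediate results), which is the "variety in implementations" the abstract refers to.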

Keywords

DNS, Privacy, QNAME minimization, Measurements

Notes

Acknowledgements

This work was partially funded by the German Federal Ministry of Education and Research under project X-Check (grant 16KIS0530). Partial funding was also supplied by SURFnet Research on Networks.

References

  1. RIPE Atlas measurement for a.b.qnamemin-test.internet.nl TXT (2017). https://atlas.ripe.net/measurements/8310250/
  2. RIPE Atlas measurement for o-o.myaddr.l.google.com TXT (2017). https://atlas.ripe.net/measurements/8310237/
  3. RIPE Atlas measurement for ripe-hackathon6.nlnetlabs.nl AAAA (2017). https://atlas.ripe.net/measurements/8310366/
  4. RIPE Atlas measurements for ripe-hackathon6.nlnetlabs.nl AAAA. RIPE MSM IDs: 16428213, 16428214, 16428215, 16428216, 16428217, 16428218, 16428219, 16428220, 16428221, 16428222 (2017)
  5. RIPE Atlas measurement for whoami.akamai.net A (2017). https://atlas.ripe.net/measurements/8310245/
  6. Bortzmeyer, S.: DNS privacy considerations. RFC 7626 (Informational), August 2015. https://www.rfc-editor.org/rfc/rfc7626.txt
  7. Bortzmeyer, S.: DNS query name minimisation to improve privacy. RFC 7816 (Experimental), March 2016. https://www.rfc-editor.org/rfc/rfc7816.txt
  8. Bortzmeyer, S., Huque, S.: NXDOMAIN: there really is nothing underneath. RFC 8020 (Proposed Standard), November 2016. https://www.rfc-editor.org/rfc/rfc8020.txt
  9. Bortzmeyer, S.: PowerDNS - add qname minimisation (2015). https://github.com/PowerDNS/pdns/issues/2311
  10. Castro, S., Wessels, D., Fomenkov, M., Claffy, K.: A day at the root of the internet. ACM SIGCOMM Comput. Commun. Rev. 38(5), 41–46 (2008)
  11. Cisco: Cisco Umbrella Top 1M List, September 14–30 2018. https://s3-us-west-1.amazonaws.com/umbrella-static/index.html
  12. Cooper, A., et al.: Privacy Considerations for Internet Protocols. RFC 6973, July 2013. https://rfc-editor.org/rfc/rfc6973.txt
  13. CZ.NIC: Knot resolver 1.0.0 released (2016). https://www.knot-resolver.cz/2016-05-30-knot-resolver-1.0.0.html
  14. Dittrich, D., Kenneally, E., et al.: The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. US Department of Homeland Security (2012)
  15. DNS-OARC: Day In The Life of the Internet (2017 and 2018). https://www.dns-oarc.net/oarc/data/ditl
  16. Dolmans, R.: QNAME Minimization in Unbound, RIPE 72 (2016). https://ripe72.ripe.net/wp-content/uploads/presentations/120-unbound_qnamemin_ripe72.pdf
  17. Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: USENIX Security (2013)
  18. Fujiwara, K., Kato, A., Kumari, W.: Aggressive Use of DNSSEC-Validated Cache. RFC 8198 (Proposed Standard), July 2017. https://www.rfc-editor.org/rfc/rfc8198.txt
  19. Hardaker, W.: Analyzing and mitigating privacy with the DNS root service. In: NDSS: DNS Privacy Workshop 2018 (2018)
  20. Hoffman, P.E., McManus, P.: DNS queries over HTTPS (DoH). RFC 8484, October 2018. https://rfc-editor.org/rfc/rfc8484.txt
  21. Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., Hoffman, P.E.: Specification for DNS over transport layer security (TLS). RFC 7858, May 2016. https://rfc-editor.org/rfc/rfc7858.txt
  22. Imana, B., Korolova, A., Heidemann, J.: Enumerating privacy leaks in DNS data collected above the recursive. In: NDSS: DNS Privacy Workshop 2018, San Diego, California, USA, February 2018. https://www.isi.edu/%7ejohnh/PAPERS/Imana18a.html
  23. ISC: Release notes for BIND version 9.13.2 (2018). https://ftp.isc.org/isc/bind9/9.13.2/RELEASE-NOTES-bind-9.13.2.txt
  24. Mockapetris, P.: Domain names - concepts and facilities. RFC 1034, November 1987. https://rfc-editor.org/rfc/rfc1034.txt
  25. NLnet Labs: Unbound Changelog (2018). https://nlnetlabs.nl/svn/unbound/tags/release-1.8.0/doc/Changelog
  26. Pappas, V., Wessels, D., Massey, D., Lu, S., Terzis, A., Zhang, L.: Impact of configuration errors on DNS robustness. IEEE J. Sel. Areas Commun. 27(3), 275–290 (2009)
  27. Partridge, C., Allman, M.: Ethical considerations in network measurement papers. Commun. ACM 59, 58–64 (2016)
  28. Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: DNS security introduction and requirements. RFC 4033, March 2005. https://rfc-editor.org/rfc/rfc4033.txt
  29. Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: Protocol modifications for the DNS security extensions. RFC 4035, March 2005. https://rfc-editor.org/rfc/rfc4035.txt
  30. Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: Resource records for the DNS security extensions. RFC 4034, March 2005. https://rfc-editor.org/rfc/rfc4034.txt
  31. Scheitle, Q., et al.: A long way to the top: significance, structure, and stability of internet top lists. In: IMC 2018, Boston, USA. arXiv:1805.11506, November 2018
  32. Schmitt, P., Edmundson, A., Feamster, N.: Oblivious DNS: practical privacy for DNS queries. arXiv:1806.00276 (2018)
  33. de Vries, W.B., Scheitle, Q., Müller, M., Toorop, W., Dolmans, R., van Rijswijk-Deij, R.: Datasets and Scripts (2019). https://www.simpleweb.org/wiki/index.php/Traces#A_First_Look_at_QNAME_Minimization_in_the_Domain_Name_System
  34. Wang, Z.: Understanding the performance and challenges of DNS query name minimization. In: 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications / 12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), pp. 1115–1120. IEEE (2018)
  35. Wullink, M., Moura, G.C., Müller, M., Hesselman, C.: ENTRADA: a high-performance network traffic data streaming warehouse. In: 2016 IEEE/IFIP Network Operations and Management Symposium (NOMS), pp. 913–918. IEEE (2016)

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Wouter B. de Vries (1), corresponding author
  • Quirin Scheitle (2)
  • Moritz Müller (1, 3)
  • Willem Toorop (4)
  • Ralph Dolmans (4)
  • Roland van Rijswijk-Deij (1, 4)
  1. University of Twente, Enschede, The Netherlands
  2. TUM, Munich, Germany
  3. SIDN Labs, Arnhem, The Netherlands
  4. NLnet Labs, Amsterdam, The Netherlands
