Identity Trail: Covert Surveillance Using DNS

  • Saikat Guha
  • Paul Francis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4776)


The Domain Name System (DNS) is the only globally deployed Internet service that provides user-friendly naming for Internet hosts. It was originally designed to return the same answer to any given query regardless of who issued the query, and thus all data in the DNS is assumed to be public. That assumption potentially conflicts with the privacy expectations of private Internet hosts, particularly the increasing numbers of laptops and PDAs that mobile users rely on as their primary computing device. The IP address of such a device, once published in the DNS, reveals the host's, and typically the user's, current geographic location to anyone who cares to look it up, without the host's knowledge or explicit consent. This paper demonstrates, and measures the severity of, an attack that allows anyone on the Internet to covertly monitor mobile devices and construct detailed user profiles including user identity, daily commute patterns, and travel itineraries. Users who wish to identify their private hosts by user-friendly names are locked into the DNS model and thus become unwitting victims of this attack; we identify a growing population of such dynamic DNS users (two million and climbing) and covertly trail over one hundred thousand of them. We report on a large-scale study that demonstrates the feasibility and severity of the attack in today's Internet, and we propose short-term and long-term defenses against it.
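The attack the abstract describes needs nothing more than repeated lookups of a dynamic DNS name: each answer is the host's current address, and mapping successive addresses to locations yields a trail. The following is an added illustration, not code from the paper or from any dynamic DNS provider. The hostname, the prefix-to-site table standing in for a real geolocation database, and the answer sequence returned by the resolver are all constructed assumptions; the resolver is injected so the example runs offline, and a live run would substitute a real lookup.

```python
"""Reconstruct a location trail for a dynamic DNS name from repeated lookups.

Added example, not from the paper.  Everything below is constructed:
the hostname, the prefix-to-site table, and the answers the resolver gives.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for an IP geolocation database (assumption: in a real
# run this would be a geolocation service or the techniques the paper cites).
SITE_TABLE = {
    "198.51.100.0/24": "home-ISP",
    "203.0.113.0/24": "office",
    "192.0.2.0/24": "hotel",
}

HOSTNAME = "mobile-host.example.org"           # constructed, not a real victim
START = datetime(2007, 6, 4, 0, 0)             # constructed observation window
INTERVAL = timedelta(hours=1)                  # poll period; keep it >= the record TTL


def geolocate(ip: str) -> str:
    """Map an answer to a site label via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for prefix, site in SITE_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return site
    return "unknown"


def constructed_resolver(hostname: str, when: datetime) -> str:
    """Constructed answers: office during working hours on day one, home
    otherwise, and a hotel address for the whole of day two (travel)."""
    if when.date() != START.date():
        return "192.0.2.77"
    if 9 <= when.hour <= 17:
        return "203.0.113.42"
    return "198.51.100.9"


def poll(resolve, hostname: str, start: datetime, interval: timedelta, count: int):
    """Query resolve(hostname, t) at fixed intervals; returns [(t, ip), ...].

    The resolver is injected so the example is offline.  For a live run you
    would query the authoritative server (or poll no faster than the TTL) so
    a recursive cache does not hand back a stale answer.
    """
    observations, t = [], start
    for _ in range(count):
        observations.append((t, resolve(hostname, t)))
        t += interval
    return observations


def trail(observations):
    """Collapse consecutive lookups with the same answer into sessions."""
    sessions = []
    for t, ip in observations:
        site = geolocate(ip)
        last = sessions[-1] if sessions else None
        if last and last["ip"] == ip:
            last["end"] = t
        else:
            sessions.append({"site": site, "ip": ip, "start": t, "end": t})
    return sessions


def daily_pattern(sessions):
    """Which hours of the day the host was seen at each site: the commute profile."""
    hours = defaultdict(set)
    for s in sessions:
        t = s["start"]
        while t <= s["end"]:
            hours[s["site"]].add(t.hour)
            t += timedelta(hours=1)
    return {site: sorted(h) for site, h in hours.items()}


def run_example():
    """Two days of hourly lookups against the constructed resolver."""
    obs = poll(constructed_resolver, HOSTNAME, START, INTERVAL, 48)
    sessions = trail(obs)
    return obs, sessions, daily_pattern(sessions)


if __name__ == "__main__":
    _, sessions, pattern = run_example()
    for s in sessions:
        print(f"{s['start']:%Y-%m-%d %H:%M} - {s['end']:%H:%M}  {s['ip']:15}  {s['site']}")
    print(pattern)
```

The session list is the travel itinerary (two days, one overnight stay at a third site) and `daily_pattern` is the commute profile: the hours the host sits behind the office prefix versus the home prefix. The only precondition is that the name is publicly resolvable, which is exactly what a dynamic DNS user signs up for.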







Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Saikat Guha, Cornell University, Ithaca, NY 14853, USA
  • Paul Francis, Cornell University, Ithaca, NY 14853, USA
