How ODNS keeps your browsing habits secret


In computing, popular ideas have a way of becoming part of the bedrock and, once petrified, they’re extremely difficult to dislodge.

It doesn’t matter how good or bad an idea is, how well or how poorly something is coded or how insecure it is, if something is widely adopted it’s not going anywhere fast.

For example, despite its inherent insecurity email remains central to our lives, and Flash, despite a ready replacement and countless should-have-been-fatal wounds, is dying as if there’s an Oscar on the line.

Finding new ideas is easy but replacing or retooling old ideas is hard.

That puts a premium on solutions that make things better, faster or more secure by working with, or adding to, what’s already there with minimal disruption.

And that’s why ODNS (Oblivious DNS) is such an interesting idea.

ODNS is the latest entrant to an increasingly crowded field of solutions looking to address the privacy problems of the global DNS (Domain Name System).

The trouble with DNS

DNS maps human-readable names for computers and services, like nakedsecurity.sophos.com, into the numeric IP addresses that computers need in order to communicate with each other, like 192.0.79.33.

Unfortunately DNS has a privacy problem – an adversary who can see DNS queries can tell who is browsing where, even if those people are taking care to encrypt the precise details of their browsing with HTTPS.

DNS traffic can be read in two ways: on-the-wire, as it passes over the internet, or when it arrives at its destination.

How DNS works

Let’s say you want to visit www.example.org with your web browser. In order to reach that site your computer has to know its IP address, information it can get via DNS.

It does this by asking the question “what’s the IP address for www.example.org?” of a recursive resolver, which might be operated by your ISP or perhaps a third party service, like CloudFlare’s 1.1.1.1 or Google’s 8.8.8.8.

In turn the recursive resolver consults the server that knows about .org addresses, which passes it on to the server that knows about .example.org addresses, which passes it on to the authoritative server that knows about www.example.org.

The authoritative server answers the original question, and sends the IP address 93.184.216.34 to the recursive resolver, which sends it back to your computer.

All this traffic is visible on-the-wire to anyone on the same network as you and to your ISP (or your VPN provider) as it passes through their network.

It’s also visible at a number of destinations. The most useful vantage point is the DNS resolver but traffic is also visible at the authoritative server and, often, at the other servers the recursive resolver consults too:

This information can be visible to a 3rd party eavesdropping on the communication between a client and a recursive resolver, or even between a recursive resolver and an authoritative server. As this information is sent to each DNS server, DNS operators can also see clients’ information.

Securing DNS

There are a lot of schemes afoot to deal with DNS’s privacy issues but most solutions only tackle a part of the problem and some require the kind of retooling that could make adoption slow.

  • DNS Query Name Minimisation reduces the amount of information that recursive resolvers share with some DNS servers. Snooping at or between the resolver, ISP or authoritative server is still possible though.
  • DNS-over-TLS and DNS-over-HTTPS require retooling of existing systems to encrypt DNS traffic and prevent snooping on-the-wire. They solve that problem at a cost but do nothing to prevent traffic being monitored at the resolver or other destinations.
  • Recursive resolvers built for privacy, like 1.1.1.1, tackle the resolver problem by promising not to monitor you or keep logs of your activity hanging around. It’s nice, but privacy and security require stronger underpinnings than assurances of “you can trust us”.

Enter ODNS.

Oblivious DNS

Oblivious DNS attempts to tackle spying on-the-wire and snooping at the resolver, or other destinations, without significant retooling.

Your computer still asks the question “what’s the IP address for www.example.org?” but this time it’s sent to a local ODNS resolver on your computer.

That local resolver creates a session key, encrypts the domain with it and then adds .odns to the end, giving you a completely unrecognisable domain name, like 9fab9405429045fe5.odns.

The session key is then itself encrypted using a public key provided by the authoritative server for the .odns TLD (Top-Level Domain). Anyone can encrypt something with the public key but only the authoritative server can read it (you’ll see why in a few paragraphs).

The encrypted session key is added to the DNS query and it’s sent on to a normal recursive resolver, such as the one operated by your ISP.

Snooping between you and the resolver, or at the resolver itself, is foiled because a voyeur can identify who’s making a request but not what the request is for, since the domain name is encrypted before leaving your computer.

Just as it would with any other domain, the resolver then identifies the authoritative server for 9fab9405429045fe5.odns and asks it for the corresponding IP address.

On receiving that request the specially equipped authoritative server uses its private key to decrypt the session key, and then uses the session key to decrypt 9fab9405429045fe5.odns, revealing www.example.org.

The authoritative server then acts like a recursive resolver: consulting the server that knows about .org addresses, which passes it on to the server that knows about .example.org addresses, which passes it on to the authoritative server for www.example.org, which provides the IP address.

The IP address is then passed back down the line to your computer.

Spying on-the-wire during this phase, or at any of those destinations, is foiled because, although a voyeur can now see what domain the requests are for, they can’t see who made them since all the requests appear to start at the .odns server rather than your computer.
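To make the two encryption layers and the vantage points concrete, here is an added Python simulation of the exchange described above; it is not code from the ODNS researchers or from this article. Textbook RSA over two small Mersenne primes stands in for the .odns server's key pair and an HMAC-SHA256 keystream for the session-key cipher; those primitives, the addresses 203.0.113.53 and 198.51.100.7, the lookup table standing in for the .org chain, the choice to return the answer encrypted under the session key, and every function name are assumptions made for the demonstration, not what the prototype uses.

```python
import hashlib
import hmac
import secrets

# ---- toy primitives (demonstration only, not the ODNS prototype's) ----------
# Two Mersenne primes give a textbook-RSA key pair that stands in for the
# .odns authoritative server's public/private key. Far too small for real use.
_P, _Q = 2**31 - 1, 2**61 - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
ODNS_PUBLIC_KEY = (_N, _E)      # published; anyone can encrypt to it
ODNS_PRIVATE_KEY = (_N, _D)     # held only by the .odns authoritative server


def pk_encrypt(public_key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message too large for toy modulus")
    return pow(m, e, n)


def pk_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def sym_xor(session_key: int, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream derived from the 64-bit session
    key. Self-inverse, so the same call encrypts and decrypts."""
    key = session_key.to_bytes(8, "big")
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# ---- constructed network (addresses and table are made up for the demo) ----
RESOLVER_ADDR = "192.0.2.53"          # the ISP's ordinary recursive resolver
ODNS_SERVER_ADDR = "203.0.113.53"     # the .odns authoritative server
UPSTREAM_AUTHORITATIVE = {"www.example.org": "93.184.216.34"}  # stands in for .org chain


def odns_stub_query(domain: str):
    """Local ODNS resolver on the client: encrypt the name under a fresh session
    key, hex-encode it as one label under .odns, and wrap the session key under
    the .odns server's public key. Returns (qname, wrapped_key, session_key)."""
    session_key = secrets.randbits(64)
    label = sym_xor(session_key, domain.encode()).hex()
    if len(label) > 63:               # a single DNS label holds at most 63 octets
        raise ValueError("encrypted name does not fit in one DNS label")
    return label + ".odns", pk_encrypt(ODNS_PUBLIC_KEY, session_key), session_key


def odns_authoritative(qname: str, wrapped_key: int, observed: dict) -> bytes:
    """The .odns authoritative server: unwrap the session key, recover the real
    name, resolve it upstream as itself, and hand back the answer encrypted
    under the session key (response encryption is an assumption here)."""
    session_key = pk_decrypt(ODNS_PRIVATE_KEY, wrapped_key)
    domain = sym_xor(session_key, bytes.fromhex(qname[: -len(".odns")])).decode()
    # Upstream servers see the real name, but the .odns server as the requester.
    observed["upstream_authoritative"] = {"source": ODNS_SERVER_ADDR, "qname": domain}
    return sym_xor(session_key, UPSTREAM_AUTHORITATIVE[domain].encode())


def resolve_plain_dns(client_ip: str, domain: str) -> dict:
    """Baseline: what each vantage point sees with ordinary DNS."""
    return {
        "recursive_resolver": {"source": client_ip, "qname": domain},
        "upstream_authoritative": {"source": RESOLVER_ADDR, "qname": domain},
        "answer": UPSTREAM_AUTHORITATIVE[domain],
    }


def resolve_via_odns(client_ip: str, domain: str) -> dict:
    """Drive one ODNS lookup and record what each vantage point sees."""
    observed = {}
    qname, wrapped_key, session_key = odns_stub_query(domain)
    # Wire between client and ISP resolver, and the resolver itself: they learn
    # who is asking, but only the encrypted label and an opaque wrapped key.
    observed["recursive_resolver"] = {"source": client_ip, "qname": qname}
    if not qname.endswith(".odns"):    # an ordinary resolver routes on the TLD
        raise ValueError("query is not for the .odns zone")
    encrypted_answer = odns_authoritative(qname, wrapped_key, observed)
    observed["answer"] = sym_xor(session_key, encrypted_answer).decode()
    return observed


if __name__ == "__main__":
    for scheme, fn in (("plain DNS", resolve_plain_dns), ("ODNS", resolve_via_odns)):
        print(scheme)
        for point, view in fn("198.51.100.7", "www.example.org").items():
            print(f"  {point:>22}: {view}")
```

Run it and compare the two printouts: with plain DNS the recursive resolver sees both the client address and www.example.org, whereas with ODNS it sees the client address next to an unreadable hex label, and the upstream authoritative server sees www.example.org but only the .odns server's address. Note the two practical limits the code checks for: the encrypted name must still fit the 63-octet DNS label limit, and an ordinary resolver will only forward the query because it is routed on the .odns TLD like any other domain.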

Right now ODNS is only a prototype and according to the research team there’s work to be done:

…we have some future work to continue in this direction. We have implemented a prototype of ODNS to evaluate its feasibility and to measure its performance overhead in comparison to current DNS performance.

This puts it a way behind some other DNS privacy solutions but, as I said at the beginning, solutions that require existing systems to change have a way of rolling out really, really slowly.

ODNS’s ability to work with DNS as it is, rather than as we wish it to be, could give it a head start, even though it’s starting from behind.