Most people's DNS queries – by which browsers and other software resolve domain names into IP addresses – remain unprotected while flowing over the internet.
DNSSEC, for one, aims to prevent miscreants tampering with intercepted domain-name lookups by digital signing the answers – making any forgeries obvious to software. DNS-over-TLS and DNS-over-HTTPS aim to do this, too, and encrypt the queries so eavesdroppers on the network can't snoop on what sites you're visiting.
Without these safeguards in wide (or any) use, DNS traffic remains unencrypted and unauthenticated, meaning they can be potentially spied on and meddled with to redirect people to malicious websites masquerading as legit sites.
Researchers from universities in China and the US recently decided to check whether or not this is actually happening, and found that traffic interception a reality for a small but significant portion of DNS queries – 0.66 per cent of DNS requests over TCP – across a global sample of residential and cellular IP addresses.
The boffins – Baojun Liu, Chaoyi Lu, Haixin Duan, and Ying Liu from Tsinghua University in China; Zhou Li and Shuang Hao from the University of Texas at Dallas; and Min Yang from Fudan University in China – describe the results of their inquiry in a paper presented at this week's USENIX Security Symposium.
The paper, "Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path," describes how the researchers set up a system to measure DNS interception across 148,478 residential and cellular IP addresses around the world.
Internet users may choose their own DNS resolvers, by manually pointing their applications and operating systems at, say, Google Public DNS (126.96.36.199) or Cloudflare (188.8.131.52). Usually, however, people accept whatever DNS resolver the network or their ISP automatically provides.
If an intermediary intercepts a DNS request, that isn't necessarily nefarious, but it could lead to undesirable consequences. At the very least, it deprives those using the internet of choice and privacy.
The researchers looked for providers spoofing the IP addresses of users' specified DNS resolvers to intercept DNS traffic covertly. They designed their study to focus on registered domains and to omit sensitive keywords, to avoid the influence of content censorship mechanisms.
They found DNS query interception in 259 of the 3,047 service provider AS collections tested, or 8.5 per cent. (The research paper uses the term "ASes," which stands for Autonomous Systems, networking terminology for a collection of IP address blocks assigned to ISPs and other organizations.)
UDP as easy as 123
In terms of packets sent to Google Public DNS, 27.9 per cent of UDP-based packets were intercepted, compared to about 7.3 per cent of data sent over TCP, it is claimed. (Most of DNS requests are sent over UDP and intercepting UDP traffic is easier from a technical perspective, the researchers explain.)
Google DNS appears to be particularly appealing as an interception target for service providers. "We also discover 82 ASes are intercepting more than 90 per cent of DNS traffic sent to Google Public DNS," the researchers observed in their paper.
DNS ad-hocracy in peril as ICANN advisors mull root server shakeupREAD MORE
Comcast Cable Communications in the US is cited as the controller of AS7922, which was found intercepting a small portion of Google Public DNS traffic.
"Among our 13,466 DNS requests sent from this AS to Google DNS, 72 (0.53 per cent) are redirected, with alternative resolvers outside Google actually contacting our authoritative nameservers," the paper stated.
The researchers speculate that on-path devices handling interception are only deployed in a limited number of sub-networks for this AS and allow that it's possible a Comcast customer rather than the company itself deployed these devices.
Providers in China were cited as conducting the most interception. China Mobile, for example, gets singled out for alleged involvement in DNS tampering for profit.
"As an example, 8 responses from Google Public DNS are tampered in AS9808 (Guangdong Mobile), pointing to a web portal which promotes an APP of China Mobile," the paper stated.
In an email to The Register, Nick Sullivan, head of cryptography at Cloudflare, said that the lack of encryption and authentication in DNS is widely seen as one of the internet's biggest unpatched bugs.
"This bug is known to be exploited by networks for various reasons, but the extent to which networks are intercepting DNS queries is not well known," he said. "This paper is significant because it is one of the most widespread measurement studies done on the prevalence of DNS interception is on the internet."
Sullivan said it was surprising to see just how high the rate of interception is in some instances.
"The researchers found that interception rates for DNS queries directed to popular public DNS resolvers are high overall, and in some networks as high as 100 per cent," he said. "Not all the intercepted DNS queries were modified or recorded, but they could be, which has huge implications for privacy and security online. These findings accelerate the need to patch this bug by transitioning DNS from an unencrypted protocol to one that is protected by strong encryption and authentication technologies." ®