
Defence Technologies Against Encrypted DNS Traffic Analysis

Posted on: 2023-10-07
Degree: Master
Type: Thesis
Country: China
Candidate: Q Lin
Full Text: PDF
GTID: 2558307061450354
Subject: Cyberspace security
Abstract/Summary:
The Domain Name System (DNS), which stores the mapping between domain names and IP addresses, is part of the infrastructure of the Internet. The DNS protocol was not originally designed with privacy in mind: messages were transmitted as unencrypted plaintext, which could disclose a person's network traces. Encrypted DNS protocols prevent DNS messages from being eavesdropped on and manipulated by encrypting DNS data between clients and recursive name servers. However, encrypted DNS protocols still face the problem of privacy leakage. Encrypted DNS traffic analysis refers to predicting the websites users visit by collecting and analyzing the encrypted DNS traffic those users generate. Research on defence technologies against encrypted DNS traffic analysis helps to find the weaknesses of current encrypted DNS protocols and to improve their security and robustness, so that user privacy can be better protected. The research focuses on DNS-over-HTTPS (DoH), and the works are:

(1) A DoH traffic generation and collection system was established, and a DoH traffic dataset covering 1,000 website domain names, with 100 traffic records per domain name and a total of 100,000 traffic records, was generated. The dataset can support research on encrypted DNS traffic analysis and defense.

(2) A DoH traffic statistical feature extraction framework was implemented, which can extract 33 traffic statistical features and selects 28 features that can be used for DoH traffic analysis. The distribution of DoH traffic features and the correlation between different features are analyzed.

(3) It is confirmed that the DoH protocol still faces the risk of privacy leakage: an adversary can passively collect a user's DoH traffic to predict the website that the user visits. In the closed-world setting, Naive Bayes, k-Nearest Neighbor, Decision Tree, and Random Forest classifiers are used for the DoH traffic analysis attack, and the attack performance of the different classification algorithms at different traffic data scales is compared. The results show that Random Forest outperforms the other classifiers. Besides, the fewer the domain names, the better the attack performance. In the open-world setting, Random Forest and Local Outlier Factor are used for DoH traffic analysis attacks, and the proportion of traffic belonging to the target domain name varies from 1% to 5%. The results show that Random Forest performs well. Besides, the greater the proportion of target domain name traffic, the better the attack performance.

(4) Two methods to resist DoH traffic analysis are proposed, namely a traffic obfuscation strategy and an adaptive packet insertion strategy, and the effectiveness of these methods is verified. The core concept of the traffic obfuscation strategy is to mix the DoH traffic generated by visiting two websites. The core concept of the adaptive packet insertion strategy is to send padding packets when the packet density is low: the lower the packet density, the greater the probability of sending padding packets. Both methods inject more packets into the original DoH flow to mask the statistical features of the original flow. Several comparative experiments were set up to explore the effectiveness of these two methods against analysis. The influence of different parameter choices on the defensive performance of adaptive packet insertion is explored in depth. Experimental results show that after applying the traffic obfuscation strategy or the adaptive packet insertion strategy, the accuracy and recall rate of DoH traffic analysis attacks drop significantly compared with no defense strategy. In addition, when the available bandwidth is large enough, these two defense methods hardly increase the time consumption of actual domain name resolution, and maximize the quality of service.
Keywords/Search Tags:DNS, DNS-over-HTTPS, Encrypted traffic classification, Privacy protection, Machine learning
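
The adaptive packet insertion idea summarized in item (4), sketched as an added example; it is not code from the thesis. The abstract gives no parameters, so the sliding-window density measure, the linear probability mapping, and every name and default value below are assumptions.

```python
import random

def insertion_probability(density, full_density=4, p_max=0.9):
    """Assumed mapping: p_max when the wire is idle, falling linearly to 0
    once `full_density` packets were seen in the trailing window."""
    return p_max * max(0.0, 1.0 - density / full_density)

def adaptive_insert(timestamps, window=0.05, slot=0.01, full_density=4,
                    p_max=0.9, seed=0):
    """Return [(time, kind)] with kind "real" or "pad".

    The flow is walked in fixed slots. In each slot the packets already on
    the wire (real and padding) inside the trailing window are counted, and
    a padding packet is sent with probability insertion_probability(count).
    """
    rng = random.Random(seed)          # seeded so the run is reproducible
    real = sorted(timestamps)
    if not real:
        return []
    wire = list(real)                  # every packet time an observer sees
    out = [(t, "real") for t in real]
    n_slots = int((real[-1] - real[0]) / slot) + 1
    for i in range(n_slots):
        t = real[0] + i * slot
        density = sum(1 for s in wire if t - window < s <= t)
        if rng.random() < insertion_probability(density, full_density, p_max):
            wire.append(t)
            out.append((t, "pad"))
    return sorted(out)

def max_gap(times):
    """Largest inter-arrival time, used here as a simple measure of idleness."""
    times = sorted(times)
    return max(b - a for a, b in zip(times, times[1:]))

# Constructed sample: two query bursts separated by an idle period (seconds).
SAMPLE_FLOW = [0.000, 0.004, 0.009, 0.013, 0.500, 0.506, 0.511]

if __name__ == "__main__":
    shaped = adaptive_insert(SAMPLE_FLOW)
    pads = sum(1 for _, kind in shaped if kind == "pad")
    print(f"padding packets sent: {pads}")
    print(f"max gap before: {max_gap(SAMPLE_FLOW):.3f}s")
    print(f"max gap after:  {max_gap([t for t, _ in shaped]):.3f}s")
```

Raising `full_density` or `p_max` sends more padding and costs more bandwidth, which is the trade-off the abstract ties to available bandwidth.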