The Prevalence of Domain Name Encryption and its Impact on Internet Filtering
Abstract
Most online communications rely on DNS to map domain names to their hosting IP
address(es). Previous work has shown that DNS-based network interference is
widespread due to the unencrypted and unauthenticated nature of the original
DNS protocol.
In addition to DNS, accessed domain names can also be monitored by on-path
observers during the TLS handshake when the SNI extension is used. These
lingering issues with exposed plaintext domain names have led to the
development of a new generation of protocols that keep accessed domain names
hidden. DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) hide the domain names of
DNS queries, while Encrypted Server Name Indication (ESNI) encrypts the domain
name in the SNI extension.
In this paper we present DNEye, a measurement system built on top of a
network of distributed vantage points, which we used to study the
accessibility of DoT/DoH and ESNI, and to investigate whether these protocols
are tampered with by network providers (e.g., for censorship). Moreover, we
evaluate the efficacy of these new protocols in circumventing network
interference when accessing content that is blocked by traditional DNS
manipulation. We find evidence of blocking efforts against domain name
encryption technologies in several countries, including China, Russia, and
Saudi Arabia. At the same time, we discover that domain name encryption can
help with unblocking more than 55\% and 95\% of censored domains in China and
other countries where DNS-based filtering is heavily employed.
address(es). Previous work has shown that DNS-based network interference is
widespread due to the unencrypted and unauthenticated nature of the original
DNS protocol.
In addition to DNS, accessed domain names can also be monitored by on-path
observers during the TLS handshake when the SNI extension is used. These
lingering issues with exposed plaintext domain names have led to the
development of a new generation of protocols that keep accessed domain names
hidden. DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) hide the domain names of
DNS queries, while Encrypted Server Name Indication (ESNI) encrypts the domain
name in the SNI extension.
In this paper we present DNEye, a measurement system built on top of a
network of distributed vantage points, which we used to study the
accessibility of DoT/DoH and ESNI, and to investigate whether these protocols
are tampered with by network providers (e.g., for censorship). Moreover, we
evaluate the efficacy of these new protocols in circumventing network
interference when accessing content that is blocked by traditional DNS
manipulation. We find evidence of blocking efforts against domain name
encryption technologies in several countries, including China, Russia, and
Saudi Arabia. At the same time, we discover that domain name encryption can
help with unblocking more than 55\% and 95\% of censored domains in China and
other countries where DNS-based filtering is heavily employed.