DNS – Strategies for Reducing Data Leakage &
Protecting Online Privacy
Jim Nitterauer – Senior Security Engineer
Disclaimer
www.hackerhalted.com 2
Information disclosed in this presentation is intended to help improve your security & privacy posture and should not be used for unethical purposes
The concepts presented are in no way meant to imply original research on my part or on the part of my employer
Information presented here is gathered from public and private sources with proper references and credit provided where applicable
The views expressed in this talk are not necessarily the views of my employer
Whoami
Agenda
What Will We Cover?
• Why is DNS important from a privacy perspective?
    • Browsing Habits
    • Internal Service Info
• Why should I care?
    • Data used to direct advertising
    • Malicious purposes
• Common DNS privacy exploits
    • Data Leakage
• DNS data could leak
    • All domains browsed
    • Email servers contacted
    • All included DNS content
• Examine DNS tracking methods
    • DNS logs
    • Passive DNS data
    • Direct packet sniffing
    • EDNS(0) option data
• Discuss insecure DNS resolution
    • What is it?
    • Typical DNS resolution process
    • Where are the “leakage” points?
• Review DNS over HTTPS and DNS over TLS
    • Describe DNS over HTTPS
    • Describe DNS over TLS
    • Compare and contrast
• Strategies for analyzing DNS traffic
• Solutions for protecting (anonymizing) DNS data
    • DNS Crypt
    • Cloudflare
    • Quad 9
    • Opera
    • Firefox
    • Tor Browser
    • Private cache server
    • VPN
    • VPN Over Tor
• Put it all together
• Solution shortcomings
    • Multicast DNS
    • IPv6
• Questions
• Wrap-up
Why is DNS important from a privacy perspective?
Browsing Habits
https://labs.ripe.net/Members/babak_farrokhi/is-your-isp-hijacking-your-dns-traffic
https://www.infoworld.com/article/2608352/internet-privacy-another-privacy-threat-dns-logging-and-how-to-avoid-it.html
Internal Service Info
• What can you learn?
    • Internal IP addresses
    • Internal service types
    • Types of devices on the network
    • Email interactions (MX record data)
    • Internal Web applications
• How is this Possible?
    • Dual purpose DNS – AD & public facing
    • Internal DNS data leaking into public requests
    • Basically misconfiguration
Why should I care?
Malicious Possibilities
https://www.imperva.com/learn/application-security/dns-spoofing/
• DNS Spoofing or Hijacking
    • Not particularly easy to do but can be done at the network level
    • Usually done as a MITM attack
        • ARP spoofing
    • Can be done at the network level as well
        • This is what your ISPs do!
• Can you trust your DNS?
https://www.komando.com/happening-now/481807/beware-theres-another-new-twist-in-this-scary-email-scam
• Extortion
    • Is all traffic work-related on your LAN?
    • You have seen the fake email extortion attempts
    • What if the data were real?
    • Could browsing data be used to coerce someone?
Common DNS Privacy Exploits
• Data leaked by
    • Installed DNS or security software
        • Cisco Umbrella Agent
        • Antivirus or Endpoint security
    • Browser logs
    • Browser built-in DNS resolver
        • Chrome Asynchronous DNS Feature
        • DNS over HTTPS (DoH)
    • ISPs logging DNS
    • Intermediate DNS servers logging requests
        • Cache servers
        • Authoritative servers
Data Leakage
Common DNS Data
What Data Could Be Leaked?
• Commonly logged data
    • Domain Name
    • Source IP
    • Record Type
• Overlooked data
    • Included record content
        • TXT records – SPF info, DKIM keys, etc.
    • EDNS(0) Option data – ex. Client subnet data
    • Added by software
        • Device MAC address
        • Local IP
        • Device name, etc.
What Data Could Be Leaked? (continued)
• Overlooked data (continued)
    • MX Record Requests
        • Infer email habits
        • Aid in targeted phishing
    • Service Provider DNS
        • DNS is used to validate or score both domains and web content
        • SonicWall, Umbrella, Antivirus
        • Discloses internal software & security solution vendors
DNS Data Tracking Methods
How is DNS Data Tracked?
• DNS Logging
    • Local servers
    • Cache Servers – both forwarded and in-line
    • Firewalls
    • Proxies
    • Local Devices
    • Third Party Analytics
• Packet Sniffing
    • IDS / IPS
    • ISP DNS sniffing
    • Internal security software
DNS Resolution
How is DNS Resolved?
What are the leakage points?
• LAN
• ISP / WAN Provider
• Upstream Cache Server
• Target Authoritative Servers
• Root Servers
Secure DNS
DNS over HTTPS & DNS over TLS
• DNS over HTTPS (DoH)
    • Defined in RFC 8484
    • Port 443
    • Standard HTTPS connection
• DNS over TLS (DoT)
    • Defined in RFC 7858 & RFC 8310
    • Includes
        • DNS over Datagram Transport Layer Security (DTLS) optional
        • DNS over Transport Layer Security (TLS) required
    • Port 853
    • Standard TCP connection
Compare & Contrast

DoH                                              | DoT
-------------------------------------------------|-------------------------------------------------
Uses existing port & protocol (443/HTTPS)        | Uses dedicated port (853) & TCP protocol
Traffic “hides” in existing HTTPS traffic        | Traffic visible due to dedicated port
Possible to MITM due to inspection               | Can be blocked at network level
Uses TLS 1.3                                     | Uses TLS 1.2 or 1.3
Hard to block just malicious DNS w/o impact      | Impossible to block malicious DNS in transit
Ensures reasonable privacy                       | Full privacy if you trust cache resolvers
Caching has issues due to random ID              | Caching same as existing DNS
Great deal of overhead                           | Less overhead
Requires server & client rework                  | Requires server & client rework
DNS Tools
How Can I Check My DNS for Leaks?
• Dig
    • Built into BIND https://www.isc.org/downloads/
    • Runs on Windows
        • Extract the BIND for Windows file to a folder
        • Run the included C++ runtime installer
        • Add the folder to PATH
    • Query a server you know is authoritative: no aa flag in the response means that server did not answer you
• Namebench
    • Google tool supported at https://namebench.en.softonic.com/
    • Windows or Mac
    • Includes a “Censorship” check option
    • Compares DNS performance
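The aa-flag check from the dig bullet, written out as an added Python example (my illustration, not code from the talk) so the logic is explicit: it sends a non-recursive query straight to a server you know to be authoritative for a name and reads the flags word of the reply. An aa answer means the server you addressed replied; an answer without aa but with ra set means a recursive resolver answered in its place, which is what transparent port 53 redirection looks like from the client. The server address 192.0.2.53 and the zone example.com are placeholders to replace with your own values.

```python
"""Check whether the DNS server you address directly is the one that answers.

Added example, not code from the talk. Does the same job as looking for the
'aa' flag in dig output when querying a known authoritative server.
"""
import secrets
import socket
import struct

AUTH_SERVER = "192.0.2.53"   # placeholder: address of a server authoritative for ZONE
ZONE = "example.com"         # placeholder zone name


def build_query(name, qtype=1, txid=None, rd=False):
    """Build a minimal DNS query (RFC 1035). rd=False asks for no recursion,
    so only the addressed server, or something interposed, will answer."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_flags(message):
    """Decode the transaction id and the 16-bit flags word of a DNS header."""
    txid, flags = struct.unpack("!HH", message[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),   # recursion available (set by recursive resolvers)
        "rcode": flags & 0x000F,
    }


def interpret(query, response):
    """Classify the reply to a non-recursive query aimed at an authoritative server."""
    q, r = parse_flags(query), parse_flags(response)
    if r["id"] != q["id"]:
        return "ID_MISMATCH"                  # reply does not belong to our query
    if not r["qr"]:
        return "NOT_A_RESPONSE"
    if r["aa"]:
        return "AUTHORITATIVE"                # the server we addressed answered itself
    if r["ra"]:
        return "RECURSIVE_RESOLVER_ANSWERED"  # something on the path answered instead
    return "NOT_AUTHORITATIVE"                # server is simply not authoritative for this name


def check_authoritative(server, name, qtype=1, timeout=3.0):
    """Send the query over UDP/53 and return the verdict string.
    Needs network access; the offline test exercises interpret() instead."""
    query = build_query(name, qtype, rd=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return interpret(query, response)


if __name__ == "__main__":
    print(check_authoritative(AUTH_SERVER, ZONE))
```

Run it from the network you want to test, against two or three different authoritative servers for zones you trust; a consistent RECURSIVE_RESOLVER_ANSWERED result is the same signal the talk's nmap bullet describes (port 53 always "open"), obtained from a single packet rather than a scan.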
How Can I Check My DNS for Leaks? (continued)
• Nmap
    • Download from https://nmap.org/
    • Scan random IPs
    • If port 53 is ALWAYS open, your ISP is redirecting port 53 traffic
• DNS Leak Test (assumes VPN)
    • Visit https://www.dnsleaktest.com
    • Choose “Extended Test”
    • Examine the results to see which DNS resolvers are in use
    • Make sure they are the ones you expect
    • Also https://torguard.net/vpn-dns-leak-test.php
    • Also http://dnsleak.com/
• Wireshark
    • Download from https://www.wireshark.org
    • Set up capture filter “port 53 or port 853”
    • Capture TCP too, as DNS can also use TCP
    • Capture and see where your DNS conversations happen
How Can I Log My DNS?
• Packetbeat
    • Download from https://www.elastic.co/downloads/beats
    • Install on your endpoints & DNS cache servers
    • Export DNS data to Graylog or another Elasticsearch-based system
• Graylog
    • Download from https://www.graylog.org/downloads
    • Log aggregation
    • Enables single-pane-of-glass insight into DNS activity
DNS Privacy Solutions
How Private Do I Want to Be?
• Public Secure Resolvers
    • Cloudflare
        • https://blog.cloudflare.com/announcing-1111/
        • Supports both DoT and DoH
        • Promises not to log for more than 24 hours, backed by a verified audit
    • Quad 9 (Verisign)
        • https://www.quad9.net/
        • Claims to block malicious domains
        • No PII collected
        • Supports DNSCrypt
        • Supports DoT and DoH
How Private Do I Want to Be? (continued)
• Cloud Based
    • Build a VM in the cloud
    • Use Unbound configured like this: https://dnsprivacy.org/wiki/display/DP/Using+Unbound+as+a+DNS+Privacy+server
    • Configure it to forward all queries to a DoT-compatible upstream server
    • Point your local DNS at your VM's IP
    • Enhancements
        • VPN tunnel
        • VPN over Tor
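An added example of the cloud-VM Unbound setup just described (my illustration, not the configuration from the talk or from the linked dnsprivacy.org page): a minimal unbound.conf that accepts queries only from the VPN/LAN range and forwards every query to a DoT upstream with certificate verification. Assumptions: Unbound 1.7.3 or later (needed for the @port#authname syntax), Cloudflare 1.1.1.1 as the DoT upstream, 10.0.0.0/8 as the private range allowed to query, and a Debian-style CA bundle path.

```conf
# Added example: minimal Unbound config forwarding everything over DoT.
# Not the talk's or dnsprivacy.org's config; values below are assumptions.
server:
    interface: 0.0.0.0
    port: 53
    # Only the VPN/LAN range may query. Everything else is refused so the VM
    # does not become an open resolver that leaks queries or amplifies traffic.
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # CA bundle used to verify the upstream certificate against the
    # authentication name given after '#' in forward-addr below.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # Do not answer CHAOS id.server / version.bind probes.
    hide-identity: yes
    hide-version: yes
    # Keep no per-query log on the VM itself; errors only.
    verbosity: 1
    log-queries: no

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

Run unbound-checkconf before restarting the service, then point the local resolver (resolv.conf or the DHCP-supplied DNS) at the VM's address; with the VPN-tunnel enhancement from the slide, that address should be the VM's tunnel-side IP so the port 53 hop to the VM is itself not visible to the ISP.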
How Private Do I Want to Be? (continued)
• Opera Browser
    • Has a built-in VPN (technically a proxy)
    • No data encryption on the tunnel
    • DNS appears to be tunneled, bypassing the ISP
    • Opera logs EVERYTHING
    • VPN provided by a Canadian company
    • Bottom line
        • Keeps your ISP from seeing your DNS queries
        • Hides nothing else
https://thebestvpn.com/reviews/opera-vpn/
How Private Do I Want to Be? (continued)
• Firefox
    • No built-in VPN
    • Has a setting for configuring DNS over HTTPS
    • Other settings in about:config
    • View activity in about:networking
    • Check at https://www.cloudflare.com/ssl/encrypted-sni/
    • Bottom line
        • Keeps your ISP from seeing your DNS queries
        • Hides nothing else
https://www.bleepingcomputer.com/news/software/mozilla-firefox-expands-dns-over-https-doh-test-to-release-channel/
• Tor Browser
    • All traffic including DNS routed through Tor nodes
    • Has a setting for configuring DNS over HTTPS
    • Other settings in about:config
    • View activity in about:networking
    • Check at https://www.cloudflare.com/ssl/encrypted-sni/
    • Bottom line
        • Keeps your ISP from seeing your DNS queries
        • Hides all traffic until it comes out of a Tor exit node
How Private Do I Want to Be? (continued)
• DNSCrypt
    • Implemented both at server and client https://www.dnscrypt.org/
    • https://dnscrypt.info/implementations
    • Set up your own server
        • https://github.com/jedisct1/dnscrypt-proxy/wiki/How-to-setup-your-own-DNSCrypt-server-in-less-than-10-minutes
        • Cheap and off-site
    • Client options
        • https://simplednscrypt.org/
• TorGhost
    • For Kali
    • Routes all IPv4 traffic through Tor
Wrap-up
Take Home Message
• DNSCrypt, DoH & DoT
    • Provide assurance that DNS isn’t tampered with in transit
    • DO NOT ensure 100% privacy
• Getting 100% privacy is relatively cumbersome
    • You end up trading speed for privacy
    • Introduces complexity and more points of failure
• Privacy is relative
    • What is your goal?
    • Who are you trying to evade?
    • You cannot evade everyone easily
• Tempered curiosity and paranoia are good
• Validate your assumptions
So Now What?
• Questions & Answers
• Contact Info
    • jnitterauer@appriver.com
    • @jnitterauer
    • https://www.linkedin.com/in/jnitterauer
    • 850-932-5338 ext. 6468

DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hacker Halted 2019 – Jim Nitterauer
