Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path


Baojun Liu, Chaoyi Lu, Haixin Duan, and Ying Liu, Tsinghua University; Zhou Li, IEEE member; Shuang Hao, University of Texas at Dallas; Min Yang, Fudan University


DNS queries from end users are handled by recursive DNS servers for scalability. For convenience, Internet Service Providers (ISPs) assign recursive servers for their clients automatically when the clients choose the default network settings. But users should also have flexibility to use their preferred recursive servers, like public DNS servers. This kind of trust, however, can be broken by the hidden interception of the DNS resolution path (which we term as DNSIntercept). Specifically, on-path devices could spoof the IP addresses of user-specified DNS servers and intercept the DNS queries surreptitiously, introducing privacy and security issues.

In this paper, we perform a large-scale analysis of on-path DNS interception and shed light on its scope and characteristics. We design novel approaches to detect DNS interception and leverage 148,478 residential and cellular IP addresses around the world for analysis. As a result, we find that 259 of the 3,047 ASes (8.5%) that we inspect exhibit DNS interception behavior, including large providers, such as China Mobile. Moreover, we find that the DNS servers of the ASes which intercept requests may use outdated vulnerable software (deprecated before 2009) and lack security-related functionality, such as handling DNSSEC requests. Our work highlights the issues around on-path DNS interception and provides new insights for addressing such issues.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {217551,
author = {Baojun Liu and Chaoyi Lu and Haixin Duan and Ying Liu and Zhou Li and Shuang Hao and Min Yang},
title = {Who Is Answering My Queries: Understanding and Characterizing Interception of the {DNS} Resolution Path},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
isbn = {978-1-931971-46-1},
address = {Baltimore, MD},
pages = {1113--1128},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/liu-baojun},
publisher = {{USENIX} Association},