Gilad Moav, Yehuda Afek, and Anat Bremler-Barr, Tel Aviv University; Amit Klein, Hebrew University of Jerusalem
In this paper, we present DNS FLaRE, a DNS cache-based timing side-channel attack that allows an attacker to accurately infer the times at which a user visits specific websites. We demonstrate the attack on DNS forwarders, a widely used component of the DNS infrastructure that acts as an intermediary cache between DNS clients and recursive resolvers. The threat model assumes only that the victim is tricked into visiting a malicious website. We show that the attack can accurately infer the times at which a user visits specific websites by exploiting discrepancies in the DNS resolution times of a domain, depending on whether it is in the forwarder cache or not. Furthermore, when targeting IoT devices, the attack can infer when certain events were taking place at an IoT device. This is enabled by observing IoT related DNS resolution discrepancies by a browser in the same household. The attack facilitates sophisticated phishing attacks, IoT device detection and profiling and other potential privacy implications.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Gilad Moav and Yehuda Afek and Anat Bremler-Barr and Amit Klein},
title = {{DNS} {FLaRE}: A {Flush-Reload} Attack on {DNS} Forwarders},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {3557--3576},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/moav},
publisher = {USENIX Association},
month = aug
}
