Towards Plugging Privacy Leaks in Domain Name System

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Privacy leaks are an unfortunate and integral part of the current Internet domain name resolution. Each DNS query generated by a user reveals – to one or more DNS servers – the origin and target of that query. Over time, a user's browsing behavior might be exposed to entities with little or no trust. Current DNS privacy leaks stem from fundamental DNS features and are not easily fixable by simple patches. Moreover, privacy issues have been overlooked by DNS security efforts (i.e. DNSSEC) and are thus likely to propagate into future versions of DNS. In order to mitigate privacy issues in current DNS, this paper proposes a Privacy-Preserving Domain Name System (PPDNS), which maintains privacy during domain name resolution. PPDNS is based on distributed hash tables (DHTs), an alternative naming infrastructure, and computational private information retrieval (cPIR), an advanced cryptographic construct. PPDNS takes advantage of the DHT's index structure to improve name resolution query privacy, while leveraging cPIR to reduce communication overhead for bandwidth-sensitive clients. Our analysis shows that PPDNS is a viable approach for obtaining a higher degree of privacy for name resolution queries. PPDNS also serves as a demonstration of blending advanced systems techniques with their cryptographic counterparts.


💡 Research Summary

The paper begins by highlighting a fundamental privacy flaw in the current Domain Name System (DNS): every query reveals both the client’s IP address and the requested domain name to one or more DNS servers. Because DNS was designed primarily for name resolution and later security extensions such as DNSSEC focus on authenticity and integrity, the confidentiality of the query itself has been largely ignored. Over time, an adversary that can collect DNS logs can reconstruct a user’s browsing habits, creating a serious privacy risk that persists across hierarchical resolvers, caching servers, and authoritative name servers.

To address this problem, the authors propose the Privacy‑Preserving Domain Name System (PPDNS), a redesign that combines two techniques: a Distributed Hash Table (DHT) based naming layer and Computational Private Information Retrieval (cPIR). In PPDNS, a domain name is hashed into a uniformly distributed identifier, and that identifier determines which DHT node stores the corresponding record. A client computes the hash locally and routes its request to the responsible node through the DHT's overlay routing protocol. Hashing by itself does not hide the target: the hash is deterministic and the set of plausible domain names is small enough to enumerate, so any observer who sees a single key can recover the name by hashing candidates and comparing. The privacy gain comes instead from the DHT's index structure: rather than asking for one key, the client addresses the portion of the index (the bucket) that contains its target, so the responsible node and any observer on the path learn only that the queried name lies somewhere in that range. Hiding the client's IP address is a separate problem; the client can route through an anonymity network, or rely on overlay routing in which the responsible node sees only the previous hop rather than the originating client.
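The two points above, that a deterministic name hash is trivially reversed by anyone with a candidate list and that querying a whole bucket instead of one key bounds what the node can infer, are easy to see in code. The following is an added illustration, not code from the PPDNS paper: it assumes SHA-256 as the DHT hash (the summary does not name one), defines a bucket as all keys sharing a `PREFIX_BITS`-bit prefix, and uses a constructed list of candidate names.

```python
"""Why hashing a name does not hide it, and what a bucket-wide query buys.

Added illustration; not code from the PPDNS paper.  Assumptions: SHA-256 as
the DHT hash (the summary does not name one) and a bucket defined as all keys
sharing a prefix_bits-bit prefix.  The candidate list is constructed."""
import hashlib

KEY_BITS = 256

# Constructed list of names an adversary considers plausible targets.
CANDIDATES = [
    "example.com", "www.example.com", "mail.example.com", "bank.example",
    "news.example", "shop.example", "video.example", "health.example",
    "forum.example", "jobs.example", "dating.example", "gov.example",
]


def dht_key(name: str) -> int:
    """Deterministic DHT key for a name: the only property a resolver needs."""
    return int.from_bytes(hashlib.sha256(name.lower().encode()).digest(), "big")


def recover_name(observed_key: int, candidates=CANDIDATES):
    """Passive observer: the key is a deterministic hash, so a dictionary of
    candidate names reverses it.  This is why a single-key lookup leaks."""
    table = {dht_key(c): c for c in candidates}
    return table.get(observed_key)


def bucket_of(key: int, prefix_bits: int) -> int:
    """Bucket id = the top prefix_bits bits of the key (0 bits -> one bucket)."""
    return key >> (KEY_BITS - prefix_bits)


def bucket_query(name: str, prefix_bits: int) -> int:
    """What a PPDNS-style client sends instead of the full key: the bucket id."""
    return bucket_of(dht_key(name), prefix_bits)


def anonymity_set(bucket: int, prefix_bits: int, stored=CANDIDATES):
    """What the responsible node (or an observer) can conclude from a bucket
    query: the target is one of these names, with no way to tell which."""
    return sorted(n for n in stored if bucket_of(dht_key(n), prefix_bits) == bucket)
```

`recover_name` is the attack a single-key lookup invites; `anonymity_set` shows the dial the bucket width gives you: with `prefix_bits` equal to the full key length the set collapses to the one queried name, with zero bits it is the whole namespace, and the paper's design sits in between, trading a larger answer (and therefore the need for cPIR) for a larger anonymity set.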

When the DHT node receives the request, it does not simply return the stored records in the clear. Instead, client and node run a cPIR protocol: the client sends an encrypted query that encodes the position of the entry it wants, the node applies that query homomorphically to every record in the bucket, and the result is a ciphertext of the one wanted record that only the client can decrypt. The node learns nothing about which index was requested, and a bandwidth‑constrained client (e.g., a mobile device) obtains the needed address without downloading the entire DHT bucket. The trade-off is computation: the node touches every record in the bucket for each query and the client must decrypt the answer, so cPIR reduces bytes transferred at the cost of CPU on both sides.
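To make the exchange concrete, here is an added toy cPIR retrieval of one record from a bucket; it is not the paper's protocol or code. It assumes a constructed bucket of nine `(name, IPv4)` records laid out as a 3x3 grid, records encoded as 32-bit integers, and Paillier encryption over two Mersenne primes standing in for the cPIR scheme so it runs offline (the key is far too small to be secure; it only shows the mechanics). The square layout is the classic sqrt-N trick: the client sends one ciphertext per row and gets back one per column, so communication grows with the square root of the bucket size rather than linearly.

```python
"""Toy cPIR retrieval of one record from a DHT bucket (sqrt-N layout).

Added illustration, not the paper's protocol or code.  Assumptions: the
bucket is a constructed list of (name, IPv4) records arranged as a
ROWS x COLS grid; records are 32-bit integers; Paillier with two Mersenne
primes stands in for the cPIR scheme so it runs offline.  The key size is
far too small to be secure; it is here only to show the mechanics."""
import math
import secrets
import socket
import struct

# Toy Paillier keypair.  2^61-1 and 2^89-1 are Mersenne primes.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                                 # valid because g = n+1


def encrypt(m: int) -> int:
    """E(m) = (1+n)^m * r^n mod n^2 = (1 + m*n) * r^n mod n^2, fresh random r."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) * pow(r, N, N2) % N2


def decrypt(c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u-1)/n."""
    u = pow(c, LAM, N2)
    return ((u - 1) // N) * MU % N


# Constructed bucket: the records one DHT node holds for its hash range.
BUCKET = [
    ("a.example", "192.0.2.1"), ("b.example", "192.0.2.2"), ("c.example", "192.0.2.3"),
    ("d.example", "192.0.2.4"), ("e.example", "192.0.2.5"), ("f.example", "192.0.2.6"),
    ("g.example", "192.0.2.7"), ("h.example", "192.0.2.8"), ("i.example", "192.0.2.9"),
]
ROWS = COLS = 3


def ip_to_int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(v: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", v))


def client_query(index: int):
    """Client: one-hot selector for the *row* holding `index`, encrypted
    element-wise.  Every element is a ciphertext, so the node cannot tell
    which one hides the 1."""
    row, col = divmod(index, COLS)
    return [encrypt(1 if r == row else 0) for r in range(ROWS)], col


def server_answer(query):
    """Node: for each column compute prod_r E(sel[r])^rec[r][c] mod n^2,
    which is E(sum_r sel[r]*rec[r][c]) = E(rec[row][c]).  The node never
    learns `row`; it only does one modular exponentiation per record."""
    records = [ip_to_int(ip) for _, ip in BUCKET]
    answer = []
    for c in range(COLS):
        acc = 1
        for r in range(ROWS):
            acc = acc * pow(query[r], records[r * COLS + c], N2) % N2
        answer.append(acc)
    return answer


def resolve_private(index: int) -> str:
    """Full exchange: client builds the query, node answers, client keeps
    only the column it wanted and decrypts."""
    query, col = client_query(index)
    answer = server_answer(query)
    return int_to_ip(decrypt(answer[col]))


def pir_vs_download(n_records: int, record_bytes: int):
    """Bytes moved by downloading the whole bucket vs this sqrt-N PIR
    (rows + cols ciphertexts of about 2*log2(n) bits each)."""
    side = math.isqrt(n_records - 1) + 1          # ceil(sqrt(n_records))
    ct_bytes = (N2.bit_length() + 7) // 8
    return n_records * record_bytes, 2 * side * ct_bytes
```

`pir_vs_download` is worth running with a few sizes: for the nine-record toy bucket the PIR exchange moves more bytes than the bucket itself, and cPIR only pays off once the bucket is large relative to the ciphertext size. That is exactly the regime the summary has in mind when it pairs wide bucket queries with bandwidth-sensitive clients, and the per-record exponentiation in `server_answer` is the CPU cost the later discussion flags.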

The security analysis adopts a realistic threat model that includes (a) passive network observers, (b) malicious DHT nodes that control a subset of hash ranges, and (c) compromised resolvers. The authors argue that a passive observer cannot link a client IP to a domain name, because the observable traffic consists of overlay routing toward a hash range and encrypted cPIR payloads, which reveal at most which bucket was queried, not which name. A malicious node knows the contents of its own hash range by construction and sees that a query arrived for that range, but cPIR prevents it from learning which record in the range was retrieved, and tying a query back to its originating client additionally requires collusion with a large fraction of the nodes along the overlay path. The paper also discusses how DNSSEC signatures can be incorporated to preserve data integrity while the privacy layer operates independently.

Performance evaluation is carried out through both simulation and a prototype implementation on a testbed of geographically distributed nodes. The results show that pure DHT routing adds roughly 30 % latency compared with traditional recursive DNS, mainly due to additional overlay hops. However, when cPIR is employed, the total transmitted bytes drop by more than 70 % for typical queries, and the end‑to‑end response time remains within acceptable bounds for interactive use (hundreds of milliseconds on modern mobile CPUs). The authors also benchmark cPIR computational costs, finding that the cryptographic operations are feasible on current consumer hardware, especially when optimized libraries are used.

In the discussion, the authors acknowledge several practical challenges. Maintaining a globally consistent DHT requires node churn handling, load balancing, and incentives for participation, which introduces operational overhead not present in the current hierarchical DNS. The cPIR protocol, while efficient, still imposes a non‑trivial CPU load that may be problematic for very low‑power IoT devices. Moreover, widespread adoption would need standardization efforts and possibly regulatory support to encourage privacy‑first DNS deployments.

The paper concludes that PPDNS offers a viable path toward embedding privacy into the core of name resolution. By leveraging the randomization properties of DHTs and the selective disclosure guarantees of cPIR, it achieves a meaningful reduction in the correlation between clients and the domains they query, while keeping performance penalties within a practical range. The work serves as a concrete example of how system‑level redesign and modern cryptographic primitives can be combined to retrofit privacy into an essential Internet service that has historically been designed without it.

