
DNS Leaking: where is as important as what

Wednesday, May 27th, 2009

In intelligence, the where can be just as important as the what.

What I mean is, even if I don’t know what communication was exchanged, the mere fact that you met with someone is very valuable.

This paradigm also applies to internet traffic analysis.

HTTPS gives you a secure way to exchange data online (the what), but it does nothing to hide the where: the name of the site you are talking to is sent in the clear before the encrypted connection is even opened. Covering up the where takes a separate step.

To get a better idea of how traffic analysis yields the “where” information, here’s a quick overview of the events that take place on a typical visit:

  1. you type ‘marzeporgohar.org’ in your browser
  2. your browser sends a DNS query to a DNS server asking for the IP address of that name (plain DNS, unencrypted, usually UDP port 53)
  3. the DNS server replies with the IP of marzeporgohar.org
  4. your browser connects to the webserver at that IP and requests the page

At this point you might be wondering what is this DNS server?

Let’s say the IP address of mpg’s site is 64.34.168.37. You can paste the IP address into your browser and the site will come up, but most people don’t memorize IP addresses, they memorize domain names. Memorizing marzeporgohar.org is a lot easier than 64.34.168.37.

This is where a DNS server comes in: it maps a domain name to an IP address (and, with a reverse lookup, an IP address back to a name).

Here’s a sample exchange:

Query
From (you): 192.168.0.10
To (DNS Server): 66.75.160.63
Standard query A marzeporgohar.org

Answer
From (DNS Server): 66.75.160.63
To (you): 192.168.0.10
marzeporgohar.org: type A, class IN, addr 64.34.168.37
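To make the leak concrete, here is an added example (not code from the original post) that builds the query above in DNS wire format (RFC 1035) and parses a constructed reply. Everything a passive observer needs is visible in the raw bytes of the query: the question name is plain ASCII labels, not encrypted. The transaction ID and the TTL are arbitrary values chosen for the example; the answer address 64.34.168.37 is the one from the exchange above.

```python
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS standard query: header (RD set) + QNAME + QTYPE=A + QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_message(msg: bytes) -> dict:
    """Parse header, question section and answer section (A records decoded to dotted quads)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rclass, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

def build_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed reply: echo the question, add one A record whose name is a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in addr.split("."))
    return header + query[12:] + rr

def names_visible_on_wire(packet: bytes) -> list:
    """What an on-path observer learns from a single packet: the queried names, in cleartext."""
    return [q[0] for q in parse_message(packet)["questions"]]

if __name__ == "__main__":
    q = build_query("marzeporgohar.org")
    print(q.hex())                           # the label bytes "marzeporgohar" are right there
    print(names_visible_on_wire(q))
    print(parse_message(build_response(q, "64.34.168.37")))
```

Run it and look at the hex: an observer who only sees the query, never the reply and never the HTTPS session, still gets the name. That is the whole point of the post.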

So why should you care? Let’s say you are in Iran and you look up https://marzeporgohar.org. The Islamic Republic can’t read the HTTPS traffic because it is encrypted, but the initial DNS query that fetches the IP address of marzeporgohar.org is sent in the clear, and anyone on the path (your ISP, a national filter) can record it.

So while they may not know what you are doing on mpg’s site, the mere fact that you visited may be enough to begin building a profile on you.

Even if you are using a proxy (I like SSH tunnel proxies), you are open to DNS traffic analysis: by default the browser resolves the name locally, through the ISP’s DNS server, and only then hands the resulting IP to the proxy. The name has already leaked before the proxy sees anything.

So what is the solution?

One solution is to use a SOCKS5 proxy and enable remote DNS in Firefox (the about:config preference is network.proxy.socks_remote_dns; set it to true). SOCKS5 lets the client put a hostname, not just an IP, in the CONNECT request, so the browser never has to look the name up itself. An SSH tunnel started with ssh -D is a SOCKS5 proxy, so it works with this setting.

Now all your DNS queries will be done by the proxy server (which is obviously outside Iran). Two caveats: the proxy, and the DNS server the proxy uses, now see every name you visit, so you are moving your trust rather than removing it; and any application that is not configured to use the SOCKS proxy still resolves names locally and leaks them exactly as before.
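Here is an added example (not the post’s own code, and not Firefox’s) of what the remote-DNS setting changes on the wire. It encodes a SOCKS5 CONNECT request as specified in RFC 1928 and models the client-side decision: with remote DNS off, the client resolves the name locally (the leak) and sends ATYP 0x01 with an IPv4 address; with remote DNS on, it sends ATYP 0x03 with the hostname and lets the proxy resolve it. The resolver here is a constructed lookup table using the address from the sample exchange above, standing in for a real DNS query.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def socks5_connect_request(host: str, port: int) -> bytes:
    """Encode VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4) for a literal IP or a hostname."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 DOMAINNAME (1-byte length)")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    elif ip.version == 4:
        addr = bytes([ATYP_IPV4]) + ip.packed
    else:
        addr = bytes([ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def decode_request(req: bytes) -> dict:
    """Decode a CONNECT request as the proxy would, returning the address type, target and port."""
    ver, cmd, rsv, atyp = req[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = req[4]
        addr, off = req[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV4:
        addr, off = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_IPV6:
        addr, off = str(ipaddress.IPv6Address(req[4:20])), 20
    else:
        raise ValueError("unknown ATYP")
    return {"atyp": atyp, "addr": addr, "port": struct.unpack("!H", req[off:off + 2])[0]}

def fake_resolve(name: str) -> str:
    """Constructed stand-in for a local DNS lookup; a real one would emit the cleartext query."""
    return {"marzeporgohar.org": "64.34.168.37"}[name]

def connect_via_proxy(host: str, port: int, remote_dns: bool, resolver=fake_resolve):
    """Model the browser's choice. Returns (request bytes, list of names resolved locally)."""
    leaked = []
    if remote_dns:
        target = host                      # hostname travels inside the SOCKS request
    else:
        leaked.append(host)                # local lookup: the name goes out over plain DNS
        target = resolver(host)
    return socks5_connect_request(target, port), leaked

if __name__ == "__main__":
    for setting in (False, True):
        req, leaked = connect_via_proxy("marzeporgohar.org", 443, remote_dns=setting)
        print(f"socks_remote_dns={setting}: {req.hex()}  locally resolved={leaked}")
        print("  proxy sees:", decode_request(req))
```

With the setting off, the only thing the proxy receives is an IP address, and the interesting part (the name) went out over the local network in a DNS packet beforehand. With it on, the name travels inside the proxy connection and the first party to see it is the proxy.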