DNS-sly: Avoiding Censorship through Network Complexity
Qurat-Ul-Ann Danyal Akbar, Marcel Flores, Aleksandar Kuzmanovic
https://censorbib.nymity.ch/#Akbar2016a
Presentation slides
DNS-sly is a covert channel based on DNS: a requester and responder exchange information over DNS queries and responses. Unlike other DNS tunnels, DNS-sly aspires to deniability: it should be difficult, by watching the messages exchanged between the requester and responder, or even by active interference, to determine whether DNS-sly is being used, or what is being sent through the tunnel. DNS-sly accomplishes this with a preliminary profiling phase in which the requester uses the responder as a normal DNS server, and the responder learns distributions of (1) what domains the requester usually queries, and (2) the IP addresses that those domains correspond to. Later, covert communication tries to conform to the distributions observed during profiling. Upstream communication takes the form of queries for domains that are similar to what the requester usually queries for. Downstream communication is expressed in the selection of which of a domain name’s real, multiple IP addresses are included in a response, and their ordering. (The upstream is therefore slightly additive, in that it injects queries on top of the requester’s “natural” query stream. The downstream does not add new responses, but only modifies the responses that the responder would have sent anyway.)
One of the main empirical observations of the paper is that many domain names—probably because they are hosted on CDNs—map to more than one IP address—even hundreds. And a single DNS response may contain multiple IP address records: responses with 8 or 15 records are reasonably common. All the IP addresses are equivalent, as far as functionality is concerned. Therefore the choice of which IP addresses are included in a response can be used to encode information. As a simple example, suppose a domain name has a pool of 256 possible IP addresses, and that a response for that domain name typically includes 8 IP address records. Then each IP address can map to a byte value, and a collection of them in a response can represent 8 bytes of downstream data. (The way of representing information as a choice of items from a set is reminiscent of the “range-mapping” encoding of Infranet Section 4.2.3.)
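As an added illustration of the downstream encoding described above (example code written for this summary, not code from the paper or from any DNS-sly implementation): the responder turns a chunk of data into an ordered selection of addresses drawn from the domain's profiled pool, and the requester inverts that mapping. The pool and record count are constructed stand-ins (TEST-NET-3 addresses), not measured values. It goes slightly beyond the paper's byte-per-record example by encoding a chunk as an ordered selection of k distinct addresses, so that a repeated byte never produces a duplicate record; the capacity of one response is then floor(log2(n P k)) bits, which for a pool of 256 and 8 records is 63 bits rather than 64. The final function is the plausibility check that the scheme's deniability depends on, which is also the test a monitor holding its own profile of the name would apply.

```python
import math
from typing import List

# Constructed profiling result (not measured from a real domain): a name observed
# to resolve to a pool of 256 distinct addresses, with answers that normally
# carry 8 A records.  The addresses are TEST-NET-3 placeholders.
PROFILED_POOL: List[str] = [f"203.0.113.{i}" for i in range(256)]
RECORDS_PER_RESPONSE = 8


def capacity_bits(pool_size: int, k: int) -> int:
    """Bits one response can carry when it is an ordered selection of k distinct
    addresses out of pool_size: floor(log2(pool_size P k))."""
    return math.perm(pool_size, k).bit_length() - 1


def int_to_selection(m: int, pool: List[str], k: int) -> List[str]:
    """Map m in [0, perm(n, k)) to an ordered k-subset of pool.
    Mixed-radix decomposition: the first pick has n options, the second n-1,
    and so on, so no address is ever repeated within a response."""
    n = len(pool)
    if not 0 <= m < math.perm(n, k):
        raise ValueError("value does not fit in one response")
    available = list(pool)
    chosen: List[str] = []
    for i in range(k):
        completions = math.perm(n - i - 1, k - i - 1)  # ways to finish after this pick
        idx, m = divmod(m, completions)
        chosen.append(available.pop(idx))
    return chosen


def selection_to_int(selection: List[str], pool: List[str]) -> int:
    """Inverse of int_to_selection (the requester's side)."""
    n = len(pool)
    available = list(pool)
    m = 0
    for i, addr in enumerate(selection):
        idx = available.index(addr)  # ValueError if the address is outside the pool
        available.pop(idx)
        m = m * (n - i) + idx
    return m


def encode_downstream(payload: bytes, pool: List[str], k: int) -> List[List[str]]:
    """Split payload into chunks that fit one response and turn each chunk into
    the ordered address list the responder would place in its answer."""
    per_response = capacity_bits(len(pool), k) // 8
    responses = []
    for off in range(0, len(payload), per_response):
        chunk = payload[off:off + per_response]
        responses.append(int_to_selection(int.from_bytes(chunk, "big"), pool, k))
    return responses


def decode_downstream(responses: List[List[str]], pool: List[str], k: int,
                      length: int) -> bytes:
    """Reassemble the payload; `length` is assumed known to the requester
    (framing is not described in the paper and is left out here)."""
    per_response = capacity_bits(len(pool), k) // 8
    out = bytearray()
    for resp in responses:
        size = min(per_response, length - len(out))
        out += selection_to_int(resp, pool).to_bytes(size, "big")
    return bytes(out)


def looks_like_profiled_answer(response: List[str], pool: List[str], k: int) -> bool:
    """Deniability check: every record is a real address from the profiled pool,
    none repeats, and the record count matches the profile.  A monitor with its
    own profile of the name would apply the same test; an answer failing it is
    distinguishable from the name's normal answers."""
    pool_set = set(pool)
    return (len(response) == k
            and len(set(response)) == k
            and all(a in pool_set for a in response))


if __name__ == "__main__":
    msg = b"GET /index.html"  # constructed 15-byte payload -> 7 + 7 + 1 bytes
    answers = encode_downstream(msg, PROFILED_POOL, RECORDS_PER_RESPONSE)
    print(len(answers), "responses,", capacity_bits(256, 8), "bits each")
    print(decode_downstream(answers, PROFILED_POOL, RECORDS_PER_RESPONSE, len(msg)))
```

The upstream direction is not modelled, since the paper does not specify how the additional queries are chosen. Note that a real deployment would also have to match the per-address frequencies and orderings seen during profiling, not merely stay inside the pool, which is what the 2.3 MB profile map mentioned below is for.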
The upstream data encoding is not completely described in the paper. All it says is that the requester sends additional queries that “semantically overlap” with the kinds of queries the requester normally makes. Both the upstream and downstream depend, for deniability, on fairly extensive prior profiling of requested domains and the IP addresses they map to; a compressed profile map is said to be 2.3 MB in size. The profile map is measured by the responder, and must be somehow transferred back to the requester before DNS-sly may be used. The envisioned use case for DNS-sly is a web proxy: the requester sends URLs to the responder, and the responder fetches the URLs and sends back the web page bodies.
Thanks to the authors for reviewing a draft of this summary.