New Research Examines Privacy Concerns of the Internet's Domain Name System
All internet activity begins with a domain name system (DNS) query, as the protocol maps host names to routable internet protocol (IP) addresses. The transmission of information through the DNS and the data stored on DNS servers generate a wealth of data from millions of users, creating privacy concerns.
DNS research conducted by Cynthia Hood, associate professor of computer science, and Vijay K. Gurbani, adjunct professor of computer science, in Illinois Institute of Technology’s Department of Computer Science examined the protocol as it evolves against a backdrop of increased privacy concerns on the internet. The research attempts to trace the evolution of the DNS protocol and determine whether the evolutionary trajectory benefits the privacy of users. Their paper, titled “When DNS Goes Dark: Understanding Privacy and Shaping Policy of an Evolving Protocol,” was recognized as a top 10 paper by the SSRN (formerly the Social Science Research Network) and will be presented on February 19, 2021, at the Research Conference on Communications, Information, and Internet Policy.
“Each time we visit a website or accomplish a task on the internet, every such transaction starts with a DNS query,” Gurbani says. “Consequently, the owner of the DNS server knows where a certain user is going. Over time, a sophisticated user profile can be built up that includes all the sites that a user visits, when the user visits these sites, and so on.”
Most users are unaware that DNS queries are stored by DNS providers, or that these queries can be traced back to their specific IP address. And although many users might not be concerned about visits to online shopping sites or social media, some DNS queries could be more sensitive.
“If it is observed that a certain user always signs in to Alcoholics Anonymous at 4 p.m. every day, that may be a privacy leak, as there is an expectation of privacy on behalf of the user when using this service,” Gurbani says.
The research shows that data stored by DNS providers is regulated by a variety of means, with some being more restrictive than others. The European Union’s General Data Protection Regulation places strict restrictions on how user data, including data pertaining to DNS queries, can be shared. For example, when IP addresses can be linked with other information at the DNS provider, the IP addresses are considered “personal data” and are heavily restricted by regulations covering storage and sharing. In the United States, there is no federal regulation governing data privacy, just a patchwork of regulations that provide limited guidance on how user data, including DNS queries, can be shared.
The paper concludes that DNS resolvers deserve careful scrutiny, as users are generally unaware of the privacy policies of the companies running the DNS resolvers, nor are users aware that their DNS lookups are stored and may be used by these companies for profit. Internet service providers (ISPs) bundle DNS service, and some ISPs outsource DNS, which contributes to the lack of user awareness.
“What will probably help is a federal omnibus privacy legislation instead of the patchwork of data-privacy regulations we have in the U.S. today,” Gurbani says. “Insofar as we are to have stronger regulations that help protect user privacy, these regulations should be focused more on the entire data-privacy spectrum, with the user’s privacy as the centerpiece instead of affording protections to a specific protocol or a specific industry. A user’s data generated as a result of using the internet is just as private when the user is interacting with a medical professional as it is when the user is making an online purchase.”
Gurbani and Hood collaborated with Anita Nikolich of the University of Illinois at Urbana-Champaign, Henning Schulzrinne of Columbia University, and Radu State of the University of Luxembourg to publish the paper.
Photo: Associate Professor of Computer Science Cynthia Hood