Innovation

Oblivious DNS could protect your internet traffic against snooping

DNS is prone to snooping of personal data, but four Princeton researchers think they've found a way to encrypt everyone's traffic without any changes to the current DNS system.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Researchers at Princeton University have proposed a new DNS system that will separate user identity from requests, greatly increasing online privacy and anonymity.
  • The new system, Oblivious DNS, would require no changes to the existing DNS structure, only the addition of two nodes to handle encryption and decryption of ODNS traffic.

A group of researchers at Princeton University believe they have found a way to protect the identity of internet users by adding a new layer to Domain Naming System (DNS) traffic.

At its most basic level DNS matches website names with their IP addresses, making it a fundamental part of the structure of the internet. Any change to DNS is likely to be met with resistance, the researchers say, making changing it to protect users difficult.

It's also simple for a third party, like law enforcement or cyber criminals, to snoop on the personally identifying information that is transmitted to DNS servers. That information includes your IP address, the geographical subnet you are on (and therefore your general location), your MAC address, and the name of the website you want to visit.

Those personal details are transmitted in plain text, making intercepting it easy. Internet users also need to have faith in the security of their DNS provider—all the information transmitted can be stored, creating a total profile of the internet use coming from your IP address, or even your particular computer.

The Princeton team developed what it calls Oblivious DNS (ODNS), which protects user data not only by encrypting it, but also by separating what different nodes in the DNS chain are aware of, making it much harder, if not impossible, to snoop on users.

And they've done it all without requiring a single change to the structure of DNS.

Obliviating your DNS identity

ODNS is simple. So simple, in fact, that you'll be amazed it hasn't been thought of already.

What it requires is the addition of two nodes to the DNS chain: a new server called an ODNS Stub between the user and the recursive DNS server, and a new ODNS authoritative name server that comes after the recursive DNS server.

odnsoverview.png
Image: Princeton University

SEE: IT leader's guide to reducing insider security threats (Tech Pro Research)

Those two new nodes facilitate the encryption and breaking up of a user identity (IP address, subnet, MAC) from the user request (site name). Here's how it works:

  • A user requests a connection to www.techrepublic.com.
  • The ODNS Stub encrypts the request, attaches a session key, and appends .odns onto the request.
  • The recursive DNS server, upon seeing ".odns" at the end of the request, passes it on to the ODNS authoritative name server.
  • The ODNS authoritative name server decrypts the request and passes it along to the appropriate servers, completing the request.

The recursive DNS server, therefore, may know who you are but can't tell what you're requesting, and the ODNS server knows your request but not who you are.

ODNS won't be coming for a while, if ever. The Princeton team said that it's an ongoing project that is only in the prototype phase. If it does become reality it could be one of the largest transformations in practical internet privacy to date.

Also see

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.

Editor's Picks

Free Newsletters, In your Inbox