Toward practical defense against traffic analysis attacks on encrypted DNS traffic

Computers & Security (2023)

Abstract
The primary goal of the DNS-over-HTTPS (DoH) protocol is to address users' privacy concerns about on-path adversaries, including local ISPs, who observe DNS traffic to learn web browsing activity even when the web traffic itself is not observable. To achieve this, the DoH protocol channels DNS traffic between a DNS client and its local DNS resolver through an encrypted HTTPS tunnel. However, as shown in previous studies, adversaries can still infer users' web browsing activity from encrypted DoH traffic through machine-learning-based traffic analysis (TA) attacks. These attacks rely on features of a website's DNS footprint that encryption does not hide, including query and response lengths, query counts, and the delays between successive queries (timing), to identify which website is being visited. To defend against such TA attacks, existing DoH clients and resolvers pad DNS queries and responses with zero bytes up to fixed block sizes before encrypting them, as recommended in RFC 8467. However, as shown by prior research and by our current work, this padding alone is not effective against TA attacks: even with it in place, attackers still achieve over 95% accuracy.
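The following example, added here and not taken from the paper, makes the abstract's defense and its limitation concrete. It computes the RFC 8467 block-length padding (queries to a multiple of 128 octets, responses to a multiple of 468 octets, carried in the EDNS(0) Padding option of RFC 7830) and then shows, on two constructed website footprints, that while padding collapses individual message lengths into a few buckets, the query count and inter-query timing survive untouched. The footprints, site names and helper function names are assumptions made for illustration.

```python
"""RFC 8467 block-length padding and the DoH footprint features it leaves visible.

Added example; not code from the paper. The two site footprints below are
constructed for illustration, not measured data.
"""
import struct

QUERY_BLOCK = 128         # RFC 8467 Section 4.1: clients pad queries to a multiple of 128 octets
RESPONSE_BLOCK = 468      # RFC 8467 Section 4.1: servers pad responses to a multiple of 468 octets
PADDING_OPTION_CODE = 12  # EDNS(0) Padding option code, RFC 7830
OPTION_HEADER_LEN = 4     # OPTION-CODE (2 octets) + OPTION-LENGTH (2 octets)


def padding_data_length(msg_len: int, block: int) -> int:
    """Zero octets needed so that msg_len plus the 4-octet option header is a multiple of block.

    Caveat not handled here: RFC 8467 says that if padding to the next block
    boundary would exceed the maximum message size, pad to that maximum instead.
    """
    return (block - (msg_len + OPTION_HEADER_LEN) % block) % block


def padded_length(msg_len: int, block: int) -> int:
    """Length of the message after the Padding option has been appended."""
    return msg_len + OPTION_HEADER_LEN + padding_data_length(msg_len, block)


def padding_option(msg_len: int, block: int) -> bytes:
    """Wire encoding of the EDNS(0) Padding option: code 12, length, then zero octets."""
    n = padding_data_length(msg_len, block)
    return struct.pack("!HH", PADDING_OPTION_CODE, n) + b"\x00" * n


# Constructed footprints (hypothetical sites): one entry per DNS query as
# (unpadded query length, unpadded response length, delay in ms since the previous query).
SITE_A = [(48, 120, 0), (52, 300, 35), (61, 410, 40)]
SITE_B = [(50, 180, 0), (55, 250, 120), (58, 390, 15), (64, 440, 30), (49, 95, 5)]


def observed_footprint(footprint):
    """What an on-path observer can still derive after block padding.

    Message sizes are bucketed by the padding, but the number of queries and the
    gaps between them are unchanged; these are exactly the features the TA attacks
    in the abstract exploit.
    """
    return {
        "query_sizes": [padded_length(q, QUERY_BLOCK) for q, _, _ in footprint],
        "response_sizes": [padded_length(r, RESPONSE_BLOCK) for _, r, _ in footprint],
        "query_count": len(footprint),
        "delays_ms": [d for _, _, d in footprint],
    }


if __name__ == "__main__":
    for name, fp in (("site A", SITE_A), ("site B", SITE_B)):
        print(name, observed_footprint(fp))
```

In this constructed case every query pads to 128 octets and every response to 468, so length alone no longer separates the two sites, yet one issues three queries and the other five, with different timing gaps. Note also that in DoH the observer sees TLS record sizes, which include HTTP/2 framing on top of the padded DNS message; the padded DNS length is only one component of what leaks.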
Keywords
Traffic analysis attacks, DNS over HTTPS, DNS traffic obfuscation, Web fingerprinting, Cyber deception