Liang Wang, Hyojoon Kim, Prateek Mittal, Jennifer Rexford (Princeton University)

In conventional DNS, or Do53, requests and responses are sent in cleartext. Thus, DNS recursive resolvers or any on-path adversaries can access privacy-sensitive information. To address this issue, several encryption-based approaches (e.g., DNS-over-HTTPS) and proxy-based approaches (e.g., Oblivious DNS) were proposed. However, encryption-based approaches put too much trust in recursive resolvers. Proxy-based approaches can help hide the client’s identity, but sets a higher deployment barrier while also introducing noticeable performance overhead. We propose PINOT, a packet-header obfuscation system that runs entirely in the data plane of a programmable network switch, which provides a lightweight, low-deployment-barrier anonymization service for clients sending and receiving DNS packets. PINOT does not require any modification to the DNS protocol or additional client software installation or proxy setup. Yet, it can also be combined with existing approaches to provide stronger privacy guarantees. We implement a PINOT prototype on a commodity switch, deploy it in a campus network, and present results on protecting user identity against public DNS services.

View More Papers

Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses...

Virat Shejwalkar (UMass Amherst), Amir Houmansadr (UMass Amherst)

Read More

Demo #6: Impact of Stealthy Attacks on Autonomous Robotic...

Pritam Dash, Mehdi Karimibiuki, and Karthik Pattabiraman (University of British Columbia)

Read More

WeepingCAN: A Stealthy CAN Bus-off Attack

Gedare Bloom (University of Colorado Colorado Springs) Best Paper Award Winner ($300 cash prize)!

Read More

Polypyus – The Firmware Historian

Jan Friebertshauser, Florian Kosterhon, Jiska Classen, Matthias Hollick (Secure Mobile Networking Lab, TU Darmstad)

Read More