Alec Muffett

Users of DNS over cleartext UDP port 53 (Do53) — i.e. most users of the internet — are at risk from specified privacy and integrity threats, not all of which risks are mitigated by authoritative content signature schemes such as DNSSEC. DNS-over-TLS (DoT) by design does not address several of these risks. DNS-over-HTTPS (DoH) obviates many but not all of the risks, and its transport protocol (i.e. HTTPS) raises historical concerns of privacy due to (e.g.) "cookies." The Tor Network exists to provide TCP circuits with some freedom from tracking, surveillance, and blocking.

Thus: In combination with Tor, DoH, and the principle of "Don't Do That, Then" (DDTT) to mitigate request fingerprinting, I describe DNS over HTTPS over Tor (DoHoT).

Since February 2020, using off-the-shelf open-source software, I have provided DoHoT to my home network. A dnscrypt-proxy caching resolver presents locally as a Do53 resolver that is exclusively configured to make outbound resolution DoH calls over Tor. I have — aside from necessary heartbeats and bootstrap — blocked all outbound port 53 & 853 traffic at my firewall, in order to prevent leaks. I have not sought to prevent other forms of DoH traffic because I am less interested in the challenge of constraining name resolution than I am in enhancing its privacy and integrity.

After an initial five months of testing, tuning, selection of DoH servers, and being forgotten about in the light of world news, in the subsequent seven months (ending February 2021) the DoHoT system has issued more than 1.6 million DoH requests over Tor to a pool of 9 public DoH resolvers, and served an additional 773k responses to clients from cached results. I share performance statistics, a list of technical prejudices that I was told to expect, describe my failure (for the most part) to experience them, and a summary of the experiences of two people relying entirely upon this system for work and personal life during COVID-19 "lockdown".

View More Papers

ROV++: Improved Deployable Defense against BGP Hijacking

Reynaldo Morillo (University of Connecticut), Justin Furuness (University of Connecticut), Cameron Morris (University of Connecticut), James Breslin (University of Connecticut), Amir Herzberg (University of Connecticut), Bing Wang (University of Connecticut)

Read More

Impact Evaluation of Falsified Data Attacks on Connected Vehicle...

Shihong Huang (University of Michigan, Ann Arbor), Yiheng Feng (Purdue University), Wai Wong (University of Michigan, Ann Arbor), Qi Alfred Chen (UC Irvine), Z. Morley Mao and Henry X. Liu (University of Michigan, Ann Arbor) Best Paper Award Runner-up ($200 cash prize)!

Read More

(Short) Spoofing Mobileye 630’s Video Camera Using a Projector

Ben Nassi, Dudi Nassi, Raz Ben Netanel and Yuval Elovici (Ben-Gurion University of the Negev)

Read More