DNS-DNS: DNS-based De-NAT scheme

Liran Orevi, Amir Herzberg, Haim Zlatokrilov

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-reviewed

11 Scopus citations

Abstract

Network Address Translation (NAT) routers aggregate the flows of multiple devices behind a single IP address. By doing so, NAT routers mask the original IP addresses, which is often viewed as a privacy feature, since it makes it harder to identify the communication of individual devices behind the NAT. De-NAT is the reverse process: re-identifying the per-device communication flowing into and out of the NAT. De-NAT can be used for traffic management, security, and lawful surveillance. We show how DNS requests provide an effective De-NAT mechanism by observing queries at an open resolver, in addition to ‘classical’ provider-based De-NAT. This new method allows de-NATing in cases where known schemes fail, e.g., for Windows 8 and 10 hosts, and allows de-NATing by remote DNS resolvers. We analyze use cases where the suggested DNS-based De-NAT is effective, propose a De-NAT algorithm, and evaluate its performance on real (anonymized) traffic. Another contribution is identifying the phenomenon of ‘drum beats’: periodic DNS requests by popular applications and processes. These allow long-term de-NATing and also provide fingerprints identifying specific devices and users. We conclude with recommendations for mitigating de-NATing.
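Added illustration, not code from the paper (the DNS-DNS algorithm itself is not reproduced on this page): a toy Python detector for the ‘drum beats’ the abstract describes, run over constructed resolver log lines of the form `<seconds> <client-ip> <qname>`. For each name a NAT'd client IP queries, it tries candidate periods and checks whether the query timestamps fall into a small number of tight phase clusters; each cluster is one interleaved periodic series, i.e. a candidate device behind the NAT, which gives a lower bound on device count and a per-IP fingerprint of (name, period) pairs. The client address 203.0.113.7, the query names, the 60 s and 90 s periods, the tolerance and occupancy thresholds, and the two-devices-behind-one-NAT scenario are all assumptions made up for the example.

```python
"""Toy 'drum beat' detector for DNS queries seen at a resolver.

Constructed illustration, not the DNS-DNS algorithm from the paper. It
looks for query names that a NAT'd client IP asks for at a fixed period,
estimates the period, and counts how many interleaved periodic series
share that name (each series being a candidate device behind the NAT).
"""
from collections import defaultdict

# Constructed sample resolver log: "<seconds> <client-ip> <qname>".
# Hypothetical scenario: two hosts behind 203.0.113.7 each query
# time.windows.com every 60 s, 17 s apart in phase; a third host queries
# ntp.ubuntu.com every 90 s; everything else is non-periodic noise.
SAMPLE_LOG = """\
0.0   203.0.113.7 time.windows.com.
3.0   203.0.113.7 cdn.example.net
5.0   203.0.113.7 ntp.ubuntu.com
12.0  203.0.113.7 www.example.org
17.0  203.0.113.7 time.windows.com
30.0  203.0.113.7 cdn.example.net
60.0  203.0.113.7 TIME.windows.com
77.0  203.0.113.7 time.windows.com
95.0  203.0.113.7 ntp.ubuntu.com
120.0 203.0.113.7 time.windows.com
137.0 203.0.113.7 time.windows.com
140.0 203.0.113.7 www.example.org
180.0 203.0.113.7 time.windows.com
185.0 203.0.113.7 ntp.ubuntu.com
197.0 203.0.113.7 time.windows.com
200.0 203.0.113.7 cdn.example.net
211.0 203.0.113.7 cdn.example.net
275.0 203.0.113.7 ntp.ubuntu.com
300.0 203.0.113.7 www.example.org
"""


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, qname) tuples.

    qnames are lower-cased and the trailing root dot is stripped so that
    'TIME.windows.com.' and 'time.windows.com' count as the same name.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname = line.split()[:3]
        records.append((float(ts), client, qname.lower().rstrip(".")))
    return records


def phase_clusters(times, period, tol):
    """Group timestamps by phase (t mod period), merging phases within tol.

    Returns a list of clusters (lists of phases). Phases straddling the
    wrap-around at 0/period are merged into one cluster.
    """
    phases = sorted(t % period for t in times)
    clusters = [[phases[0]]]
    for p in phases[1:]:
        if p - clusters[-1][-1] <= tol:
            clusters[-1].append(p)
        else:
            clusters.append([p])
    if len(clusters) > 1 and clusters[0][0] + period - clusters[-1][-1] <= tol:
        clusters[0] = clusters.pop() + clusters[0]
    return clusters


def find_period(times, tol=2.0, min_hits=3, min_occupancy=0.8):
    """Return (period_seconds, series_count) for a periodic series, else None.

    Candidate periods are the pairwise timestamp differences, tried
    smallest first. A period is accepted when every phase cluster is hit
    at least min_hits times and in at least min_occupancy of the period
    windows spanned by the data; the cluster count is the number of
    interleaved periodic series (candidate devices).
    """
    times = sorted(times)
    if len(times) < 2:
        return None
    span = times[-1] - times[0]
    candidates = sorted({round(b - a) for a in times for b in times if b - a > 2 * tol})
    for period in candidates:
        expected = span // period + 1  # windows of this period in the data
        clusters = phase_clusters(times, period, tol)
        if all(len(c) >= min_hits and len(c) / expected >= min_occupancy for c in clusters):
            return period, len(clusters)
    return None


def find_drum_beats(records, min_queries=4, **kw):
    """Map (client_ip, qname) -> (period, series_count) for periodic names."""
    by_key = defaultdict(list)
    for ts, client, qname in records:
        by_key[(client, qname)].append(ts)
    beats = {}
    for key, times in by_key.items():
        if len(times) < min_queries:
            continue
        found = find_period(times, **kw)
        if found:
            beats[key] = found
    return beats


def client_fingerprint(beats, client):
    """Stable fingerprint of a client IP: its periodic names and periods."""
    return tuple(sorted((q, p) for (c, q), (p, _) in beats.items() if c == client))


def min_devices_behind(beats, client):
    """Lower bound on devices behind a client IP: the most interleaved
    series observed for any single periodic name."""
    return max((n for (c, _), (_, n) in beats.items() if c == client), default=0)


if __name__ == "__main__":
    found = find_drum_beats(parse_log(SAMPLE_LOG))
    for (client, qname), (period, n) in sorted(found.items()):
        print(f"{client} {qname}: period {period}s, {n} device(s)")
    print("fingerprint:", client_fingerprint(found, "203.0.113.7"))
    print("at least", min_devices_behind(found, "203.0.113.7"), "devices behind NAT")
```

The occupancy check is what separates a genuine period from a sub-multiple: a 30 s candidate for a 60 s beat produces the same two phase clusters but fills only half its windows, so it is rejected and the smallest period that fills its windows wins. Real resolver logs need a jitter tolerance matched to the client's timer and a minimum observation span of several periods before the device count should be trusted.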

Original language: English
Title of host publication: Cryptology and Network Security - 17th International Conference, CANS 2018, Proceedings
Editors: Panos Papadimitratos, Jan Camenisch
Publisher: Springer Verlag
Pages: 69-88
Number of pages: 20
ISBN (Print): 9783030004330
DOIs
State: Published - 2018
Event: 17th International Conference on Cryptology and Network Security, CANS 2018 - Naples, Italy
Duration: 30 Sep 2018 to 3 Oct 2018

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 11124 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 17th International Conference on Cryptology and Network Security, CANS 2018
Country/Territory: Italy
City: Naples
Period: 30/09/18 to 3/10/18

Bibliographical note

Publisher Copyright:
© Springer Nature Switzerland AG 2018.

Funding

Acknowledgements. Many thanks to Amit Klein for his helpful comments. Many thanks to Roland van Rijswijk-Deij for his support during this project. This work was supported by the Israeli ministry of Science, grant number 3-11857. Part of the data that led to this research was provided by SURFnet, the National Research and Education Network in the Netherlands, https://www.surfnet.nl/en/.

Funder: Israeli Ministry of Science (funder number 3-11857)
