PhD on Privacy Deficiencies of the DNS

In my PhD I focused on the privacy deficiencies of the Domain Name System, inference attacks, behavior-based tracking of users, and lightweight privacy-enhancing technologies for DNS. The title of the thesis is (in German): „Beobachtungsmöglichkeiten im Domain Name System: Angriffe auf die Privatsphäre und Techniken zum Selbstdatenschutz“ (entry in DNB, entry in UHH Informatics Library). The PhD thesis has been published by Springer-Vieweg (ISBN: 978-3-658-13262-0).

I have compiled two German summaries of the PhD thesis:

The PhD thesis has received three research awards: the Dissertationspreis 2014 of the German Informatics Society (Gesellschaft für Informatik) for the best computer science dissertation in Germany, Austria and Switzerland, the GI/CAST Promotionspreis IT-Sicherheit 2014 for the best information-security-related dissertation in Germany, and the Wissenschaftspreis 2014 of Gesellschaft für Datenschutz und Datensicherheit (GDD e.V.), which recognizes significant contributions to privacy.

Summary of the PhD Thesis

In the thesis I demonstrate with empirical experiments that DNS resolvers can determine the websites a user visits. Additionally, I show that information about the operating system, the browser, and the applications running on a user’s machine is leaked due to characteristic properties of their DNS queries. I also demonstrate that third parties (e.g., Google’s Public DNS service) can leverage supervised learning techniques to track the activities of Internet users without their consent, even if users change their IP addresses daily. My behavior-based tracking technique exploits the fact that users exhibit quite regular and characteristic online behaviors that can be used to link their sessions. I also studied to what degree various privacy-enhancing techniques (mix cascades, range queries, very dynamic IP addresses, and caching) can prevent such monitoring and tracking efforts.

The main contributions of the thesis have also been published separately: The behavior-based tracking technique mentioned above has been published in an article that appeared in Computers & Security. The results on range queries have been published in a paper presented at IFIP SEC 2014; additional privacy-enhancing technologies for DNS are discussed in an ESORICS 2011 paper.