Tracking your queries

While hijacking can be dramatic, the more subtle and because of its volume and scope, perhaps more serious issue is tracking.

There are many reasons that a party would want to know your DNS queries, both what was queried and when. This information is part of the “Big Data” that is collected by institutions such as intelligence agencies, marketers, tax collectors, police, and the criminal world, which defines the list.

Those who have and know how to use this information wield significant power. Consider just knowing the DNS queries, and nothing else, what can be surmised.

A set of queries give a glimpse of what site you are on and when to the DNS provider without ever seeing the actual traffic.

A given home, office, or phone’s queries can be collected over time and a number of things can be reasonably assumed.

You may be showing that at a certain time frame you are accessing entertainment sites and of what variety.

Your selection of news, sports, music, religious, or other categories will not only indicate your interests but of what persuasion you are in those interests.

Note that this information is provide to the DNS service provider. Using an encrypted, or HTTPS, has no impact on this and hides nothing. What site you are interacting with is exposed, but not the data you are sharing. You are exposing your metadata, not your data. Remember, the metadata alone gives a huge amount of information about you.

An extremely common technique with web pages and emails is to place a transparent 1 pixel square image on the page. It is not seen, but when you view the page or email a request is made to download the image. You are informing a third party what you are viewing, when and from where.

For the site address of the image, such as “image.example.net”, a DNS query needs to be made. This gives some information to the DNS provider.

By limiting the time that your computer will cache that query to perhaps a second, the Time To Live parameter, each time you view the page a new DNS query will occur.

By using a unique site address for the image, such as “123456789.image.example.net”, particular information is now being exposed to he DNS provider in cooperation with the web page provider.

Many browsers will examine a page that you request and note all links on the page. Where it has not resolved the IP address for any link it will do so before you click so that the resolve time become essentially zero. However, in doing so you are also leaking information about you, since the set of links can be mapped to the specific page or group of pages.

In summary, whether in cooperation with or independent of the web page provider, your DNS queries alone, something that most are unaware is even happening, inform third parties a significant amount of information about you.

This is not benign.

ShofarNexus™ ● ShofarNexus.comShofarNexus.Shofar

The Domain Name System ● What it is to “Resolve”

Domain Names and IP Addresses

Iterative Lookup ● Alice’s computer does it all

Recursive Lookup ● A server does it all

Hijacking a query

Tracking your queries

Secure DNS Server

DNS Filtering

Matryoshka DNS Server