Plaintext DNS reveals every website a user visits regardless of any other encryption (e.g. HTTPS) or anonymity mechanism (e.g. a Virtual Private Network) in use, because the queried hostname is sent in the clear to the resolver. DoH (DNS over HTTPS) was introduced to encrypt these previously plaintext DNS queries and so improve web privacy. In this research, we show that DoH queries still leak the website name. Our attack on DoH is similar to website fingerprinting attacks, in which the site a user visits is predicted from the size and number of the network packets transmitted. Even though DoH messages can be padded, we show that the website name can still be guessed with high accuracy using only the size of each network packet and the number of incoming and outgoing packets.
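The following is an added example illustrating the class of attack the abstract describes; it is not the authors' code, and the per-site lookup templates, the jitter model and the extra-lookup probability are all constructed assumptions. A DoH session is reduced to the two things the abstract names, per-direction packet counts and packet sizes, and a nearest-neighbour classifier is trained on noisy traces. Sizes are padded with the RFC 8467 block sizes (queries to a multiple of 128 octets, responses to a multiple of 468) so the reader can see that padding hides individual query sizes while the counts and the coarse response sizes still separate the sites. TLS record overhead is ignored for simplicity.

```python
"""Website fingerprinting over DoH traffic: an added example, not the authors'
code.  A DoH session is modelled as a list of signed sizes, positive for
client->resolver records and negative for resolver->client ones.  All traces
are constructed; the per-site templates and noise model are assumptions.
"""
import math
import random

# Constructed templates: (query size, response size) in bytes, one pair per
# DNS lookup a page load triggers.  The values are assumptions, not captures.
TEMPLATES = {
    "site-a.example": [(60, 200), (64, 300)],                         # few lookups
    "site-b.example": [(55, 220), (70, 250), (58, 230), (66, 260),
                       (61, 240), (59, 210), (63, 255), (57, 245)],    # many third parties
    "site-c.example": [(62, 600), (68, 1000), (60, 1000), (65, 600)],  # large answers
}

# RFC 8467 recommended block padding for DNS messages: queries to a multiple
# of 128 octets, responses to a multiple of 468 octets.
QUERY_BLOCK, RESPONSE_BLOCK = 128, 468


def pad(size: int, block: int) -> int:
    """Round a DNS message size up to the next block boundary."""
    return block * math.ceil(size / block)


def synth_trace(site: str, rng: random.Random, padding: bool) -> list[int]:
    """Constructed DoH trace for one visit: sizes jitter by up to 8 bytes, and
    one visit in four triggers an extra lookup (e.g. a cache miss for a CDN host)."""
    lookups = list(TEMPLATES[site])
    if rng.random() < 0.25:
        lookups.append((58, 210))
    trace = []
    for q, r in lookups:
        q += rng.randint(-8, 8)
        r += rng.randint(-8, 8)
        if padding:
            q, r = pad(q, QUERY_BLOCK), pad(r, RESPONSE_BLOCK)
        trace += [q, -r]
    return trace


def features(trace: list[int]) -> list[float]:
    """Only what the abstract relies on: per-direction packet counts and sizes."""
    out = [s for s in trace if s > 0]
    inc = [-s for s in trace if s < 0]
    return [len(out), len(inc), sum(out), sum(inc), max(inc, default=0)]


class NearestNeighbour:
    """1-NN over z-scored features; enough to show the leak without an ML library."""

    def fit(self, vectors, labels):
        n = len(vectors[0])
        self.mean = [sum(v[i] for v in vectors) / len(vectors) for i in range(n)]
        self.std = [max(1e-9, math.sqrt(sum((v[i] - self.mean[i]) ** 2
                                            for v in vectors) / len(vectors)))
                    for i in range(n)]
        self.data = [(self._scale(v), label) for v, label in zip(vectors, labels)]
        return self

    def _scale(self, v):
        return [(x - m) / s for x, m, s in zip(v, self.mean, self.std)]

    def predict(self, v) -> str:
        z = self._scale(v)
        return min(self.data, key=lambda d: math.dist(d[0], z))[1]


def run_experiment(padding: bool = True, seed: int = 7,
                   train: int = 8, test: int = 4) -> float:
    """Train on `train` traces per site, return accuracy on `test` held-out
    traces per site, with or without RFC 8467 padding applied."""
    rng = random.Random(seed)
    X, y = [], []
    for site in TEMPLATES:
        for _ in range(train):
            X.append(features(synth_trace(site, rng, padding)))
            y.append(site)
    clf = NearestNeighbour().fit(X, y)
    hits = total = 0
    for site in TEMPLATES:
        for _ in range(test):
            hits += clf.predict(features(synth_trace(site, rng, padding))) == site
            total += 1
    return hits / total


if __name__ == "__main__":
    print("accuracy with RFC 8467 padding:", run_experiment(padding=True))
    print("accuracy without padding:      ", run_experiment(padding=False))
```

With padding, every outgoing query collapses to 128 bytes, so the query sizes alone say nothing; what still separates the constructed sites is how many lookups each triggers and the 468-byte-quantised response sizes, which is exactly the count and size information the abstract says suffices. Real traffic adds TLS record framing, HTTP/2 framing, connection reuse and caching effects that this toy model omits.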
Eric Chan-Tin
Thursday Block I