Computer scientists at the University of Twente in the Netherlands have found that the interaction between the Internet and local networks can be analyzed to reveal private data and facilitate tracking.
in the a study Entitled Saving Brian’s Privacy: the Perils of Privacy Exposure through Reverse DNS, Olivier van der Toorn, Raffaele Sommese, Anna Sperotto, Roland van Rijswijk-Deij and Mattijs Jonker examine how DNS interacts with DHCP and find that some The exchanged data can be revealed through reverse DNS (rDNS) queries.
DHCP is a network management protocol that allows IP addresses to be dynamically assigned to devices on a network. This is a client-server model in which the device joining the network (the client) requests an address from the DHCP server.
The client keeps this address for a set period of time (lease period) or until it sends a release message and leaves the network to allow the assigned IP address to be reassigned. But clients can also leave a network without sending a release message, creating a time gap between the client leaving and the automatic removal of records, providing an opportunity for further rDNS network queries.
Typically, DNS maps host and domain names to IP addresses, a process known as forward DNS, which uses an “A record” to match a domain name such as
theregister.com to an IPv4 address [don’t start – ed.].
Reverse DNS takes a DNS pointer entry (PTR) with an IP address and returns a hostname. For example, if we want to know which hostname is pointing to
126.96.36.199let’s juggle this IPv4 address into a special one
in-addr.arpa Address, look for the PTR record for
188.8.131.52.in-addr.arpaand see that it is
dns.googleGoogle’s public DNS offering.
This also means if we loop through all public IPv4 addresses and look up their reverse DNS, we can get all associated hostnames. In this way, the host names can be determined for devices in university LANs, for example, which are assigned public IP addresses via DHCP.
184.108.40.206 could indicate
220.127.116.11 could be
You don’t even have to scan the entire IP range, just search the IP blocks of institutions or organizations you are interested in.
These hostnames probably won’t give much away in practice, or all those interesting systems you want to know about don’t have public IPs assigned. However, when publicly available hostnames contain sensitive or revealing information and can be read by anyone on the internet via rDNS queries, there is a potential privacy issue, the research team argues.
It gets interesting when you can see the delays in DHCP-issued IP addresses deleting their hostnames and reappearing later, as it gives you an idea of a person’s movements. We leave it up to the readers to decide how high the risk is for their own users and network environments.
Previous research into privacy, the paper’s authors say, has already found that network hostnames can contain information useful to attackers. They cite studies that used rDNS data to derive router and switch connection speeds, network topology, geographic information, and so on. Hostnames can also reveal the hardware used and the name of the user.
The researchers say their work builds on these findings to show that automated and continuous changes to rDNS records via DHCP can reveal client IDs that compromise privacy.
“Our results show a strong association: in 9 out of 10 cases, recordings persist for one hour or less, for a sample of academic, enterprise and ISP networks alike,” the study states. “We also demonstrate how customer patterns and network dynamics can be learned by tracking devices owned by individuals named Brian over time, uncovering shifts in work patterns caused by COVID-19-related work-from-home measures , and by timing it well, staging a robbery.”
The suggestion here is that the ability to track people from the internet via their devices provides an opportunity to rob an associated location if it is not occupied.
Not a new topic
The researchers observe that the privacy risk of DHCP has been recognized since at least 2016 RFC-7844which describes how DHCP clients can remain anonymous on a network.
“Our results not only show that identifiers are indeed transmitted in the wild, but also show that the content contained in identifiers is itself privacy-sensitive,” the paper claims. “For example, the ability to identify a client device’s make and model can be beneficial to experienced attackers, who could use this information to pre-select relevant exploits. Proprietary names, in turn, can associate IP addresses with users that could be used for a variety of malicious purposes.”
Often, the researchers speculate, phone and computer names are revealed via the DHCP hostname parameter. And since people often choose an identifying identifier when setting up devices, this information can be available to criminals using the techniques described.
“We see this as a serious problem that may lie in the network operators’ blind spot,” explained Mattijs Jonker, assistant professor at the Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS) at the University of Twente, in an email to The registry.
“First, the practice of dynamically adding records as devices join and leave a network provides a way for criminals to learn network dynamics and internals remotely, even when traditional mechanisms are in place to stop outsider tracking.
“Let’s assume that a firewall has been placed in front of a campus or corporate network to block ping probes from the internet to devices on the network and prevent outsiders from knowing the presence of devices. This functionality would be undermined if the presence of said devices is signaled by dynamically added records.
“Second, when we look at the content of the recordings ourselves, privacy-sensitive and/or uniquely identifiable device information leaks onto the public internet.”
To demonstrate how people can be tracked, the researchers used rDNA data to track one or more people named Brian across a US university network over a six-week period. The rDNS queries returned hostnames such as brian-air, brian-galaxy-note9, brian-ipad, brian-mbp, and brian-phone.
“The Brians mentioned and followed in the newspaper are real people, although we have made a conscious decision not to identify an individual Brian for privacy reasons,” explained Jonker. “We suspect that in our case we were tracking a limited number of people named Brian (in the network we targeted in our case study).”
We show that observing automated changes to rDNS can provide insights into client presence and network dynamics
Since the Galaxy Note 9 first appeared on the Monday afternoon after the US Thanksgiving holiday, they speculate that one of these Brians bought the device at a sale on or on the Friday after the holiday.
The experts say their study shows that rDNS data can provide insight into the behavior of clients that have received dynamically assigned hostnames. And because these hostnames often match a device owner’s name or reveal other identifying information, connected individuals can be tracked across the Internet.
“Our results are worrying,” they conclude. “While the existing literature has shown that meaningful information can be extracted from hostnames, primarily without considering continuous changes to reverse DNS records, we show that observing automated changes to rDNS provides insights into client presence and network dynamics can.
“The publicity of rDNS greatly increases this risk and allows anyone on the Internet to observe automated changes. An attacker with measurement skills and knowledge of a potential target can gain valuable insights following an approach similar to ours.”
To mitigate these risks, the researchers argue that information provided by the DHCP client, such as device names, should not be mapped to publicly available PTR records. And they are urging network operators to prevent hostname formation from being passed from DHCP to DNS. ®
https://www.theregister.com/2022/09/29/reverse_dns_queries_reveal_too/ Reverse DNS queries reveal too much information, research warns • The Register