Abstract
Martine S. Lenders, Thomas C. Schmidt, Matthias Wählisch,
Secrets Best Not Shared: DNS Privacy Enhancements for the Constrained IoT,
In: Proc. of the 11th IEEE European Symposium on Security and Privacy (EuroS&P), IEEE : Piscataway, NJ, USA, 2026.
Abstract: Several attacks aim at identifying DNS traffic in order to disrupt or compromise Internet services. Prior defenses focused on obfuscating DNS requests by using DNS over TLS, HTTPS, or QUIC to counter such attacks. These protocols conflict with the constrained hardware resources of mass IoT devices. In this paper, we target IETF protocols tailored for the constrained IoT and empirically analyze the potential of hiding DNS traffic. To this end, we create a dataset that includes the DNS resolution process for accessing 58,768 data objects derived from the HTTP Archive. For each object, we consider 296 different deployment scenarios of resolving host names, including DNS over the constrained application layer protocol CoAP and an onion routing flavor. We also compare to DNS over HTTPS. After validating the applicability of six machine learning classifiers to distinguish DNS and data traffic, we continue our analysis with the overall best performing one, Random Forest. Applying a header field analysis based on permutation importances, we identify the header fields that leak the most information to Random Forest. We find that DNS over CoAP with packet lengths equalized by block-wise transfer and without leaking header fields by header compression can reduce the accuracy of identifying DNS frames by Random Forest to 86%. Compressing the DNS message format to fit the constrained use case reduces accuracy further to 77%. Our proposal outperforms DNS over HTTPS, for which the classifier identifies DNS frames with 100% accuracy. We make our dataset publicly available.
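The abstract's central mitigation is equalizing frame lengths through CoAP block-wise transfer, so that a classifier can no longer separate DNS from data by looking at how long a frame is. The following is an added illustration, not the authors' code, dataset or Random Forest classifier: it models only the frame-length feature with a one-feature decision stump over constructed payload sizes, and assumes that the last block of a block-wise transfer is padded to the full block size (the paper does not describe its padding scheme). Once every frame has the same length, the best length-only rule cannot beat the majority-class baseline; the 86% the paper still measures comes from other header fields, which this toy does not model.

```python
"""Constructed illustration: how fixed-size CoAP block-wise transfer removes frame
length as a feature for telling DNS frames from data frames.  Not the paper's
dataset, classifier, or code."""
from collections import Counter
from fractions import Fraction

# Constructed payload sizes in bytes.  True = DNS message, False = data object.
# Illustrative numbers only; they are not taken from the paper's dataset.
DNS_PAYLOADS = [33, 41, 45, 52, 60, 71, 78, 90, 102, 115]
DATA_PAYLOADS = [48, 64, 96, 130, 180, 256, 300, 420, 512, 700, 900, 1024]


def frame_lengths(payload_len, block_size=None, pad_last=False):
    """Payload lengths of the frames that carry one message.

    block_size=None: the message goes out in a single frame.
    block_size=N:    CoAP block-wise transfer splits it into N-byte blocks;
                     the last block is shorter unless pad_last=True, which
                     pads it to N (assumption of this illustration, so that
                     every frame on the wire has the same length).
    """
    if block_size is None:
        return [payload_len]
    frames = []
    remaining = payload_len
    while remaining > 0:
        chunk = min(block_size, remaining)
        frames.append(block_size if pad_last else chunk)
        remaining -= chunk
    return frames


def build_frames(block_size=None, pad_last=False):
    """Every frame of every message, labelled with whether it carries DNS."""
    samples = []
    for p in DNS_PAYLOADS:
        samples += [(n, True) for n in frame_lengths(p, block_size, pad_last)]
    for p in DATA_PAYLOADS:
        samples += [(n, False) for n in frame_lengths(p, block_size, pad_last)]
    return samples


def majority_baseline(samples):
    """Accuracy of always predicting the more frequent class."""
    counts = Counter(is_dns for _, is_dns in samples)
    return Fraction(max(counts.values()), len(samples))


def best_length_threshold_accuracy(samples):
    """Best accuracy of a one-feature decision stump on frame length.

    Tries every observed length t as a threshold with both orientations
    ("DNS iff length <= t" and "DNS iff length > t") and returns the best
    accuracy; this is the strongest classifier that sees only the length.
    """
    best = Fraction(0)
    for t in sorted({n for n, _ in samples}):
        for dns_if_small in (True, False):
            correct = sum(
                ((n <= t) if dns_if_small else (n > t)) == is_dns
                for n, is_dns in samples
            )
            best = max(best, Fraction(correct, len(samples)))
    return best


if __name__ == "__main__":
    plain = build_frames()
    equalized = build_frames(block_size=64, pad_last=True)
    print("single frame per message:",
          f"stump {float(best_length_threshold_accuracy(plain)):.3f}",
          f"baseline {float(majority_baseline(plain)):.3f}")
    print("64-byte padded blocks:   ",
          f"stump {float(best_length_threshold_accuracy(equalized)):.3f}",
          f"baseline {float(majority_baseline(equalized)):.3f}")
```

With the constructed sizes, the length stump reaches 19/22 on single-frame messages but only the majority baseline of 76/91 once every frame is a padded 64-byte block. The baseline is high because large data objects split into many more blocks than DNS messages do, which is a reminder that frame counts and header fields remain as side channels even when lengths are equalized.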
This page generated by bibTOhtml on Mon May 11 12:05:53 AM UTC 2026
