DNS-over-HTTPS (DoH) has been widely adopted by major web browsers to enhance the security and privacy of DNS transactions. To mitigate traffic analysis threats such as website fingerprinting (WFP) attacks, many DoH deployments apply EDNS(0) padding at both the client and resolver. As the padding strategy equalizes DNS data sizes, it diminishes the efficacy of previous WFP attacks that exploit TLS-layer length patterns. Moreover, TLS-level features fail to capture the application-layer behavior of HTTP/2, which underlies DoH communication. In this paper, we propose a novel WFP method for DoH that operates at the application layer. Our approach extracts the sequence of HTTP/2 key frames that encapsulate DNS queries and responses, and then derives time interval features that remain informative even in the presence of padding. Experimental results show that our approach achieves over 87% accuracy in the same-environment settings and maintains robustness across different resolver implementations and operating systems settings. Compared to existing WFP techniques, our method improves accuracy by at least 6% in same-environment tests and 19% in cross-environment scenarios. In addition, we conduct an Internet-scale measurement of 6,617 public DoH resolvers and uncover widespread deficiencies in padding adoption, which exacerbate fingerprint leakage. Based on these findings, we propose practical countermeasures to further strengthen DoH privacy.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Unraveling DoH Traces: Padding-Resilient Website Fingerprinting via HTTP/2 Key Frame Sequences

  • Baiyang Li,
  • Yujia Zhu,
  • Yuedong Zhang,
  • Qingyun Liu,
  • Li Guo

摘要

DNS-over-HTTPS (DoH) has been widely adopted by major web browsers to enhance the security and privacy of DNS transactions. To mitigate traffic analysis threats such as website fingerprinting (WFP) attacks, many DoH deployments apply EDNS(0) padding at both the client and resolver. As the padding strategy equalizes DNS data sizes, it diminishes the efficacy of previous WFP attacks that exploit TLS-layer length patterns. Moreover, TLS-level features fail to capture the application-layer behavior of HTTP/2, which underlies DoH communication. In this paper, we propose a novel WFP method for DoH that operates at the application layer. Our approach extracts the sequence of HTTP/2 key frames that encapsulate DNS queries and responses, and then derives time interval features that remain informative even in the presence of padding. Experimental results show that our approach achieves over 87% accuracy in the same-environment settings and maintains robustness across different resolver implementations and operating systems settings. Compared to existing WFP techniques, our method improves accuracy by at least 6% in same-environment tests and 19% in cross-environment scenarios. In addition, we conduct an Internet-scale measurement of 6,617 public DoH resolvers and uncover widespread deficiencies in padding adoption, which exacerbate fingerprint leakage. Based on these findings, we propose practical countermeasures to further strengthen DoH privacy.