Smart DNS (SDNS) services advertise access to "geofenced" content (typically, video streaming sites such as Netflix or Hulu) that is normally inaccessible unless the client is within a prescribed geographic region. SDNS is simple to use and involves no software installation. Instead, it requires only that users modify their DNS settings to point to an SDNS resolver. The SDNS resolver "smartly" identifies geofenced domains and, in lieu of their proper DNS resolutions, returns IP addresses of proxy servers located within the geofence. These servers then transparently proxy traffic between the users and their intended destinations, allowing for the bypass of these geographic restrictions. This paper presents the first academic study of SDNS services. We identify a number of serious and pervasive privacy vulnerabilities that expose information about the users of these systems. These include architectural weaknesses that enable content providers to identify which requesting clients use SDNS. Worse, we identify flaws in the design of some SDNS services that allow any arbitrary third party to enumerate these services' users (by IP address), even if said users are currently offline. We present mitigation strategies to these attacks that have been adopted by at least one SDNS provider in response to our findings.