Computer scientists at the University of Twente in the Netherlands have discovered that the interaction between the Internet and local networks can be analyzed to reveal private data and facilitate tracking.
In a study titled “Saving Brian’s Privacy: The Perils of Privacy Exposure Through Reverse DNS”, Olivier van der Toorn, Raffaele Sommese, Anna Sperotto, Roland van Rijswijk-Deij and Mattijs Jonker examine how DNS interacts with DHCP and find that some of the data exchanged may be exposed by Reverse DNS (rDNS) queries.
DHCP is a network management protocol that dynamically assigns IP addresses to devices on a network. It uses a client-server model in which the device joining the network (the client) requests an address from the DHCP server.
The client retains this address for a specified time (a lease period) or until it sends a release message and leaves the network, which allows the IP address to be reassigned. But clients can also leave a network without sending a release message, which creates a time gap between the client’s departure and the automated deletion of records, and that gap provides an opportunity to query rDNS further.
Typically, DNS maps host and domain names to IP addresses, a process known as forward DNS, which uses an “A record” to match a domain name like theregister.com to an IPv4 address [don’t start – ed.].
Reverse DNS takes a DNS pointer record (PTR) with an IP address and returns a hostname. For example, if we want to know which hostname points to 188.8.131.52, we rearrange this IPv4 address into a special in-addr.arpa address, find the PTR record for 184.108.40.206.in-addr.arpa, and see that it is dns.google, Google’s public DNS offering.
It also means that if we walk through all public IPv4 addresses, looking up their reverse DNS, we can get all related hostnames. For devices on, for example, university LANs that are assigned public IP addresses via DHCP, their hostnames can therefore be discovered.
220.127.116.11 could indicate
18.104.22.168 could be
You don’t even need to scan the entire IP space, you just focus on the IP blocks of the institutions or organizations you are interested in.
In practice, these hostnames probably won’t reveal much, and not all the interesting systems you want to know about are assigned public IP addresses. However, when public hostnames contain sensitive or revealing information and can be read via rDNS queries by anyone on the Internet, you have a potential privacy issue, the research team argues.
It gets interesting when you can see the timing with which DHCP-issued IP addresses drop their hostnames and then reappear later, because it gives you an idea of someone’s movements. We’ll leave it up to readers to decide how much of a risk this poses to their own users and network environments.
According to the authors of the paper, previous privacy research has already established that network hostnames can contain information useful to adversaries. They point to studies in which rDNS data has been used to infer router and switch link speeds, network topology, geographic information, and more. Hostnames can also reveal the hardware used and the name of the user.
The researchers say their work builds on these findings to show that continuous automated changes to rDNS records, via DHCP, can reveal client identifiers that compromise privacy.
“Our results show a strong link: in 9 out of 10 cases, recordings persisted for at most an hour, for a selection of university, enterprise and ISP networks,” the paper says. “We also demonstrate how customer patterns and network dynamics can be learned, by tracking devices owned by people named Brian over time, revealing changes in work patterns caused by work-from-home metrics related to COVID-19 and determining a good moment to stage a heist.”
The suggestion here is that the ability to track individuals through their devices from the internet makes it possible to burgle an associated location when it is unoccupied.
Not a new problem
The researchers observe that the privacy risk of DHCP has been recognized at least since 2016 in RFC 7844, which describes how DHCP clients can remain anonymous on a network.
“Our results not only demonstrate that identifiers are in fact transmitted in nature, but also reveal that the content contained within identifiers is inherently privacy-sensitive,” the paper asserts. “For example, being able to tell the make and model of a client device can benefit sophisticated attackers, who could use this information to pre-select relevant exploits. Owner names, in turn, can link IP addresses to users, which could be used for several malicious purposes.”
Often, the researchers speculate, phone and computer names are revealed through the DHCP hostname setting. And because people often choose an identifying name when setting up devices, this information may be available to criminals using the techniques described.
“We see this as a serious problem that could very well be in the blind spot of network operators,” explained Mattijs Jonker, assistant professor at the Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS) at the University of Twente, in an email to The Register.
“First, the practice of dynamically adding records as devices join and leave a network provides a means for criminals to remotely learn the dynamics and internals of the network, even if traditional mechanisms to stop tracking by outsiders are in place.
“Suppose a firewall has been placed in front of a campus or corporate network to block ping probes from the Internet to devices inside the network to prevent outsiders from learning of the presence of This function would be compromised if the presence of said devices is signaled by dynamically added records.
“Second, if we look at the content of the recordings itself, privacy-sensitive and/or uniquely identifiable information on the device comes onto the public internet.”
To demonstrate how individuals can be tracked, researchers used rDNS data to track one or more individuals named Brian around a US university network over a six-week period. rDNS queries yielded hostnames such as brians-air, brians-galaxy-note9, brians-ipad, brians-mbp, and brians-phone.
“The Brians mentioned and tracked in the diary are real people, although we deliberately chose not to identify an individual Brian due to privacy concerns,” Jonker explained. “We suspect that in our case, we followed a limited number of people named Brian (in the network we targeted in our case study).”
Because the Galaxy Note 9 first appeared on the Monday afternoon after the Thanksgiving holiday in the US, the researchers assume that one of those Brians bought the device at a sale on the Friday after the holiday or that day.
The boffins say their study shows that rDNS data can provide insight into the behavior of clients who have received dynamically assigned hostnames. And since these hostnames often match the name of a device’s owner or reveal other identifying information, associated individuals can be tracked from the internet.
“Our results are disconcerting,” they conclude. “While the existing literature has shown that meaningful information can be extracted from hostnames primarily without considering continuous changes to reverse DNS records, we reveal that observing automated rDNS changes can provide insight into the customer presence and network dynamics.
“Advertising rDNS greatly increases this risk, allowing anyone on the Internet to observe the automated changes. An adversary with measurement capability and knowledge of a potential target can gain valuable information by following an approach similar to ours.”
To mitigate these risks, the researchers say that information provided by the DHCP client, such as device names, should not be mapped to publicly available PTR records. And they urge network operators to prevent hostname information from propagating from DHCP to DNS. ®
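One way an operator could check their own reverse zone for the leak described above, as an added example that is not code from the paper or the article. The zone lines, the example.edu names, the 192.0.2.0/24 documentation range and the matching heuristics are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: PTR records exported from an operator's own reverse zone.
SAMPLE_ZONE = """\
10.2.0.192.in-addr.arpa. 3600 IN PTR gw1.example.edu.
22.2.0.192.in-addr.arpa. 300 IN PTR brians-iphone.dhcp.example.edu.
23.2.0.192.in-addr.arpa. 300 IN PTR dhcp-192-0-2-23.example.edu.
24.2.0.192.in-addr.arpa. 300 IN PTR annas-galaxy-note9.dhcp.example.edu.
25.2.0.192.in-addr.arpa. 300 IN PTR DESKTOP-4F2K9QA.dhcp.example.edu.
"""

# Heuristics (assumptions, tune per site): possessive owner prefix, device words.
OWNER_RE = re.compile(r"^[a-z]+s-[a-z0-9-]+$")
DEVICE_TOKENS = {"iphone", "ipad", "galaxy", "mbp", "macbook", "air",
                 "phone", "desktop", "laptop"}


def ptr_name_to_ip(owner):
    """Turn '22.2.0.192.in-addr.arpa.' back into the IPv4 address it describes."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {owner}")
    return ipaddress.IPv4Address(".".join(reversed(labels[:4])))


def audit(zone_text):
    """Return (ip, hostname, reasons) for PTR targets that look client-supplied."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3].upper() != "PTR":
            continue  # skip anything that is not 'name ttl class PTR target'
        host = fields[4].rstrip(".")
        label = host.split(".")[0].lower()
        reasons = []
        if OWNER_RE.match(label):
            reasons.append("owner-name")
        if DEVICE_TOKENS & set(label.split("-")):
            reasons.append("device-model")
        if reasons:
            findings.append((str(ptr_name_to_ip(fields[0])), host, reasons))
    return findings


if __name__ == "__main__":
    for ip, host, reasons in audit(SAMPLE_ZONE):
        print(f"{ip:<15} {host:<40} {','.join(reasons)}")
```

Records such as `dhcp-192-0-2-23`, which are derived from the address rather than from the client-supplied name, pass the audit and are the kind of PTR target that does not carry client identifiers.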