User profiling by DNS servers

Supervisor(s)Sebastian Luhn, MSc


The Domain Name System (DNS) is a basic functionality of the web, needed to translate host names into accessible IP addresses. The main protection goal of this system has always been availabilty, with less focus on integrity (although that will be covered by DNSSEC) and confidentiality. Regarding the latter, research has shown that DNS servers gather sufficient data to allow for user profiling to a certain degree – even when using anonymising techniques.

To target integrity, some malware reassigns a computer’s standard DNS server to one of the adversary’s choice, usually to lead the user to fraudulent websites instead of the ones she requested. Also, the Time To Live (TTL), stating how long a DNS entry is valid, can be chosen to suit an adversary’s need.

In this thesis, those different approaches shall be combined, implemented and evaluated. A reassigned DNS server sends out (correct) responses with a short TTL to force the user to send DNS requests more often. It is to be examined whether better user profiling is possible using short TTLs and thus, whether there could be incentives for many DNS server operators to use shorter TTLs in general.


  • Herrmann, D. Beobachtungsmöglichkeiten im Domain-Name-System: Angriffe auf die Privatsphäre und Techniken zum Selbstdatenschutz. 2014.
  • Federrath, H., Gerber, C., and Herrmann, D. Verhaltensbasierte Verkettung von Internetsitzungen. Datenschutz und Datensicherheit (DuD), 35, 11 (2011), 791–796.
  • Herrmann, D., Banse, C., and Federrath, H. Behavior-based Tracking: Exploiting Characteristic Patterns in DNS Traffic. Computers & Security, 39, (2013), 17–33.