Trufflehunter: Cache Snooping Rare Domains at Large Public DNS Resolvers
A. Randall, E. Liu, G. Akiwate, R. Padmanabhan, G. Voelker, S. Savage, and A. Schulman, "Trufflehunter: Cache Snooping Rare Domains at Large Public DNS Resolvers", in ACM Internet Measurement Conference (IMC), Oct 2020.

Audrey Randall (2)
Enze Liu (2)
Gautam Akiwate (2)
Ramakrishna Padmanabhan (1)
Geoffrey Voelker (2)
Stefan Savage (2)
Aaron Schulman (2)

(1) CAIDA, San Diego Supercomputer Center, University of California San Diego
(2) University of California, San Diego (UCSD)

This paper presents and evaluates Trufflehunter, a DNS cache snooping tool for estimating the prevalence of rare and sensitive Internet applications. Unlike previous efforts that have focused on small, misconfigured open DNS resolvers, Trufflehunter models the complex behavior of large multi-layer distributed caching infrastructures (e.g., Google Public DNS). In particular, using controlled experiments, we have inferred the caching strategies of the four most popular public DNS resolvers (Google Public DNS, Cloudflare Quad1, OpenDNS and Quad9). The large footprint of such resolvers presents an opportunity to observe rare domain usage, while preserving the privacy of the users accessing them. Using a controlled testbed, we evaluate how accurately Trufflehunter can estimate domain name usage across the U.S. Applying this technique in the wild, we provide a lower-bound estimate of the popularity of several rare and sensitive applications (most notably smartphone stalkerware) which are otherwise challenging to survey.

Keywords: dns, measurement methodology
  Last Modified: Fri Dec-11-2020 19:47:19 UTC