Using DNS to determine when someone is home — DNS analysis, Part II

Last month, I did a quick write-up on a DNS trace that I had extracted. The trace consisted of all the DNS queries that left my house over a few days. Using that same trace, I noticed that there were many queries to my employer’s domain. This in itself was not unusual, but one particular query caught my eye:

2009-02-08 05:34:02.680383 IP 216.240.7.12.58684 > 208.67.222.222.53: 30554+ A? ap-1.sandvine.com. (35)
2009-02-08 05:34:03.037603 IP 208.67.222.222.53 > 216.240.7.12.58684: 30554 1/0/0 A 216.16.234.191 (51)

This query happened every 10-20 minutes. Tracing it back, I realized it was coming from my mobile phone. This got me thinking: could one determine when I was or was not home with just access to a DNS trace? To answer that, I did a bit of investigation of the address ap-1.sandvine.com.

mike@Janel:~/investigation/homeDns$ dig @ns1.domainmonger.com ap-1.sandvine.com

; <<>> DiG 9.5.0-P2 <<>> @ns1.domainmonger.com ap-1.sandvine.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36335
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ap-1.sandvine.com. IN A

;; ANSWER SECTION:
ap-1.sandvine.com. 60 IN A 216.16.234.191

;; AUTHORITY SECTION:
sandvine.com. 60 IN NS ns1.domainmonger.com.
sandvine.com. 60 IN NS ns2.domainmonger.com.

;; Query time: 92 msec
;; SERVER: 216.98.150.33#53(216.98.150.33)
;; WHEN: Sun Apr 12 12:29:19 2009
;; MSG SIZE rcvd: 100

mike@Janel:~/investigation/homeDns$

From the above, the record for ap-1.sandvine.com has a TTL of 60 seconds, so it is meant to be refreshed every minute. That means my mobile ignores the refresh interval set by the DNS. While interesting to know, it doesn’t help answer my question.

I extracted all queries to ap-1.sandvine.com, the timestamp for each and quickly plotted them with gnuplot.  Next, I pulled my calendar and daily logs and added notes to the graph. The y-axis is irrelevant.  The red dots show when the queries were made and the green arrows and notes are my comments based on my calendar and logs.
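As an added example (not part of the original post, which used gnuplot and hand-written calendar notes), the script below performs the same extraction on tcpdump text output in the format shown above and groups the query timestamps into presence intervals. The trace lines are constructed, and the 60-minute silence threshold is an assumption derived from the 10-20 minute polling interval described in the post.

```python
import re
from datetime import datetime, timedelta

# Matches tcpdump -n DNS query lines of the shape shown in the post ("A?" queries only);
# response lines ("30554 1/0/0 A ...") deliberately do not match.
QUERY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ IP \S+ > \S+: \d+\+ A\? (\S+)\. \(\d+\)$"
)

def query_times(lines, name):
    """Return sorted timestamps of A? queries for `name` from tcpdump text lines."""
    times = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m and m.group(2) == name:
            times.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return sorted(times)

def presence_intervals(times, max_gap=timedelta(minutes=60)):
    """Group timestamps into (first, last) intervals. A silence longer than max_gap
    is read as the device having left the network. The phone in the post polls every
    10-20 minutes, so 60 minutes is a conservative threshold (assumed, not measured)."""
    intervals = []
    for t in times:
        if intervals and t - intervals[-1][1] <= max_gap:
            intervals[-1][1] = t
        else:
            intervals.append([t, t])
    return [tuple(i) for i in intervals]

# Constructed sample trace (not the author's data): present in the morning,
# away all day, back in the evening. One unrelated query is included as noise.
SAMPLE = """\
2009-02-08 05:34:02.680383 IP 216.240.7.12.58684 > 208.67.222.222.53: 30554+ A? ap-1.sandvine.com. (35)
2009-02-08 05:34:03.037603 IP 208.67.222.222.53 > 216.240.7.12.58684: 30554 1/0/0 A 216.16.234.191 (51)
2009-02-08 05:49:11.100000 IP 216.240.7.12.58685 > 208.67.222.222.53: 30555+ A? ap-1.sandvine.com. (35)
2009-02-08 06:05:40.200000 IP 216.240.7.12.58686 > 208.67.222.222.53: 30556+ A? ap-1.sandvine.com. (35)
2009-02-08 06:20:00.300000 IP 216.240.7.12.58687 > 208.67.222.222.53: 30557+ A? www.example.com. (33)
2009-02-08 17:02:15.400000 IP 216.240.7.12.58690 > 208.67.222.222.53: 30560+ A? ap-1.sandvine.com. (35)
2009-02-08 17:18:30.500000 IP 216.240.7.12.58691 > 208.67.222.222.53: 30561+ A? ap-1.sandvine.com. (35)
""".splitlines()

def analyse(lines=SAMPLE, name="ap-1.sandvine.com"):
    """Presence intervals for the device that polls `name`."""
    return presence_intervals(query_times(lines, name))

if __name__ == "__main__":
    for start, end in analyse():
        print(f"device on network {start:%Y-%m-%d %H:%M} .. {end:%H:%M}")
```

Running it on a real `tcpdump -n port 53` text dump is a quick way to audit what a single always-on device on your own network reveals about your schedule.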

A third party could easily determine when I was or was not home with a high degree of certainty. With mobile phones now having Wi-Fi capabilities and connecting to the local wireless network, it becomes trivial to use them as a vector to determine whether someone is home. I ran the same analysis on my wife’s mobile and got similar results (I didn’t add them to the chart here).

Obviously you could use other protocols and do a much more detailed analysis and correlation (or just carry out standard physical surveillance), but DNS is well suited to this because it is required for the Internet to function, it is standardized, and it is not encrypted. This was a relatively simple exercise and reasonably cost-effective. I am not a lawyer, but I suspect, based on the ongoing privacy debate and some recent court decisions, that DNS queries executed by an individual or a business might be considered ‘public’ with no expectation of privacy. I’d argue that with access to DNS information from a particular entity, one could glean interesting information about a competing company.
