This repository accompanies our ACM IMC paper on DNS behavior in consumer IoT devices. It contains datasets, analysis scripts, and experiment configurations used to evaluate DNS security, privacy, and operational practices across a diverse set of real-world IoT devices.
We analyze DNS behavior in a smart home testbed comprising over 30 consumer IoT devices. Our methodology combines:
- Passive Monitoring of DNS queries/responses
- Active Manipulation of DNS responses
Key objectives include:
- Detecting security vulnerabilities (e.g., spoofing risks)
- Assessing DNS caching and retry behaviors
- Evaluating adoption of secure DNS standards (DoH, DoT, DNSSEC)
Devices:
30+ consumer IoT devices categorized into: Cameras, Doorbells, Smart Plugs, Hubs, Speakers, Sensors, Lights, Appliances, Health, and Pet Care.
Examples:
- Cameras: Arlo Pro 4, Blurams, Wyze Cam Pan, Google Nest Cam
- Smart Plugs: Tapo P110, Meross, Belkin
- Speakers: Sonos One, Bose Home 500
- Health: QardioBase, Withings Sleep Analyzer
Infrastructure:
- Unbound DNS Server: Injects crafted DNS responses to test device behavior
- AP Collection Server: Multi-adapter Wi-Fi data collector
- DNS DoS Server: Simulates amplification and resource-record duplication attacks
- Automated Power Control: Synchronizes device restarts
Scripts
- `AnalyzeDNS.ipynb`: Classifies devices by the randomness of their DNS transaction IDs and source ports (Excellent, Good, Poor, None)
- `AnalyzeDNS.py`: Parses .pcap files using Tshark and outputs visualizations
- `Analyze-DNS-IMC.ipynb`: Generates additional metrics (IPv6 %, EDNS0, retries, mDNS)
- `Analyze-DNS-IMC.py`: Full analysis pipeline from captures to plots
Key Metrics & Plots
- Query & Answer Volumes: `dns_query_counts.pdf`, `dns_answer_counts.pdf`
- Caching Behavior: `average_ttl_log.pdf`, `avg_time_between_queries_log.pdf`
- Query Diversity: `dns_query_types.pdf`, `distinct_addresses.pdf`
- Reply Structure: `average_answers_per_frame.pdf`
- Protocol Features: EDNS(0) usage, retry rates, query normalization, mDNS count
We actively manipulate DNS responses to assess device robustness.
- TTL Manipulation: `Experiment_1_ttl_0`, `ttl_0_1`, `ttl_01`, `ttl_01000000000`
- Record Injection: `Experiment_1_A_192_0_2_1`, `CNAME_alias`, `AAAA_2001_0db8_1`
- DNS Flooding & Amplification: `dos_1_answer_x10_replies` through x100, `dos_1_request_1_reply_x10` through x100
These simulate malicious resolver behaviors and test how devices respond to altered DNS answers.
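The check behind the TTL experiments and the `avg_time_between_queries` metric is whether a device re-queries a name before the TTL it was served has expired. The following is an added example, not code from this repository: it reads rows in the shape of a `tshark -T fields` export (the field list is given in the docstring; the sample rows, device addresses and hostnames are constructed for the example, not taken from the dataset) and reports, per device and name, the mean served TTL, the mean re-query gap, and whether the TTL was honored. The 90% tolerance and the rule that a TTL of 0 makes any re-query interval compliant are this example's own assumptions.

```python
"""Caching / TTL-compliance metrics from a tshark field export.

Added example; not the repository's analysis code. It consumes rows of the
kind a command such as

  tshark -r capture.pcap -Y dns -T fields -E separator='|' \
    -e frame.time_epoch -e ip.src -e ip.dst -e udp.srcport \
    -e dns.id -e dns.flags.response -e dns.qry.name -e dns.resp.ttl

produces (one row per DNS frame; a multi-answer reply carries its TTLs
comma-joined in the last field) and asks, per device and name, whether the
device re-queries before the served TTL has expired.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample rows (not data from the dataset). Device .10 is served
# TTL 60 and re-queries every ~61 s; device .20 is served TTL 300 but
# re-queries every 10 s; device .30 is served TTL 0 (as in a ttl_0 run),
# so any re-query interval is compliant for it.
SAMPLE_EXPORT = """\
0.000|192.168.1.10|192.168.1.1|50123|0x1a2b|0|api.example-iot.test|
0.012|192.168.1.1|192.168.1.10|53|0x1a2b|1|api.example-iot.test|60,60
61.000|192.168.1.10|192.168.1.1|50124|0x1a2c|0|api.example-iot.test|
61.011|192.168.1.1|192.168.1.10|53|0x1a2c|1|api.example-iot.test|60,60
122.000|192.168.1.10|192.168.1.1|50125|0x1a2d|0|api.example-iot.test|
122.010|192.168.1.1|192.168.1.10|53|0x1a2d|1|api.example-iot.test|60,60
0.000|192.168.1.20|192.168.1.1|40000|0x0001|0|cloud.example-iot.test|
0.009|192.168.1.1|192.168.1.20|53|0x0001|1|cloud.example-iot.test|300
10.000|192.168.1.20|192.168.1.1|40000|0x0002|0|cloud.example-iot.test|
10.008|192.168.1.1|192.168.1.20|53|0x0002|1|cloud.example-iot.test|300
20.000|192.168.1.20|192.168.1.1|40000|0x0003|0|cloud.example-iot.test|
20.010|192.168.1.1|192.168.1.20|53|0x0003|1|cloud.example-iot.test|300
0.000|192.168.1.30|192.168.1.1|33000|0x7f00|0|ota.example-iot.test|
0.010|192.168.1.1|192.168.1.30|53|0x7f00|1|ota.example-iot.test|0
5.000|192.168.1.30|192.168.1.1|33001|0x7f01|0|ota.example-iot.test|
5.010|192.168.1.1|192.168.1.30|53|0x7f01|1|ota.example-iot.test|0
"""

# Assumption: a re-query gap below 90% of the served TTL counts as ignoring it.
TTL_TOLERANCE = 0.9


def _parse_txid(text):
    """tshark prints dns.id as 0x-prefixed hex; accept plain decimal too."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def parse_export(text, sep="|"):
    """Turn tshark field rows into dicts; a multi-answer reply's TTL is its minimum."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, txid, is_resp, qname, ttl = line.split(sep)
        rows.append({
            "time": float(t),
            "src": src,
            "dst": dst,
            "sport": int(sport),
            "txid": _parse_txid(txid),
            # older tshark prints 1/0 for booleans, newer prints True/False
            "is_response": is_resp in ("1", "True"),
            "qname": qname.lower().rstrip("."),
            "ttl": min(int(v) for v in ttl.split(",")) if ttl else None,
        })
    return rows


def caching_metrics(rows):
    """Per (device, qname): query count, mean served TTL, mean re-query gap, TTL honored?"""
    query_times = defaultdict(list)   # (device, qname) -> query timestamps
    served_ttls = defaultdict(list)   # (device, qname) -> TTLs the device was given
    for r in rows:
        if r["is_response"]:
            if r["ttl"] is not None:
                served_ttls[(r["dst"], r["qname"])].append(r["ttl"])
        else:
            query_times[(r["src"], r["qname"])].append(r["time"])

    report = {}
    for key, times in query_times.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        ttl = mean(served_ttls[key]) if served_ttls[key] else None
        if ttl is None or not gaps:
            honors = None          # a single query or no reply: nothing to judge
        elif ttl == 0:
            honors = True          # TTL 0 means "do not cache", so re-querying is correct
        else:
            honors = all(g >= TTL_TOLERANCE * ttl for g in gaps)
        report[key] = {
            "queries": len(times),
            "mean_ttl": ttl,
            "mean_gap": round(mean(gaps), 3) if gaps else None,
            "honors_ttl": honors,
        }
    return report


if __name__ == "__main__":
    for (dev, name), m in sorted(caching_metrics(parse_export(SAMPLE_EXPORT)).items()):
        print(f"{dev:14} {name:24} queries={m['queries']} ttl={m['mean_ttl']} "
              f"gap={m['mean_gap']} honors_ttl={m['honors_ttl']}")
```

Pairing each response to a device by `ip.dst` rather than by transaction ID keeps the check simple; when the resolver is deliberately serving crafted TTLs (as the Unbound server in this testbed does), the served TTL is known and the only question is the device's re-query interval.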
Key Findings:
- Security Vulnerabilities:
  - Predictable transaction IDs
  - Non-randomized source ports
  - Weak entropy leading to spoofing risks
- Operational Issues:
  - High DNS query rates
  - Ignoring TTL values
  - Hardcoded resolvers and erratic retry logic
- Lack of Modern DNS Features:
  - Poor support for DoH, DoT, DNSSEC across many devices
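The spoofing risk in the first group comes from how little an off-path attacker has to guess: a forged answer is accepted if it matches the 16-bit transaction ID and the UDP source port of an outstanding query, so a counter-like ID or a fixed port collapses that search space (RFC 5452 asks for both to be unpredictable). The following is an added example, not the `AnalyzeDNS` scripts, of how such observations can be graded into the four labels the README uses: it scores each field by the Shannon entropy of the observed values (normalized so that all-distinct samples score 1.0), forces the score to zero when the field is constant or advances by a fixed step, and averages the two. The scoring rule, the thresholds and the four synthetic device traces are this example's assumptions.

```python
"""Grade DNS source-entropy (transaction ID and UDP source port) per device.

Added example; not the repository's AnalyzeDNS scripts. The grade labels
(Excellent, Good, Poor, None) are the ones the README lists; the scoring
rule, thresholds and sample traces below are this example's own assumptions.
"""
import math
import random
from collections import Counter


def normalized_entropy(values):
    """Shannon entropy of the observed values, scaled so 1.0 = all distinct."""
    n = len(values)
    if n < 2:
        return 0.0
    counts = Counter(values)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def is_sequential(values, width_bits=16):
    """True when every step between consecutive values is the same non-zero delta
    (a plain counter, with wrap-around handled modulo the field width)."""
    if len(values) < 2:
        return False
    mask = (1 << width_bits) - 1
    steps = {(b - a) & mask for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 not in steps


def field_score(values, width_bits=16):
    """Assumed rule: a counter-like field is worth nothing even though every
    value is distinct; otherwise use the normalized entropy (constant -> 0)."""
    if is_sequential(values, width_bits):
        return 0.0
    return normalized_entropy(values)


def grade_device(txids, sports):
    """Average the two field scores and map to a label (assumed thresholds)."""
    txid_score = field_score(txids)
    sport_score = field_score(sports)
    score = (txid_score + sport_score) / 2
    if score >= 0.9:
        label = "Excellent"
    elif score >= 0.6:
        label = "Good"
    elif score > 0.1:
        label = "Poor"
    else:
        label = "None"
    return {"txid_score": round(txid_score, 3), "sport_score": round(sport_score, 3),
            "score": round(score, 3), "grade": label}


def constructed_devices(n=64, seed=1):
    """Synthetic (TXID, source port) traces, not dataset observations, one per grade."""
    rng = random.Random(seed)
    pool = [0x1111, 0x2222, 0x3333, 0x4444, 0x5555, 0x6666, 0x7777, 0x8888]
    return {
        # both fields drawn uniformly: what a resolver library should do
        "random_both": ([rng.randrange(1 << 16) for _ in range(n)],
                        [rng.randrange(1024, 1 << 16) for _ in range(n)]),
        # TXID cycles through 8 values, port is random
        "small_txid_pool": ([pool[i % len(pool)] for i in range(n)],
                            [rng.randrange(1024, 1 << 16) for _ in range(n)]),
        # random TXID but a single fixed source port
        "random_txid_fixed_port": ([rng.randrange(1 << 16) for _ in range(n)], [53] * n),
        # incrementing TXID and fixed port: fully predictable
        "counter_txid_fixed_port": ([(0x1000 + i) & 0xFFFF for i in range(n)], [5353] * n),
    }


def grade_all(devices=None):
    """Grade every device trace; returns {device_name: grade_device(...)}."""
    devices = devices or constructed_devices()
    return {name: grade_device(t, s) for name, (t, s) in devices.items()}


if __name__ == "__main__":
    for name, g in grade_all().items():
        print(f"{name:26} txid={g['txid_score']:.2f} sport={g['sport_score']:.2f} "
              f"score={g['score']:.2f} -> {g['grade']}")
```

On real captures the inputs would be the `dns.id` and `udp.srcport` columns of each device's outgoing queries; 64 samples cannot measure 16 bits of entropy directly, which is why the score is normalized to the sample size and why the explicit counter check matters, since a counter is all-distinct yet trivially guessable.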
If you use this dataset or analysis scripts, please cite our paper:
Under review at ACM IMC Conference, 2025. Title withheld for double-blind review.
This repository is licensed under [LICENSE_TYPE]. Scripts for analysis depend on Python, Jupyter, and Tshark.
The datasets are available at: https://anonymous.4open.science/r/dns_guidelines-91DD
For questions, contact us through the GitHub Issues page.