
arxiv: 1907.04023 · v1 · pith:3GNK6NP4new · submitted 2019-07-09 · 💻 cs.CR · cs.NI

Analysing Censorship Circumvention with VPNs via DNS Cache Snooping

Pith reviewed 2026-05-25 00:38 UTC · model grok-4.3

classification 💻 cs.CR cs.NI
keywords DNS cache snooping · VPN · censorship circumvention · domain access · China · Iran · Turkey · Indonesia

The pith

DNS cache snooping on VPN servers reveals which censored domains users actually access.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper aims to demonstrate that DNS cache snooping can identify the specific websites people reach when routing traffic through VPN services. This works because certain VPN providers run their own DNS servers, so any cached domain queries must come from their users. The authors test three snooping approaches, select the most reliable one, and apply it to major providers while checking both popular sites and domains known to face blocks in China, Indonesia, Iran, and Turkey. A reader would value the result because it supplies measurable evidence of how VPNs serve censorship circumvention instead of relying on stories or self-reports. The work also supplies a repeatable way to gauge query frequency on those servers.

Core claim

We use DNS cache snooping to determine what domains people are accessing through VPNs. Some VPNs operate their own DNS servers, ensuring that any cached queries were made by users of the VPN. We explore 3 methods of DNS cache snooping and use the most reliable of the methods to perform a DNS cache snooping scan against the DNS servers of several major VPN providers. With this we discover which domains are actually accessed through VPNs. We run this technique against popular domains, as well as those known to be censored in certain countries; China, Indonesia, Iran, and Turkey. Our work gives a glimpse into what users use VPNs for, and provides a technique for discovering the frequency with a

What carries the argument

DNS cache snooping, a method that checks whether a DNS server has recently resolved a given domain name and thereby infers prior user queries.

If this is right

  • The chosen snooping method can list specific censored domains reached through each tested VPN.
  • The scan produces evidence of real query frequency for both popular and restricted sites on VPN DNS servers.
  • The technique distinguishes usage patterns across the four examined countries.
  • Repeating the scan on additional providers would enlarge the picture of VPN traffic.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Repeated scans over time could track whether VPN usage for particular censored sites rises or falls with policy changes.
  • The same cache-checking approach could be tried on other privacy tools that maintain custom resolvers.
  • Aggregate results might help evaluate how effective current blocks remain once VPN adoption grows.

Load-bearing premise

VPN providers run their own DNS servers whose caches contain only queries made by their own users.

What would settle it

A controlled test in which known VPN users query censored domains yet the provider's DNS server shows no corresponding cache entries, or entries that trace to non-VPN traffic.

Figures

Figures reproduced from arXiv: 1907.04023 by Alexander Darer, Joss Wright, Oliver Farnan.

Figure 1: Most frequently accessed domains. For each domain we calculate the Poisson arrival rate, λ, of x, where x is the number of events in a fixed time period. The Poisson distribution is chosen in our initial modelling as an appropriate function for modelling count data, under the assumption that the variance and mean of the arrival rate are equal. If we were to require more specific characterisation of features…
Figure 2: Most frequently accessed domains (Indonesia)
Figure 3: Most frequently accessed domains (Turkey)
Figure 5: Most frequently accessed domains (Chinese language)

Original abstract

Anecdotal evidence suggests an increasing number of people are turning to VPN services for the properties of privacy, anonymity and free communication over the internet. Despite this, there is little research into what these services are actually being used for. We use DNS cache snooping to determine what domains people are accessing through VPNs. This technique is used to discover whether certain queries have been made against a particular DNS server. Some VPNs operate their own DNS servers, ensuring that any cached queries were made by users of the VPN. We explore 3 methods of DNS cache snooping and briefly discuss their strengths and limitations. Using the most reliable of the methods, we perform a DNS cache snooping scan against the DNS servers of several major VPN providers. With this we discover which domains are actually accessed through VPNs. We run this technique against popular domains, as well as those known to be censored in certain countries; China, Indonesia, Iran, and Turkey. Our work gives a glimpse into what users use VPNs for, and provides a technique for discovering the frequency with which domain records are accessed on a DNS server.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The manuscript presents an empirical measurement study that applies DNS cache snooping to the resolvers operated by several major VPN providers. It evaluates three snooping techniques, selects the most reliable, and uses it to scan for both popular domains and domains known to be censored in China, Indonesia, Iran, and Turkey, with the goal of identifying which domains are actually queried by VPN users.

Significance. If the attribution of cache hits to VPN users can be substantiated and the method validated, the work would supply a practical technique for studying real-world VPN usage patterns in censorship circumvention. The empirical focus and application of an existing measurement primitive to VPN infrastructure are positive features, but the current absence of validation data substantially reduces the strength of the reported discoveries.

major comments (3)
  1. [Abstract] Abstract: the premise that 'Some VPNs operate their own DNS servers, ensuring that any cached queries were made by users of the VPN' is stated without any supporting measurement (e.g., whether the resolvers answer recursive queries from arbitrary source IPs, whether they appear in public DNS, or provider documentation on exclusivity). This assumption is load-bearing for the claim that positive cache hits constitute evidence of VPN-user activity.
  2. [Methods description] The section describing the three DNS cache snooping methods: the abstract asserts that one method is 'most reliable' and that scans were performed, yet no quantitative comparison, false-positive rates, or ground-truth validation against known query logs is supplied to justify the selection or to bound the accuracy of the subsequent domain-discovery results.
  3. [Scan results] The scan-results section: reported hits on censored domains are presented without discussion of alternative explanations (infrastructure queries, public recursive access, or provider-internal traffic), leaving the attribution of results to VPN users untested.
minor comments (1)
  1. [Abstract] The abstract refers to 'several major VPN providers' without naming them or stating the exact count; adding this information would improve reproducibility.

Simulated Author's Rebuttal

3 responses · 1 unresolved

We thank the referee for the constructive comments. We address each major point below and indicate planned revisions to the manuscript.

point-by-point responses
  1. Referee: [Abstract] Abstract: the premise that 'Some VPNs operate their own DNS servers, ensuring that any cached queries were made by users of the VPN' is stated without any supporting measurement (e.g., whether the resolvers answer recursive queries from arbitrary source IPs, whether they appear in public DNS, or provider documentation on exclusivity). This assumption is load-bearing for the claim that positive cache hits constitute evidence of VPN-user activity.

    Authors: The selection of VPN providers was based on their public statements and documentation indicating operation of private DNS resolvers exclusively for customers. We did not include explicit measurements of resolver accessibility in the submitted version. In revision we will add a methods subsection with references to provider documentation and any checks performed to confirm the resolvers are not publicly recursive. revision: yes

  2. Referee: [Methods description] The section describing the three DNS cache snooping methods: the abstract asserts that one method is 'most reliable' and that scans were performed, yet no quantitative comparison, false-positive rates, or ground-truth validation against known query logs is supplied to justify the selection or to bound the accuracy of the subsequent domain-discovery results.

    Authors: The manuscript provides a qualitative comparison of the three methods and their limitations. We agree that quantitative metrics would improve rigor. We will add a table summarizing observed consistency and probe behavior across the methods. Ground-truth validation against provider query logs is not feasible without direct access, which was unavailable; this limitation will be stated explicitly. revision: partial

  3. Referee: [Scan results] The scan-results section: reported hits on censored domains are presented without discussion of alternative explanations (infrastructure queries, public recursive access, or provider-internal traffic), leaving the attribution of results to VPN users untested.

    Authors: We will expand the results section with a new subsection addressing alternative explanations, including why infrastructure or internal traffic is unlikely to produce the observed pattern of censored-domain hits given the provider selection criteria and domain lists used. revision: yes

standing simulated objections not resolved
  • Provision of ground-truth validation against actual VPN provider query logs, as this data is not accessible to external researchers without provider cooperation.

Circularity Check

0 steps flagged

No circularity: empirical measurement study with no derivations or fitted parameters

full rationale

The paper performs DNS cache snooping scans on VPN providers' resolvers to observe cached domains. It states the premise that 'Some VPNs operate their own DNS servers, ensuring that any cached queries were made by users of the VPN' but supplies no equations, fitted parameters, self-citations, or uniqueness theorems. The central claim is a direct empirical observation under that premise; it does not reduce to any input by construction, renaming, or self-referential fit. This is a standard measurement study whose validity rests on external verifiability of the resolver exclusivity assumption rather than internal circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that VPN-operated DNS servers only cache queries from their own users. No free parameters or invented entities are introduced.

axioms (1)
  • domain assumption Some VPNs operate their own DNS servers, ensuring that any cached queries were made by users of the VPN.
    This premise is stated directly in the abstract as the justification for applying cache snooping to VPN DNS servers.

