Audrey Randall

About Me

I am a PhD student at the University of California San Diego (UCSD), working with Aaron Schulman, Geoff Voelker, and Stefan Savage.

Research Interests

Internet Measurement | Security | Privacy | Networking

Current Projects

DNS Interception

While working on Trufflehunter, we discovered that some of our queries were getting intercepted before they could arrive at the resolver we sent them to. Furthermore, the responses we received were spoofed to look like they had come from the query's original destination. The responses were not otherwise changed: this interception is transparent from the point of view of the users. Upon investigation, we discovered the culprit: our own Customer Premises Equipment (CPE), also known as a home router. We conducted a measurement study to find out if this interception happens anywhere else, and if so, where in the network the interceptors are located. Our results were published at IMC 2021 in a short paper entitled Home is Where the Hijacking Is: Understanding DNS Interception by Residential Routers.

Bounce Tracking

Some browsers, such as Safari, Firefox, and Brave, are moving towards blocking third-party tracking cookies by default. Trackers have responded by developing new techniques for tracking users between websites. For example, say a tracker wishes to track a user from website A to website B. The tracker can manipulate the link on A that points to B, by stuffing a user identifier into a query parameter in the link when it is clicked. The tracker could also redirect the link: instead of taking the user directly to site B, the link redirects from site A to site "track.com" to site B. Visiting "track.com" as a top level frame allows the tracker to set a cookie in a first party context. This redirection-based technique is called "bounce tracking." During an internship with Brave Software, we crawled the web to measure the prevalence of bounce tracking and query stuffing. This work is currently ongoing.

Blockchain DNS

Traditional DNS relies on centralized entities (registries and registrars) that control who can purchase domain names. These entities have the power to remove domain names from zone files and prevent them from being accessed. Due to a perception that this power can lead to censorship, "blockchain DNS" has arisen as a censorship-proof alternative to traditional DNS. In blockchain DNS, DNS records are stored within various blockchains, which means no central organization has the ability to remove them. Unfortunately, this arrangement has proven attractive to malware authors, who use blockchain DNS to record the records of their command and control servers. By some estimates, the majority of domains in some DNS-supporting blockchains are associated with malware. We intend to study this ecosystem and present possible solutions to the rampant abuse. This work is ongoing.

Selected Past Projects

Trufflehunter

Certain phenomena on the Internet, such as the prevalence of stalkerware, contract cheating services, or phishing domains, are difficult to measure because of their sensitive and rare natures. However, all of these phenomena are visible within the Domain Name System. With the rise of public DNS resolvers such as Google Public DNS, Cloudflare DNS OpenDNS, and Quad9, a new opportunity has arisen to study the prevalence of such occurrences using DNS cache sniffing. Cache sniffing on public resolvers, in contrast to previous work published on small, misconfigured open resolvers, can yield far more information, while at the same time preserving privacy. However, public resolvers have complex and unique caching behaviors that also make cache sniffing far more difficult. We studied the caching strategies of four public DNS resolvers and present a method for using DNS cache sniffing on each of them. We then built a tool, Trufflehunter, to estimate the popularity of the aforementioned applications, which is difficult to measure by other means. This work was published at IMC 2020.

Network Hygiene

Common security advice includes injunctions such as "Update your operating system," "run antivirus," and "change your passwords frequently." However, there isn't much information available about if this advice actually lowers a user's chances of getting infected by malware. Working with a unique network vantage point, we measured the correlations between user behaviors and infection rates to see what behavioral factors are actually likely to get you owned online. This work was published at IMC 2019.