Encrypted DNS Traffic

What is Encrypted DNS Traffic?

Encrypted DNS traffic secures the process of translating domain names into IP addresses. By encrypting this communication, it prevents interception and manipulation by unauthorized parties. In fraud prevention, this ensures that traffic sources are legitimate and not hijacked by bots, as analyzing DNS metadata helps verify user authenticity without compromising privacy.

How Encrypted DNS Traffic Works

User Click on Ad
        β”‚
        β–Ό
   [ DNS Query ] ───────────→ Encrypted via DoH/DoT Protocol
                                    β”‚
                                    β–Ό
+-----------------------------------+
|   Traffic Protection System       |
|  (Analyzes DNS Metadata & TLS)    |
+-----------------------------------+
        β”‚
        β”œβ”€β–Ί [Rule: High-Risk Resolver?] β†’ Yes β†’ [BLOCK]
        β”‚
        β”œβ”€β–Ί [Rule: Geo-Mismatch?] ──────→ Yes β†’ [BLOCK]
        β”‚
        β”œβ”€β–Ί [Rule: Bot-like Pattern?]──→ Yes β†’ [BLOCK]
        β”‚
        β–Ό
     [ALLOW]
        β”‚
        β–Ό
Legitimate DNS Resolution β†’ [Landing Page]
Encrypted DNS is a foundational element in modern traffic security, shifting fraud detection from easily spoofed data points to more reliable network-level signals. The process focuses on analyzing the metadata and context of a DNS request rather than its content, which remains private. This allows for effective bot detection without compromising user privacy. By scrutinizing how a DNS request is made, where it comes from, and its technical characteristics, security systems can identify fraudulent activity that would otherwise be hidden.

Initial Request and Encryption

When a user clicks on an ad, their device initiates a DNS query to find the server’s IP address. With encrypted DNS protocols like DNS over HTTPS (DoH) or DNS over TLS (DoT), this query is wrapped in a secure TLS tunnel before it leaves the device. This encryption prevents on-path observers, such as ISPs or attackers on the network, from reading or altering the request. For fraud detection, this means the system can trust that the query’s metadata has not been tampered with en route.

Metadata Analysis by Security Systems

A traffic protection system doesn’t need to decrypt the DNS query to assess its legitimacy. Instead, it analyzes the metadata associated with the encrypted connection. This includes the IP address of the DNS resolver the user is connecting to, the parameters of the TLS handshake (which can be fingerprinted), the timing and frequency of queries, and the geographic location of the resolver. This information is compared against known fraud patterns. For instance, queries from data center IPs are highly indicative of bots.

Verification and Filtering

Based on the metadata analysis, the system applies a set of rules to score the traffic’s authenticity. If the DNS resolver is on a known blocklist (e.g., associated with proxies or data centers), the traffic is flagged as fraudulent. If there’s a mismatch between the resolver’s location and the user’s IP location, or if the query patterns match those of known botnets, the system can block the request before it results in a billable click. Legitimate traffic that passes these checks is allowed to resolve, ensuring a clean and secure user experience.

Diagram Element Breakdown

User Click and DNS Query

This represents the starting point of the ad interaction. The subsequent DNS query is the first network-level action that a security system can analyze to determine if the click originated from a real human or an automated bot.

Encryption via DoH/DoT Protocol

This step highlights the core concept. DoH and DoT wrap the DNS query in a standard encryption layer (HTTPS or TLS). While this protects user privacy from eavesdroppers, it also presents a challenge for security systems, forcing them to rely on metadata analysis instead of content inspection.

Traffic Protection System

This is the fraud detection engine. It does not look inside the encrypted query. Instead, it inspects the “envelope”β€”the resolver’s IP, TLS fingerprint, and behavioral patternsβ€”to assess risk. This allows it to identify suspicious traffic without violating privacy.

Rule-Based Filtering

This shows the decision-making logic. The system applies rules based on signals that strongly correlate with fraud. These rules are designed to catch common bot tactics, such as hiding behind data center resolvers or using mismatched geographic locations, to generate fake clicks.

Allow/Block Decision

This is the final output. Based on the rule evaluation, the system either blocks the fraudulent request, preventing ad spend waste, or allows the legitimate user to proceed to the landing page. This filtering happens at the earliest stage, making it highly efficient.

🧠 Core Detection Logic

Example 1: DNS Resolver Reputation Check

This logic identifies fraudulent traffic by checking the source of the DNS query. Bots often run in data centers, not on residential devices. This code checks if the IP address of the DNS resolver used for the click belongs to a known data center, which is a strong signal of non-human traffic.

FUNCTION check_resolver_reputation(resolver_ip):
  // List of ASNs known to belong to data centers/hosting providers
  DATACENTER_ASN_LIST = ["ASN15169", "ASN16509", "ASN396981"]

  resolver_asn = get_asn(resolver_ip)

  IF resolver_asn IN DATACENTER_ASN_LIST:
    RETURN "fraudulent"
  ELSE:
    RETURN "legitimate"
  END IF
END FUNCTION

Example 2: Session Heuristics and Geo Mismatch

This logic detects fraud by finding inconsistencies in a user’s session data. A real user’s IP address and their DNS resolver are typically in the same country. A mismatch often indicates the use of a proxy or VPN to disguise traffic, a common tactic in sophisticated bot attacks.

FUNCTION check_geo_mismatch(user_ip, resolver_ip):
  user_country = get_country_from_ip(user_ip)
  resolver_country = get_country_from_ip(resolver_ip)

  IF user_country != resolver_country:
    // Flag for further analysis or block immediately
    RETURN "suspicious_geo_mismatch"
  ELSE:
    RETURN "ok"
  END IF
END FUNCTION

Example 3: TLS Fingerprinting (JA3/JARM)

This logic identifies the client application that made the encrypted request. Different applications (browsers, bots) create unique TLS handshake signatures. By matching the signature (known as a JA3 or JARM hash) against a database of known bot tools, this logic can detect non-human traffic without decrypting the payload.

FUNCTION analyze_tls_fingerprint(tls_handshake_data):
  // Database of fingerprints from known botnets and automation tools
  KNOWN_BOT_FINGERPRINTS = ["e7d4f1a2...", "a4f6b3c8...", "f9e1d0g7..."]

  client_fingerprint = generate_jarm_hash(tls_handshake_data)

  IF client_fingerprint IN KNOWN_BOT_FINGERPRINTS:
    RETURN "bot_detected"
  ELSE:
    RETURN "human_traffic"
  END IF
END FUNCTION

πŸ“ˆ Practical Use Cases for Businesses

  • Campaign Shielding: Actively filter out invalid traffic originating from data centers and known proxies by analyzing DNS resolver information, directly protecting ad budgets from being wasted on non-human interactions.
  • Data Integrity: Ensure marketing analytics are based on real human behavior. By weeding out bot-driven sessions at the DNS level, businesses can trust their conversion rates, user engagement metrics, and site statistics.

  • Return on Ad Spend (ROAS) Improvement: Increase campaign efficiency by ensuring ads are served only to legitimate users. Blocking fraudulent clicks at the earliest stage means that ad spend is concentrated on audiences with real conversion potential.

  • Blocking Sophisticated Bots: Identify and block advanced bots that mimic human behavior. Techniques like TLS fingerprinting can unmask automated clients even when their IP addresses appear legitimate, protecting against complex fraud schemes.

Example 1: Geolocation Mismatch Rule

This rule is used to automatically flag or block clicks where the user’s apparent location (from their IP address) is different from their DNS resolver’s location. This is a common indicator of proxy or VPN usage, which is often employed to commit ad fraud.

RULE ad_traffic_filter_geo_mismatch
  WHEN
    click.user_ip.country != click.dns_resolver.country
  THEN
    BLOCK TRAFFIC
    REASON "Geographic mismatch between user and DNS resolver."
END RULE

Example 2: Session Scoring with DNS Reputation

This logic assigns a risk score to an incoming click based on multiple factors, including the reputation of the DNS resolver. If the resolver is associated with a data center or known for malicious activity, the risk score increases, potentially leading to the click being invalidated.

FUNCTION calculate_risk_score(click_event):
  score = 0
  
  // Check if DNS resolver is from a known datacenter
  IF is_datacenter_ip(click_event.dns_resolver.ip):
    score += 50
  
  // Check if resolver is on a threat intelligence blocklist
  IF is_on_blocklist(click_event.dns_resolver.ip):
    score += 30

  // Check for geo mismatch
  IF click_event.user_ip.country != click_event.dns_resolver.country:
    score += 20

  RETURN score
END FUNCTION

🐍 Python Code Examples

This Python function simulates checking a DNS resolver’s IP address against a predefined blocklist of IPs known to be associated with data centers or malicious actors. This is a primary step in filtering out non-human traffic from ad campaigns.

# A list of known fraudulent or non-human IP addresses (e.g., from data centers)
DNS_RESOLVER_BLOCKLIST = {
    "8.8.8.8",  # Example: Google DNS (often legitimate, but used for illustration)
    "1.1.1.1",  # Example: Cloudflare DNS
    "208.67.222.222", # Example: OpenDNS
    "94.140.14.14" # AdGuard DNS
}

def filter_by_resolver_blocklist(resolver_ip: str) -> bool:
    """
    Checks if the resolver IP is in a known blocklist.
    Returns True if the IP should be blocked, False otherwise.
    """
    if resolver_ip in DNS_RESOLVER_BLOCKLIST:
        print(f"FLAGGED: Resolver {resolver_ip} is on the blocklist.")
        return True
    print(f"OK: Resolver {resolver_ip} is not on the blocklist.")
    return False

# --- Simulation ---
suspicious_click_resolver = "94.140.14.14"
legitimate_click_resolver = "192.168.1.1" # A typical local resolver

filter_by_resolver_blocklist(suspicious_click_resolver)
filter_by_resolver_blocklist(legitimate_click_resolver)

This code analyzes session data to detect anomalies that suggest fraudulent activity. By comparing the geographic location derived from the user’s IP address with the location of the DNS resolver, it can flag sessions where a significant mismatch might indicate the use of a proxy or botnet.

# In a real system, this would use a GeoIP database.
# Here we simulate it with a dictionary.
IP_GEO_DATABASE = {
    "81.2.69.142": "UK", # User IP
    "208.67.222.222": "USA", # DNS Resolver IP
    "195.46.39.39": "DE" # Another DNS Resolver IP
}

def detect_geo_mismatch(user_ip: str, resolver_ip: str) -> bool:
    """
    Compares the country of the user IP and the DNS resolver IP.
    Returns True if a mismatch is detected, False otherwise.
    """
    user_country = IP_GEO_DATABASE.get(user_ip)
    resolver_country = IP_GEO_DATABASE.get(resolver_ip)

    if not user_country or not resolver_country:
        print("Could not determine location for one or both IPs.")
        return False

    if user_country != resolver_country:
        print(f"FRAUD ALERT: Mismatch found! User in {user_country}, Resolver in {resolver_country}.")
        return True
    
    print(f"OK: User and resolver are both in {user_country}.")
    return False

# --- Simulation ---
# Scenario 1: A fraudulent click with a geo-mismatch
detect_geo_mismatch("81.2.69.142", "208.67.222.222")

# Scenario 2: A legitimate click
detect_geo_mismatch("81.2.69.142", "195.46.39.39")

Types of Encrypted DNS Traffic

  • DNS over TLS (DoT): This method wraps DNS queries in the Transport Layer Security protocol and sends them over a dedicated port (853). In fraud detection, its use of a distinct port makes DoT traffic identifiable, allowing security systems to isolate and analyze it for anomalies without needing to inspect other web traffic.
  • DNS over HTTPS (DoH): This type encapsulates DNS queries within standard HTTPS traffic on port 443. This makes DNS requests indistinguishable from normal browsing activity, helping bots evade detection. For security, this means fraud analysis must rely on other signals, like TLS fingerprinting or the resolver’s reputation, to identify malicious clients.
  • DNSCrypt: An earlier protocol that encrypts and authenticates DNS traffic between a user and their resolver. While less common than DoT or DoH, its presence can be a signal for analysis. Fraud detection systems can profile clients using DNSCrypt to identify patterns associated with specific tools or botnets.
  • Private Relay: Apple’s implementation that uses a dual-hop architecture to separate a user’s IP address from their DNS query. While designed for privacy, scammers have been found spoofing Private Relay traffic to commit ad fraud. Detection requires identifying inconsistencies between traffic claiming to be from Private Relay and its actual technical signatures.

πŸ›‘οΈ Common Detection Techniques

  • DNS Resolver Analysis: This technique involves examining the IP address of the DNS resolver used in a click. If the resolver belongs to a data center, hosting service, or public proxy, it is highly likely that the traffic is non-human and generated by a bot.
  • TLS/JA3 Fingerprinting: Security systems analyze the parameters of the TLS handshake (the start of an encrypted session) to create a unique fingerprint (a JA3 hash). This fingerprint can identify the specific client software (e.g., a Chrome browser vs. a Python bot) making the request, revealing automation tools.
  • Geographic Consistency Analysis: This method compares the geographic location of the user’s IP address with the location of their DNS resolver. A significant mismatch, such as a user in Germany using a resolver in Brazil, suggests the use of proxies or other obfuscation methods common in ad fraud.
  • Behavioral Analysis of DNS Queries: This technique monitors the frequency, timing, and pattern of DNS requests from a single user or IP. Abnormally high query rates, repetitive lookups for the same domains, or non-random query patterns are strong indicators of automated bot activity.
  • IP to ASN Correlation: This involves checking the Autonomous System Number (ASN) associated with an IP address. An ASN reveals the network’s owner (e.g., a residential ISP or a cloud provider). Clicks originating from data center ASNs are almost always flagged as fraudulent.

🧰 Popular Tools & Services

Tool Description Pros Cons
Integrated Click Fraud Platform A comprehensive service that combines DNS metadata analysis with other signals like behavioral modeling and device fingerprinting to provide an all-in-one fraud detection and prevention solution for ad campaigns. High accuracy; provides a holistic view of traffic quality; often includes automated blocking and reporting dashboards. Can be expensive; may require complex integration with ad platforms; might have a steeper learning curve.
DNS-Level Filtering Service A network-level security service that filters DNS requests against real-time threat intelligence feeds, blocking connections to malicious or fraudulent domains before they are established. Easy to deploy at the network level; provides a strong first line of defense; effective at blocking known threats. May not catch sophisticated or zero-day threats; can be bypassed by bots that use hardcoded IP addresses.
Threat Intelligence API An API that provides real-time data on the reputation of IPs, domains, and DNS resolvers. Businesses can integrate this data into their own fraud detection systems to enrich their analysis. Highly flexible; allows for custom rule implementation; provides up-to-date threat data from multiple sources. Requires in-house development resources to implement and maintain; cost can scale with query volume.
Open-Source Analytics Engine A custom-built solution using open-source tools (e.g., ELK Stack, Suricata) to capture and analyze network traffic, including encrypted DNS metadata, to identify suspicious patterns. Complete control and customization; no licensing fees for the core software; can be tailored to specific business needs. Requires significant technical expertise to build and manage; responsibility for maintenance and updates falls entirely on the business.

πŸ“Š KPI & Metrics

To measure the effectiveness of encrypted DNS traffic analysis, it is crucial to track both its technical accuracy in identifying fraud and its impact on business outcomes. Monitoring these key performance indicators (KPIs) helps ensure that fraud prevention efforts are not only blocking invalid traffic but also positively contributing to campaign goals and return on investment.

Metric Name Description Business Relevance
Invalid Traffic (IVT) Rate The percentage of clicks or impressions identified as fraudulent based on DNS metadata analysis. Directly measures the volume of fraud being blocked, demonstrating the value of the detection system.
False Positive Rate The percentage of legitimate user clicks that are incorrectly flagged as fraudulent. A low rate is critical to avoid blocking real customers and losing potential revenue.
Resolver Risk Score An aggregated score indicating the risk level associated with traffic from specific DNS resolvers. Helps prioritize which traffic sources to scrutinize and refine blocking rules for better accuracy.
Cost Per Acquisition (CPA) The average cost to acquire a new customer, calculated after filtering out fraudulent clicks. Lowering CPA by eliminating ad spend on bots is a primary goal of fraud protection.
Clean Traffic Ratio The proportion of traffic deemed legitimate after applying DNS-based filtering rules. Indicates the overall quality of traffic from different ad channels or campaigns.

These metrics are typically monitored through real-time dashboards that visualize incoming traffic, detection rates, and blocked activity. Automated alerts can be configured to notify analysts of sudden spikes in fraudulent traffic or anomalies in resolver behavior. This feedback loop is essential for continuously optimizing fraud filters and adapting to new bot tactics, ensuring the system remains effective over time.

πŸ†š Comparison with Other Detection Methods

Detection Accuracy and Evasion

Compared to signature-based detection, which relies on blocklisting known bad IPs or user agents, encrypted DNS analysis is more robust. Bots can easily rotate IPs and spoof user agents, but their network-level behavior, such as using a data center’s DNS resolver, is harder to fake. However, it can be less precise than advanced behavioral analytics, which tracks mouse movements and keyboard inputs. Sophisticated bots may try to evade DNS analysis by using legitimate public resolvers, making this method one important layer in a multi-layered defense.

Performance and Scalability

Analyzing encrypted DNS metadata is extremely fast and scalable. Since it happens at the network edge and doesn’t require inspecting the full content of a webpage or executing complex JavaScript, it adds minimal latency. This makes it suitable for high-volume, real-time environments like programmatic ad bidding. In contrast, behavioral analysis is more resource-intensive and often occurs post-click, while CAPTCHAs introduce significant user friction and are not suitable for passive fraud detection in advertising.

Effectiveness Against Bots

This method is highly effective against simple to moderately complex bots that run in cloud environments, as their network origins are a clear giveaway. It is a powerful tool for catching large-scale, automated attacks. However, it may be less effective against bots operating on compromised residential devices, where the DNS resolver and user IP may appear legitimate. In these cases, it must be combined with other methods like behavioral analysis or click-timing heuristics to achieve comprehensive protection.

⚠️ Limitations & Drawbacks

While analyzing encrypted DNS traffic is a powerful technique for fraud detection, it has certain limitations. It is not a standalone solution but rather one component of a comprehensive security strategy. Its effectiveness can be constrained by the sophistication of attackers and the inherent trade-offs between security and user privacy.

  • Limited Visibility: Since the DNS query itself is encrypted, analysis is restricted to metadata. This method cannot determine the exact domain being requested, which can limit its ability to block newly created malicious domains that are not yet on a threat list.
  • Evasion by Sophisticated Bots: Advanced bots can be programmed to use legitimate public DNS resolvers (like Google’s or Cloudflare’s), making them harder to distinguish from human traffic based on resolver reputation alone.
  • False Positives with Privacy Tools: Legitimate users who prioritize privacy may use VPNs or public DNS services. Overly strict rules that block all data center or public resolver traffic could inadvertently block these real users, leading to false positives.
  • No Insight into Post-Click Behavior: DNS analysis happens before a user reaches a site. It cannot detect fraud that occurs after the landing page loads, such as ad stacking or invisible ad impressions.
  • Complexity in TLS Fingerprinting: While powerful, maintaining an up-to-date database of bot fingerprints (like JA3/JARM) is challenging, as bot developers constantly change their tools to avoid detection.

In scenarios where these limitations are significant, a hybrid approach combining DNS analysis with behavioral analytics and post-click verification is more suitable.

❓ Frequently Asked Questions

How does encrypted DNS analysis stop fraud if the content is hidden?

It works by analyzing metadata, not content. Security systems inspect signals like the reputation of the DNS resolver (e.g., is it a known data center?), the TLS fingerprint of the client making the request, and geographic consistency between the user and resolver. These signals reveal bot activity without needing to see the requested domain.

Does using a privacy-focused DNS resolver automatically flag a user as fraudulent?

Not necessarily. While many bots use public DNS resolvers, so do many privacy-conscious humans. A robust detection system does not rely on this single signal. It correlates the resolver information with other factors like IP reputation, behavioral patterns, and client fingerprinting to make a more accurate decision and avoid false positives.

Can this method detect ad fraud from residential proxies?

It can be challenging, but it’s possible. While a residential proxy provides a legitimate-looking user IP, the DNS resolver might still be a centralized service that can be flagged. Furthermore, inconsistencies like a residential IP in one country using a known resolver in another can be a strong indicator of proxy-based fraud.

Is analyzing encrypted DNS traffic compliant with privacy regulations like GDPR?

Yes, typically it is. Since the method focuses on non-personal metadata (like a resolver’s IP address or a TLS signature) and does not decrypt the user’s actual DNS query, it is considered a privacy-preserving security technique. It identifies fraud patterns without processing the sensitive content of the user’s online activity.

What is the main difference between DNS filtering and traditional IP blocklisting?

Traditional IP blocklisting blocks users based on a history of bad behavior from their IP address. However, bots can rapidly change IPs. DNS filtering is more durable because it analyzes the more stable network infrastructure (the DNS resolver) a bot uses. A botnet might use thousands of IPs but rely on a handful of resolvers, making DNS analysis more efficient for blocking large-scale attacks.

🧾 Summary

Encrypted DNS traffic analysis is a critical technique in modern click fraud prevention. It focuses on analyzing metadata from encrypted DNS queries, such as resolver reputation and TLS fingerprints, to identify non-human behavior. This method allows security systems to detect and block bots originating from data centers or using fraudulent patterns, ensuring traffic authenticity and protecting ad spend without decrypting private user data.