Continuous User Behavior Monitoring using DNS Cache Timing Attacks
Hannes Weissteiner
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Network Security
This paper presents a comprehensive **evict-and-reload style attack** on local DNS caches that enables continuous monitoring of a user's browsing activity. While prior work demonstrated that DNS cache timing could reveal recent website visits, those techniques were limited to one-shot measurements that destroyed the cached information upon observation. This research solves that limitation by identifying multiple reliable **eviction primitives** that allow an attacker to repeatedly flush and re-probe the DNS cache, enabling persistent surveillance of which domains a user visits over time.
AI review
A technically rigorous side-channel attack that turns the local DNS cache into a continuous browsing surveillance tool. The eviction primitives are novel, the cross-VM and browser-based PoCs are solid, and the error-based single-request cache flush on systemd-resolved is genuinely elegant. This is real systems security research with working exploits and measurable results.