Even with modern privacy measures, DNS traffic remains a viable vector for stealthy cross‑network user tracking, compelling a reassessment of DNS security and regulatory oversight.
The Black Hat USA 2025 presentation by Bitdefender researchers Yangabella and Yan Pedrian revealed how DNS traffic from smartphones can be weaponized to create persistent, cross‑network device fingerprints. By acting as a curious DNS resolver, they collected 985 million DNS events from roughly 30,000 iOS and Android devices over 35 days, demonstrating that even routine name lookups expose a rich behavioral signature.
Their analysis showed that iOS devices generate roughly ten times more DNS queries than Android, with dominant domains ranging from Apple services to major platforms like Facebook and YouTube. Using straightforward statistical tools—TF‑IDF weighting and cosine similarity—they could cluster and match device traces without resorting to opaque AI models, achieving explainable, high‑accuracy tracking within a two‑week MAC‑randomization window.
Key moments included the observation that “repetitive DNS sequences are visible to the naked eye,” and the admission that “MAC randomization only gives us a 14‑day window, while encrypted DNS merely shifts trust to the resolver.” The researchers also highlighted the computational challenge of processing tens of gigabytes of data, which they overcame with batch processing and feature hashing.
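The sketch below is an added example, not the researchers' code: it applies TF-IDF weighting, cosine similarity and feature hashing to constructed query traces, the kind of check a resolver operator could run on its own retained logs to gauge how linkable they are across a MAC rotation. The domain names, the CRC32 hash, the bucket count and the smoothed IDF variant are all assumptions.

```python
import math
import zlib
from collections import Counter

DIM = 1 << 20  # hashed feature space (assumed size, not from the talk)

def hashed_counts(domains):
    """Feature hashing: count queries per hash bucket instead of per domain string."""
    return Counter(zlib.crc32(d.lower().encode()) % DIM for d in domains)

def tfidf_vectors(traces):
    """Map {label: [domain, ...]} to unit-length sparse TF-IDF vectors."""
    counts = {label: hashed_counts(q) for label, q in traces.items()}
    n = len(counts)
    df = Counter(b for c in counts.values() for b in c)  # traces containing each bucket
    vectors = {}
    for label, c in counts.items():
        # Smoothed IDF: names every device queries keep weight 1, rarer names weigh more.
        v = {b: tf * (math.log((1 + n) / (1 + df[b])) + 1) for b, tf in c.items()}
        norm = math.sqrt(sum(w * w for w in v.values())) or 1.0
        vectors[label] = {b: w / norm for b, w in v.items()}
    return vectors

def cosine(u, v):
    """Dot product of two unit vectors stored as sparse dicts."""
    if len(u) > len(v):
        u, v = v, u
    return sum(w * v.get(b, 0.0) for b, w in u.items())

def link(before, after):
    """For each trace seen after a MAC rotation, return the closest earlier trace and score."""
    vecs = tfidf_vectors({**{("b", k): q for k, q in before.items()},
                          **{("a", k): q for k, q in after.items()}})
    result = {}
    for k in after:
        scores = {p: cosine(vecs[("a", k)], vecs[("b", p)]) for p in before}
        best = max(scores, key=scores.get)
        result[k] = (best, round(scores[best], 3))
    return result

# Constructed traces: shared platform lookups plus a few app-specific names per device.
COMMON = lambda push, time: ["push.example"] * push + ["time.example"] * time
BEFORE = {"dev1": COMMON(5, 3) + ["api.bank-a.example"] * 4 + ["cdn.game-b.example"] * 2,
          "dev2": COMMON(6, 2) + ["feed.social-c.example"] * 5,
          "dev3": COMMON(4, 4) + ["sync.notes-d.example"] * 3 + ["api.bank-a.example"]}
AFTER = {"macX": COMMON(4, 3) + ["feed.social-c.example"] * 6,
         "macY": COMMON(5, 2) + ["api.bank-a.example"] * 3 + ["cdn.game-b.example"] * 3,
         "macZ": COMMON(3, 5) + ["sync.notes-d.example"] * 4}

if __name__ == "__main__":
    for mac, (dev, score) in link(BEFORE, AFTER).items():
        print(f"{mac} -> {dev} (cosine {score})")
```

In this constructed data the shared platform lookups barely separate devices; the handful of app-specific names carries almost all of the match, which is why a new MAC address alone does not break the link.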
The findings underscore a critical privacy gap: current safeguards like MAC randomization and DNS over HTTPS delay but do not eliminate the ability to profile users via DNS. This raises urgent questions for regulators, DNS resolver operators, and security vendors about strengthening DNS privacy and limiting the data exposure inherent in everyday mobile app usage.