DNS cookies use DNS caches as a side-channel to identify related network flows.
As with traditional HTTP cookies, DNS cookies can be used to track users on the web. They have no concept of "first party" or "third party" and can be read across different websites or from a different browser. They can also be used outside the web environment, for instance to track a web conversion which occurs after reading an email but not clicking on a link, or to track a sign-up in a mobile application after viewing a website. They also have application in DDoS mitigation - especially on IPv6 networks.
Whether a DNS cookie uniquely identifies a single user depends on the resolver path. A DNS server which uses the edns-client-subnet DNS extension can help ensure public recursive DNS servers cookie users more uniquely. Users sharing a local DNS cache (such as a home router or corporate firewall) will tend to receive the same DNS cookie.
How long a DNS cookie persists depends on the DNS implementation. The size of the DNS client's cache and the degree to which it respects the TTL will determine how long a DNS cookie lasts. Some configurations will provide a maximum lifetime of minutes, while others will allow a DNS cookie to persist for days or even weeks. Depending on how a system is configured, a DNS cookie may not change when a user's IP address changes, such as when they connect to a VPN.
A custom DNS server responds to requests with an IP chosen randomly from a pool of IP addresses. The IP address the client uses to connect to a particular DNS label is observed. Each observed connection reveals log2(pool size) bits of the identifier: with 2 IP addresses in the pool, each connection reveals one bit, so a 32-bit identifier requires 32 correlated connections; with 256 IP addresses, each connection reveals 8 bits, so a 32-bit identifier requires only 4 correlated connections. Connections can be correlated using application layer strategies (e.g. a random number used in multiple HTTP requests), or using techniques such as TCP fingerprints. Using IPv6, it's easy to obtain a /64 of IP space - a 64-bit identifier then requires observing only a single network connection.
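To make the arithmetic above concrete, here is an added simulation (not code from the original page): a caching resolver that picks a random pool address per label and honours a TTL, plus the cookie read-out. It shows why clients behind one shared cache receive the same cookie and why the cookie changes once the cached entries expire. The tracker domain, pool addresses and TTL are constructed values.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class CacheEntry:
    ip: str
    expires: float  # absolute time at which the cached answer stops being valid


class Resolver:
    """Caching resolver model: one random pool address per label, honouring TTL."""

    def __init__(self, pool, ttl, rng):
        self.pool, self.ttl, self.rng = pool, ttl, rng
        self.cache = {}

    def resolve(self, label, now):
        entry = self.cache.get(label)
        if entry is None or entry.expires <= now:
            # Cache miss or expired: the authoritative server answers randomly.
            entry = CacheEntry(self.rng.choice(self.pool), now + self.ttl)
            self.cache[label] = entry
        return entry.ip


def labels_needed(bits, pool_size):
    """Observed connections needed to recover `bits` bits from `pool_size` addresses."""
    return math.ceil(bits / math.log2(pool_size))


def dns_cookie(resolver, bits, now):
    """Read the cookie: concatenate the pool index seen for each label."""
    per_label = int(math.log2(len(resolver.pool)))
    cookie = 0
    for i in range(labels_needed(bits, len(resolver.pool))):
        ip = resolver.resolve(f"c{i}.tracker.example", now)  # constructed label
        cookie = (cookie << per_label) | resolver.pool.index(ip)
    return cookie & ((1 << bits) - 1)


if __name__ == "__main__":
    pool = [f"198.51.100.{i}" for i in range(256)]  # constructed 256-address pool
    shared = Resolver(pool, ttl=300, rng=random.Random(1))
    print(hex(dns_cookie(shared, 32, now=0)))    # first client behind the cache
    print(hex(dns_cookie(shared, 32, now=100)))  # second client, same cache, same cookie
    print(hex(dns_cookie(shared, 32, now=1000))) # after TTL expiry: a fresh cookie
```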
More advanced implementations may:
In this demonstration, DNS cookies are calculated in your browser and are not logged.