Ali Sadeghi Jahromi,AbdelRahman Abdou,Paul C. van Oorschot

2024-08-02

Abstract:The absence of security measures between DNS recursive resolvers and authoritative nameservers has been exploited by both inline and off-path attacks. While many security proposals have been made in practice and previous literature, they typically suffer from deployability barriers and/or inadequate security properties. The absence of a broadly adopted security solution between resolvers and nameservers motivates a new scheme that mitigates these issues in previous proposals. We present DNSSEC+, which addresses security and deployability downsides of DNSSEC, while retaining its benefits. DNSSEC+ takes advantage of the existent DNSSEC trust model and authorizes the nameservers within a zone for short intervals to serve the zone data securely, facilitating real-time security properties for DNS responses, without requiring long-term private keys to be duplicated (thus put at risk) on authoritative nameservers. Regarding name resolution latency, DNSSEC+ offers a performance comparable to less secure schemes. We define nine security, privacy, and deployability properties for name resolution, and show how DNSSEC+ fulfills these properties.

Cryptography and Security

Hung-Min Sun,Wen-Hsuan Chang,Shih-Ying Chang,Yue-Hsun Lin

DOI: https://doi.org/10.1007/978-3-642-10433-6_12

2009-01-01

Abstract:DNS cache poisoning attacks have been proposed for a long time. In 2008, Kaminsky enhanced the attacks to be powerful based on nonce query method. By leveraging Kaminsky's attack, phishing becomes large-scale since victims are hard to detect attacks. Hence, DNS cache poisoning is a serious threat in the current DNS infrastructure. In this paper, we propose a countermeasure, DepenDNS, to prevent from cache poisoning attacks. DepenDNS queries multiple resolvers concurrently to verify an trustworthy answer while users perform payment transactions, e.g., auction, banking. Without modifying any resolver or authority server, DepenDNS is conveniently deployed on client side. In the end of paper, we conduct several experiments on DepenDNS to show its efficiency. We believe DepenDNS is a comprehensive solution against cache poisoning attacks.

Guanglin Duan,Qing Li,Zhengxin Zhang,Dan Zhao,Guorui Xie,Yuan Yang,Zhenhui Yuan,Yong Jiang,Mingwei Xu

DOI: https://doi.org/10.1109/tdsc.2024.3409545

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The Domain Name System (DNS) is a growing center of cyber attacks, including both volumetric and non-volumetric attacks. Programmable switches provide a new opportunity for more efficient defense against DNS attacks since they can offer better cost, performance, and flexibility trade-offs compared to traditional defense systems. However, programmable switches have strict limitations on the operations and storage space supported to ensure line-speed packet processing. In this paper, we propose DNSGuard, an intelligent in-network defense framework that can handle volumetric and non-volumetric DNS attacks on programmable switches. We propose a recursive incremental parsing algorithm that can effectively extract variable-length domain names. To achieve real-time and accurate detection against two types of DNS attacks, we design a switch-optimized and resource-efficient algorithm to extract both independent features of each packet and domain-based cumulative features. Then, we propose a multi-phase hybrid model architecture to perform dynamic packet analysis at different time phases of a domain. Further, we design efficient model representation mechanisms to deploy tree-based ensemble models in the data plane. Experimental results show that DNSGuard can defend against diverse DNS attacks at the line rate. In addition, DNSGuard introduces a minimal nanosecond latency to normal traffic in heavily loaded networks.

Xiang Li,Chaoyi Lu,Baojun Liu Fi,Qifan Zhang,Zhou Li,Haixin Duan,Qi Li

2023-01-01

Abstract:In this paper, we report MAGINOTDNS, a powerful cache poisoning attack against DNS servers that simultaneously act as recursive resolvers and forwarders (termed as CDNS). The attack is made possible through exploiting vulnerabilities in the bailiwick checking algorithms, one of the cornerstones of DNS security since the 1990s, and affects multiple versions of popular DNS software, including BIND and Microsoft DNS. Through field tests, we find that the attack is potent, allowing attackers to take over entire DNS zones, even including Top-Level Domains (e.g.,.com and.net). Through a large-scale measurement study, we also confirm the extensive usage of CDNSes in real-world networks (up to 41.8% of our probed open DNS servers) and find that at least 35.5% of all CDNSes are vulnerable to MAGINOTDNS. After interviews with ISPs, we show a wide range of CDNS use cases and real-world attacks. We have reported all the discovered vulnerabilities to DNS software vendors and received acknowledgments from all of them. 3 CVE-ids have been published, and 2 vendors have fixed their software. Our study brings attention to the implementation inconsistency of security checking logic in different DNS software and server modes (i.e., recursive resolvers and forwarders), and we call for standardization and agreements among software vendors.

Haider Salim Hmood,Zhitang Li,Hasan Khalaf Abdulwahid,Yang Zhang

DOI: https://doi.org/10.1093/comjnl/bxu023

2014-01-01

The Computer Journal

Abstract:It is well known that the domain name system (DNS) is responsible for translating domain names to the corresponding IP addresses. It plays a fundamental role in running efficiently all Internet application, such as web browsing, email, multimedia applications and other projects. However, using the technique of the DNS cache poisoning attack, an attacker can effectively introduce forged DNS information to the cache memory of the domain name resolvers, with the goal of manipulating the resolver data so as to make then unavailable or divert traffic to the wrong destination, which is considered a real threat to Internet users today. Thus, in this paper, we present a new prevention methodology called Adaptive-Cache of DNS (ACDNS). Our proposed solution relies on a caching mechanism to prevent these kinds of attacks. Conversely, domain name system security extension has been presented as a conclusive solution to overcome weaknesses in the DNS protocol, but from that time up to now it still has not been deployed on a large scale. ACDNS is designed to be backward compatible with the current standards of DNS and completely appropriate with the basic protocol processes and infrastructure. In particular, our modifications are only in caching-timing in case of the need to store a new mapping. To this end, we design and implement a novel protocol for extensively simulating our approach. At the same time, we compare the performance of the ACDNS with the DNS. We show that our methodology completely protects domain name resolvers against cache-poisoning attacks.

Amir Herzberg,Haya Shulman

DOI: https://doi.org/10.48550/arXiv.1209.1482

2012-09-07

Abstract:We investigate defenses against DNS cache poisoning focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or a proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge. We discuss limitations of the prominent resolver-only defenses, mainly port and IP randomisation, 0x20 encoding and birthday protection. We then present two new (unilateral) defenses: the sandwich antidote and the NAT antidote. The defenses are simple, effective and efficient, and can be implemented in a gateway connecting the resolver to the Internet. The sandwich antidote is composed of two phases: poisoning-attack detection and then prevention. The NAT antidote adds entropy to DNS requests by switching the resolver's IP address to a random address (belonging to the same autonomous system). Finally, we show how to implement the birthday protection mechanism in the gateway, thus allowing to restrict the number of DNS requests with the same query to 1 even when the resolver does not support this.

Cryptography and Security

Keyu Man,Zhiyun Qian,Zhongjie Wang,Xiaofeng Zheng,Youjun Huang,Haixin Duan

DOI: https://doi.org/10.1145/3372297.3417280

2020-01-01

Abstract:In this paper, we report a series of flaws in the software stack that leads to a strong revival of DNS cache poisoning --- a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source port. To successfully poison a DNS cache on a typical server, an off-path adversary would need to send an impractical number of $2^32 $ spoofed responses simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit). Surprisingly, we discover weaknesses that allow an adversary to "divide and conquer'' the space by guessing the source port first and then the transaction ID (leading to only $2^16 +2^16 $ spoofed responses). Even worse, we demonstrate a number of ways an adversary can extend the attack window which drastically improves the odds of success. The attack affects all layers of caches in the DNS infrastructure, such as DNS forwarder and resolver caches, and a wide range of DNS software stacks, including the most popular BIND, Unbound, and dnsmasq, running on top of Linux and potentially other operating systems. The major condition for a victim being vulnerable is that an OS and its network is configured to allow ICMP error replies. From our measurement, we find over 34% of the open resolver population on the Internet are vulnerable (and in particular 85% of the popular DNS services including Google's 8.8.8.8). Furthermore, we comprehensively validate the proposed attack with positive results against a variety of server configurations and network conditions that can affect the success of the attack, in both controlled experiments and a production DNS resolver (with authorization).

Syed W. Shah. Lei Pan,Din Duc Nha Nguyen,Robin Doss,Warren Armstrong,Praveen Gauravaram

2024-11-12

Abstract:DNSSEC, a DNS security extension, is essential to accurately translating domain names to IP addresses. Digital signatures provide the foundation for this reliable translation, however, the evolution of 'Quantum Computers' has made traditional digital signatures vulnerable. In light of this, NIST has recently selected potential post-quantum digital signatures that can operate on conventional computers and resist attacks made with Quantum Computers. Since these post-quantum digital signatures are still in their early stages of development, replacing pre-quantum digital signature schemes in DNSSEC with post-quantum candidates is risky until the post-quantum candidates have undergone a thorough security analysis. Given this, herein, we investigate the viability of employing 'Double-Signatures' in DNSSEC, combining a post-quantum digital signature and a classic one. The rationale is that double-signatures will offer protection against quantum threats on conventional signature schemes as well as unknown non-quantum attacks on post-quantum signature schemes, hence even if one fails the other provides security guarantees. However, the inclusion of two signatures in the DNSSEC response message doesn't bode well with the maximum allowed size of DNSSEC responses (i.e., 1232B, a limitation enforced by MTU of physical links). To counter this issue, we leverage a way to do application-layer fragmentation of DNSSEC responses with two signatures. We implement our solution on top of OQS-BIND and through experiments show that the addition of two signatures in DNSSEC and application-layer fragmentation of all relevant resource records and their reassembly does not have any substantial impact on the efficiency of the resolution process and thus is suitable for the interim period at least until the quantum computers are fully realized.

Cryptography and Security

Tengchao Ma,Changqiao Xu,Shujie Yang,Yiting Huang,Xiaohui Kuang,Hong Tang,Luigi Alfredo Grieco

DOI: https://doi.org/10.1002/int.22934

IF: 8.993

2022-05-29

International Journal of Intelligent Systems

Abstract:A new class of poisoning attacks has recently emerged targeting the client‐side Domain Name System (DNS) cache. It allows users to visit fake websites unconsciously, thereby revealing their information, such as passwords. However, the current DNS defense architecture does not include DNS clients. Although relative encryption solutions can mitigate this attack, they require the cooperation of multiple parties, and the deployment speed is slow. Therefore, we propose an intelligent‐driven proactive defense strategy. First, we model the offensive and defensive process as a stochastic game based on moving target defense. Second, we adopt and optimize Proximal Policy Optimization (PPO), a deep reinforcement learning method, to solve problems caused by uncertain attack strategies and unknown state transition probability. Third, we design a self‐checking component in PPO to solve the uncertainty of action space caused by game state constraints based on our previous work. Thus the convergence speed and stability of PPO are improved. Finally, to the best of our knowledge, we are the first to game with intelligent attackers besides three conventional ones. Our strategy does not require any modifications to the DNS architecture. Through an extensive experimental campaign, the prototype system is proved to be effective against multiple attack modes. Its success rate is 98.5% approximately, and network round‐trip time is about 55 ms. Even for random attackers, our method can achieve the theoretical maximum defensive success rate.

computer science, artificial intelligence

Wenfeng Liu,Yu Zhang,Wenjia Zhang,Lu Liu,Hongli Zhang,Binxing Fang

DOI: https://doi.org/10.32604/cmc.2020.07982

2020-01-01

Abstract:As a critical Internet infrastructure, domain name system (DNS) protects the authenticity and integrity of domain resource records with the introduction of security extensions (DNSSEC). DNSSEC builds a single-center and hierarchical resource authentication architecture, which brings management convenience but places the DNS at risk from a single point of failure. When the root key suffers a leak or misconfiguration, top level domain (TLD) authority cannot independently protect the authenticity of TLD data in the root zone. In this paper, we propose self-certificating root, a lightweight security enhancement mechanism of root zone compatible with DNS/DNSSEC protocol. By adding the TLD public key and signature of the glue records to the root zone, this mechanism enables the TLD authority to certify the self-submitted data in the root zone and protects the TLD authority from the risk of root key failure. This mechanism is implemented on an open-source software, namely, Berkeley Internet Name Domain (BIND), and evaluated in terms of performance, compatibility, and effectiveness. Evaluation results show that the proposed mechanism enables the resolver that only supports DNS/DNSSEC to authenticate the root zone TLD data effectively with minimal performance difference.

Yong Wang,Xiaochun Yun,Gang Xiong,Zhen Li,Yao

DOI: https://doi.org/10.1109/chinacom.2012.6417444

2012-01-01

Abstract:Availability of DNSSEC resolution and validation service against man-in-the-middle attacks are analysed in this paper, and possible vulnerabilities are introduced and classified. Experiments show DNSSEC client is vulnerable because the attacks are always successful, but they are failed to recursive server, at the same time, attacks to recursive server will bring about numerous retries, and the number of retries depends on the number of root domain name servers, top-level servers and authority servers, and this can be exploited to launch denial of service attacks to recursive server. The results show the availability of DNSSEC service is poor against man-in-the-middle attacks. Conclusions are valuable to the optimization of DNSSEC recursive server application, as well as DNSSEC security analysis.

Haixin Duan,Nicholas Weaver,Zongxu Zhao,Meng Hu,Jinjin Liang,Jian Jiang,Kang Li,Vern Paxson

2012-01-01

Abstract:Several attacks on DNS inject forged DNS replies without suppressing the legitimate replies. Current implementations of DNS resolvers are vulnerable to accepting the injected replies if the attacker’s reply arrives before the legitimate one. In the case of regular DNS, this behavior allows an attacker to corrupt a victim’s interpretation of a name; for DNSSEC-protected names, it enables denial-of-service. We argue that the resolver should wait after receiving an initial reply for a “Hold-On” period to allow a subsequent legitimate reply to also arrive. We evaluate the feasibility of such an approach and discuss our implementation of a prototype stub resolver/forwarder that validates DNS replies using Hold-On. By validating the IP TTL and the timing of the replies, we show that the resolver can identify DNS packets injected by a nationstate censorship system, and that it functions without perceptible performance decrease for undisrupted lookups.

Amir Herzberg,Haya Shulman

DOI: https://doi.org/10.48550/arXiv.1205.5190

2012-05-23

Abstract:In spite of the availability of DNSSEC, which protects against cache poisoning even by MitM attackers, many caching DNS resolvers still rely for their security against poisoning on merely validating that DNS responses contain some 'unpredictable' values, copied from the re- quest. These values include the 16 bit identifier field, and other fields, randomised and validated by different 'patches' to DNS. We investigate the prominent patches, and show how attackers can circumvent all of them, namely: - We show how attackers can circumvent source port randomisation, in the (common) case where the resolver connects to the Internet via different NAT devices. - We show how attackers can circumvent IP address randomisation, using some (standard-conforming) resolvers. - We show how attackers can circumvent query randomisation, including both randomisation by prepending a random nonce and case randomisation (0x20 encoding). We present countermeasures preventing our attacks; however, we believe that our attacks provide additional motivation for adoption of DNSSEC (or other MitM-secure defenses).

Cryptography and Security

Elias Heftrig,Haya Shulman,Michael Waidner

DOI: https://doi.org/10.1145/3548606.3563517

2023-02-14

Abstract:Cryptographic algorithm agility is an important property for DNSSEC: it allows easy deployment of new algorithms if the existing ones are no longer secure. In this work we show that the cryptographic agility in DNSSEC, although critical for provisioning DNS with strong cryptography, also introduces a vulnerability. We find that under certain conditions, when new algorithms are listed in signed DNS responses, the resolvers do not validate DNSSEC. As a result, domains that deploy new ciphers may in fact cause the resolvers not to validate DNSSEC. We exploit this to develop DNSSEC-downgrade attacks and experimentally and ethically evaluate them against popular DNS resolver implementations, public DNS providers, and DNS services used by web clients worldwide. We find that major DNS providers as well as 45% of DNS resolvers used by web clients are vulnerable to our attacks.

Cryptography and Security

Sandra Siby,Marc Juarez,Claudia Diaz,Narseo Vallina-Rodriguez,Carmela Troncoso

DOI: https://doi.org/10.48550/arXiv.1906.09682

2019-10-07

Abstract:Virtually every connection to an Internet service is preceded by a DNS lookup which is performed without any traffic-level protection, thus enabling manipulation, redirection, surveillance, and censorship. To address these issues, large organizations such as Google and Cloudflare are deploying recently standardized protocols that encrypt DNS traffic between end users and recursive resolvers such as DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). In this paper, we examine whether encrypting DNS traffic can protect users from traffic analysis-based monitoring and censoring. We propose a novel feature set to perform the attacks, as those used to attack HTTPS or Tor traffic are not suitable for DNS' characteristics. We show that traffic analysis enables the identification of domains with high accuracy in closed and open world settings, using 124 times less data than attacks on HTTPS flows. We find that factors such as location, resolver, platform, or client do mitigate the attacks performance but they are far from completely stopping them. Our results indicate that DNS-based censorship is still possible on encrypted DNS traffic. In fact, we demonstrate that the standardized padding schemes are not effective. Yet, Tor -- which does not effectively mitigate traffic analysis attacks on web traffic -- is a good defense against DoH traffic analysis.

Cryptography and Security

Mingxuan Liu,Yiming Zhang,Xiang Li,Chaoyi Lu,Baojun Liu,Haixin Duan,Xiaofeng Zheng

DOI: https://doi.org/10.14722/ndss.2024.24782

2024-01-01

Abstract:Domain names are often registered and abused for harmful and illegal Internet activities.To mitigate such threats, as an emerging security service, Protective DNS (PDNS) blocks access to harmful content by proactively offering rewritten DNS responses, which resolve malicious domains to controlled hosts.While it has become an effective tool against cybercrime, given their implementation divergence, little has been done from the security community in understanding the deployment, operational status and security policies of PDNS services.In this paper, we present a large-scale measurement study of the deployment and security implications of open PDNS services.We first perform empirical analysis over 28 popular PDNS providers and summarize major formats of DNS rewriting policies.Then, powered by the derived rules, we design a methodology that identifies intentional DNS rewriting enforced by open PDNS servers in the wild.Our findings are multi-faceted.On the plus side, the deployment of PDNS is now starting to scale: we identify 17,601 DNS servers (9.1% of all probed) offering such service.For DNS clients, switching from regular DNS to PDNS induces negligible query latency, despite additional steps (e.g., checking against threat intelligence and rewriting DNS response) being required from the server side.However, we also find flaws and vulnerabilities within PDNS implementation, including evasion of blocking policies and denial of service.Through responsible vulnerability disclosure, we have received 12 audit assessment results of high-risk vulnerabilities.Our study calls for proper guidance and best practices for secure PDNS operation.

Xiang Li,Dashuai Wu,Haixin Duan,Qi Li

DOI: https://doi.org/10.1109/sp54263.2024.00264

2024-01-01

Abstract:DNS employs a variety of mechanisms to guarantee availability, protect security, and enhance reliability. In this paper, however, we reveal that these inherent beneficial mechanisms, including timeout, query aggregation, and response fast-returning, can be transformed into malicious attack vectors.We propose a new practical and powerful pulsing DoS attack, dubbed the DNSBomb attack. DNSBomb exploits multiple widely-implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems. Through an extensive evaluation on 10 mainstream DNS software, 46 public DNS services, and around 1.8M open DNS resolvers, we demonstrate all DNS resolvers could be exploited to conduct more practical-and-powerful DNSBomb attacks than previous pulsing DoS attacks. Small-scale experiments show the peak pulse magnitude can approach 8.7Gb/s and the bandwidth amplification factor could exceed 20,000x. Our controlled attacks cause complete packet loss or service degradation on both stateless and stateful connections (TCP, UDP, and QUIC). In addition, we present effective mitigation solutions with detailed evaluations. We have responsibly reported our findings to all affected vendors, and received acknowledgement from 24 of them, which are patching their software using our solutions, such as BIND, Unbound, PowerDNS, and Knot. 10 CVE-IDs are assigned.

Yong Wang,Xiao-chun Yun,Yao,Gang Xiong,Zhen Li

DOI: https://doi.org/10.1109/cit.2012.37

2012-01-01

Abstract:Method of DNSSEC traffic measurement is introduced based on the identification of resource records in DNSSEC. Through the analysis of DNSSEC traffic in several levels which are resource record type, packet length, signature property, and IP features, characteristics of DNSSEC traffic can be concluded. Results show that above 78% of DNSSEC packets are NSEC3 packets, and this means there are too many useless DNSSEC queries, which would not be measured in DNS, but can be measured accurately in DNSSEC with the introduction of NSEC3. In addition to it, validation packets coming from root or top server are more than authority servers. From the analysis of DNSKEY responses, it can be referred the DNSSEC deploying ratio is 54% ignoring the cache of DNSSEC recursive server. The conclusions are helpful to the further deployment and application of DNSSEC.

Eman Salem Alashwali,Pawel Szalachowski

DOI: https://doi.org/10.48550/arXiv.1809.05674

2018-09-15

Abstract:Most TLS clients such as modern web browsers enforce coarse-grained TLS security configurations. They support legacy versions of the protocol that have known design weaknesses, and weak ciphersuites that provide fewer security guarantees (e.g. non Forward-Secrecy), mainly to provide backward compatibility. This opens doors to downgrade attacks, as is the case of the POODLE attack [18], which exploits the client's silent fallback to downgrade the protocol version to exploit the legacy version's flaws. To achieve a better balance between security and backward compatibility, we propose a DNS-based mechanism that enables TLS servers to advertise their support for the latest version of the protocol and strong ciphersuites (that provide Forward-Secrecy and Authenticated-Encryption simultaneously). This enables clients to consider prior knowledge about the servers' TLS configurations to enforce a fine-grained TLS configurations policy. That is, the client enforces strict TLS configurations for connections going to the advertising servers, while enforcing default configurations for the rest of the connections. We implement and evaluate the proposed mechanism and show that it is feasible, and incurs minimal overhead. Furthermore, we conduct a TLS scan for the top 10,000 most visited websites globally, and show that most of the websites can benefit from our mechanism.

Cryptography and Security

Aziz Mohaisen,Zhongshu Gu,Kui Ren,Zhenhua Li,Charles A. Kamhoua,Laurent L. Njilla,DaeHun Nyang

DOI: https://doi.org/10.1109/tdsc.2018.2816026

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The Domain Name System Security Extension (DNSSEC) leverages public-key cryptography to provide data integrity, source authentication, and denial of existence for DNS responses. To complement DNSSEC operations, DNSSEC Look-aside Validation (DLV) is designed for alternative off-path validation. Although DNS privacy attracts a lot of attention, the privacy implications of DLV are not fully investigated and understood. In this paper, we take a first in-depth look into DLV, highlighting its lax specifications and privacy implications. By performing extensive experiments over datasets of domain names under comprehensive experimental settings, our findings firmly confirm the privacy leakages caused by DLV. We discover that a large number of domains that should not be sent to DLV servers are being leaked. We explore the root causes, including the lax specifications of DLV. We also propose two approaches to fix the privacy leakages. Our approaches require trivial modifications to the existing DNS standards, and we demonstrate their cost in terms of latency and communication.