Yao Wang,Mingyi Hu,Bin Li,Bin Yan

DOI: https://doi.org/10.1007/978-3-540-37275-2_66

2006-01-01

Abstract:The Domain Name System (DNS) is the most crucial infrastructure for mapping human-readable host names to the corresponding IP addresses and providing the routing information of Email. Comparing with the top-level domains (TLD) such as the root servers, the local authoritative servers are more vulnerable to device failures and malicious attacks. This paper described the existence condition of authoritative servers and presented a novel domain measurement tool named DNSAuth to collect the information of local authoritative servers automatically. Experiments to the real-life authoritative servers were conducted which highlighting three important aspects: the distribution, the geographic location and their impacts on performance and security. According to five representative attributes, the authoritative servers of China Top100 websites are evaluated and the result shows that only 32% of all the servers act preferably in performance and security.

Chao Li,Jian Chen,Zhaoxin Zhang,Zhiping Li,Yanan Cheng,Chendi Ma

DOI: https://doi.org/10.1016/j.cose.2024.103946

IF: 5.105

2024-01-01

Computers & Security

Abstract:The DNS root server is at the top of the hierarchical structure of the DNS system and is the initial node that bootstraps all DNS queries. If the root server resolves abnormally, all domain name resolutions will fail, and many users cannot access the Internet. For this reason, this paper detects the root server itself resolution anomalies and non-self resolution anomalies by constructing high-confidence root zone file and anomaly judgment rules. First, we use the weighted voting statistics method to build high-confidence root zone file by calculating the confidence of multi-source root zone files. Based on high-confidence root zone files, we construct three types of anomaly detection judgment rules: (1) root-side resolution anomaly judgment rules based on feature value matching, (2) response hijacking judgment rules by correlating response anomaly features and resolution routing information, (3) root zone file synchronization anomaly judgment rules by calculating the relative synchronization delay of multi-source root zone files. Finally, using three anomaly judgment rules, we perform anomaly detection on the root resolution data obtained by active measurement. Our detection results show that root zone file synchronization delay distributions of different root server instances vary greatly. Some instances even show minute-level convergence, resulting in incorrect resolution for some TLDs. We also detect one response hijacking incident for 2 TLDs resolution, caused by the domain takeover mechanism adopted by the ISP to reduce inter-domain traffic settlement and decrease resolution latency. Except for the unresponsive exception caused by network packet loss, no root-side resolution anomaly is found, indicating that there is no artificial manipulation of TLD resolution on the root server and reflecting the responsibility of each root server operator aiming to maintain global Internet interconnection. The detection results show that the detection rules proposed in this paper can effectively achieve the anomaly detection of root server resolution and help to maintain the health and stability of the DNS system.

WANG Yao,HU Ming-zeng,YUN Xiao-chun,LI Bin,YAN Bo-ru

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.02.023

2006-01-01

Abstract:Comparing with the top-level domains（TLD） such as the root servers,the local authoritative servers were more vulnerable to device failures and malicious attacks.It was described the existence of authoritative servers and presented a novel domain measurement tool named DNSAuth to collect the information of local authoritative servers automatically.Experiments to the real-life authoritative servers were conducted which highlighting three important aspects: the distribution,the geographic location and their impacts on performance and security.According to five representative attributes,the authoritative servers of China Top100 websites were evaluated and the result shows that only 32% of all the servers act better in performance and security.

Keyu Lu,Kaikun Dong,Cuihua Wang,Haiyan Xu

DOI: https://doi.org/10.1109/ICSAI.2014.7009359

2014-01-01

Abstract:The domain name system (DNS) plays a crucial role in the Internet. However, DNS configuration errors seriously affect the performance of DNS recently. In order to know current DNS configuration, we have studied and classified common configuration problems, proposed a DNS configuration detection model and detected the top 500 zones of China. The detection results show that DNS configuration errors are widespread. Percentages of misconfigured NS records in the top 500 zones, SOA records and MX records are all over 25%. And more than 25% of the zones do not allow TCP connection. Moreover, percentages of each configuration error class of the zones, such as delegation inconsistency, lame inconsistency and diminished server redundancy are all over 5%, especially delegation inconsistency, which accounts for 28%. Therefore, the DNS configuration is expected to improve to avoid DNS attack.

Shuhan Zhang,Shuai Wang,Dan Li

DOI: https://doi.org/10.1109/infocom52122.2024.10621098

2024-01-01

Abstract:DNS relies on domain delegation for good scalability, where domains delegate their resolution service to authoritative nameservers. However, such delegations lead to complex interdependencies between DNS zones. While a complex dependency might improve the robustness of domain resolution, it could also introduce security risks unexpectedly. In this work, we perform a large-scale measurement on nearly 217M domains to analyze their resolution dependencies at both zone level and infrastructure level. According to our analysis, domains under country-code TLDs and new generic TLDs generally present more complicated dependency relationships. For robustness consideration, popular domains prefer to configure more complex dependencies. However, the centralization of nameserver hosting and the silent outsourcing of DNS providers could lead to severe false redundancy at infrastructure level. Worse, considerable domain configurations in the wild are "not robust but risky": a more complex dependency may also indicate more vulnerabilities, e.g., domains with a 2x higher dependency complexity have a 2.87x larger proportion suffering from the hijacking risk brought by lame delegation.

HAN Dianfei,YUAN Ruixi,GUAN Xiaohong

DOI: https://doi.org/10.1016/b978-0-12-803306-7.00003-6

2007-01-01

Abstract:The correct configuration of domain name servers is the foundation of good and robust performance of network service.Past operation practice has shown that incorrect configuration has severe impact on network services.In recent years,the.CN domain,an important part of Internet developed very rapidly.However,there are many issues arising in its management.The DNS configuration errors in.CN domain are measured and analyzed.It is found that over 30% zones suffer from misconfiguration errors.This problem may pose serious hinder to efficient and secure operation of Internet in China and should be brought enough attentions.

Shanshan Hao,Renjie Liu,Deliang Chang,Chenhuan Liu,Xing Li

DOI: https://doi.org/10.1109/imcec46724.2019.8984017

2019-01-01

Abstract:The Domain Name System (DNS) is a critical Internet infrastructure that maps a name to an IP. The Top-Level Domain (TLD) of a name represents its administrative jurisdiction, and the location of the IP represents where the service is operating, however the two are sometimes inconsistent. This inconsistency can lead to anomalies in network accessibility in special cases, and has been exploited to evade regulation. In this work, we analyze the statistics, characteristics and causes of this inconsistency between whether a name is part of .cn ccTLD and whether its IP locates in China, using a dataset of the most requested 100k names generated from 157839692 queries collected during two weeks by the campus network resolver. As a result, 4% of .cn names locate out of China, up to 76% of names with IP within China are not part of .cn, and only 28% of them own a corresponding .cn name. Our work shows the threats of this inconsistency and provides insights for future network administration.

Fenglu Zhang,Baojun Liu,Eihal Alowaisheq,Jianjun Chen,Chaoyi Lu,Linjian Song,Yong Ma,Ying Liu,Haixin Duan,Min Yang

DOI: https://doi.org/10.1145/3576915.3616647

2023-01-01

Abstract:Authoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain owners are required to deploy multiple candidate nameservers for load balancing. Once the load balancing mechanism is compromised, an adversary can manipulate a large number of legitimate DNS requests to a specified candidate nameserver. As a result, it may bypass the defense mechanisms used to filter malicious traffic that can overload the victim nameserver, or lower the bar for DNS traffic hijacking and cache poisoning attacks. In this study, we report on a class of DNS vulnerabilities and present a novel attack, named Disablance, that targets the domains with different NS records severing to multiple sites of authoritative servers. The attack is made possible by a misconfiguration of nameservers that ignores domains outside their authority, combined with recursive resolvers that use a globally shared status for nameserver selection. By targeting authoritative nameservers configured by a large number of domains, Disablance allows adversaries to stealthily sabotage the DNS load balancing for authoritative nameservers at a low cost. Through simply configuring the DNS records for a domain under their control to point to the targeted nameservers and performing a handful of requests, adversaries can temporarily manipulate a given DNS resolver to overload a specific authoritative server. Therefore, Disablance can redirect benign DNS requests for all hosted domains to the specific nameserver and disrupts the load balancing mechanism. Our extensive study proves the security threat of Disablance is realistic and prevalent. First, we demonstrated that mainstream DNS implementations, including BIND9, PowerDNS, and Microsoft DNS, are vulnerable to Disablance. Second, we developed a measurement framework to measure vulnerable authoritative servers in the wild. 22.24% of top 1M FQDNs and 3.94% of top 1M SLDs were proven can be the victims of Disablance. Our measurement results also show that 37.88% of stable open resolvers and 10 of 14 popular public DNS services can be exploited to conduct Disablance, including Cloudflare and Quad9. Furthermore, the critical security threats of Disablance were observed and acknowledged through in-depth discussion with a world-leading DNS service provider. We have reported discovered vulnerabilities and provided recommendations to the affected vendors. Until now, Tencent Cloud (DNSPod) and Amazon have taken action to fix this issue according to our suggestions.

Futai Zou,Siyu Zhang,Li Pang,Linsen Li,Jianhua Li,Bei Pei

DOI: https://doi.org/10.1109/dsc.2016.96

2016-01-01

Abstract:Domain Name System (DNS) is one of the most crucial components of the Internet. However, due to the vulnerability of DNS, its security has been continuously challenged in recent years. In order to thoroughly understand the root cause of the security risks in the DNS, researches in DNS security are surveyed, and vulnerabilities in DNS and corresponding countermeasures are summarized. First, based on the protocol design and implementation of DNS, weaknesses in DNS fall into 5 categories: cache poisoning, denial of service, software vulnerabilities, information leakage and unauthorized data manipulation. Then, fundamental properties and defense approaches for the 5 categories are analyzed. Next, to improve the Internet name service, new secure DNS architectures are analyzed and compared. And finally, future aspects of research in DNS security are discussed.

Wang Yong,Yun Xiaochun,Yao Yao,Xiong Gang

2012-01-01

Journal of Computer Research and Development

Abstract:With the introduction of public key infrastructure,DNSSEC ensures DNS data integrity, origin authentication. The extended finite automata is introduced to describe the DNSSEC protocol state including resolution and authentication process, and three types of trust relationship are presented to characterize trust transfer during the production of trust chain. Based on this, a quantitative analysis method for DNSSEC resolution probability is introduced, and main factors influencing it are analyzed. Results show that DNSSEC resolution probability is linear with the recursive server’s response rate approximately, and the influence of length of trust chain is secondary, but the number of authority server in every level has a great impact to the probability. In order to achieve a greater resolution probability, there should be at least three authority servers in every level and request ratio and authentication ratio of DNSSEC should be above 60%. The conclusions are valuable to the analysis of DNSSEC deployment and realization.

Yong Wang,Xiaochun Yun,Gang Xiong,Zhen Li,Yao

DOI: https://doi.org/10.1109/chinacom.2012.6417444

2012-01-01

Abstract:Availability of DNSSEC resolution and validation service against man-in-the-middle attacks are analysed in this paper, and possible vulnerabilities are introduced and classified. Experiments show DNSSEC client is vulnerable because the attacks are always successful, but they are failed to recursive server, at the same time, attacks to recursive server will bring about numerous retries, and the number of retries depends on the number of root domain name servers, top-level servers and authority servers, and this can be exploited to launch denial of service attacks to recursive server. The results show the availability of DNSSEC service is poor against man-in-the-middle attacks. Conclusions are valuable to the optimization of DNSSEC recursive server application, as well as DNSSEC security analysis.

Yao Wang,Ming-zeng Hu,Bin Li,Bo-ru Yan

DOI: https://doi.org/10.1007/11942634_37

2006-01-01

Abstract:This paper seeks to quantitatively understand the nature of the current threat towards the common name servers. A new tracking technique based on statistical model is proposed to locate the anomalous name servers by analyzing the real-world DNS traffic. After summarizing the attacks towards DNS, the detection method based on associative feature analysis is presented. Experiments are conducted which highlighting both the payload anomaly and the data flow anomaly, and the experimental results reveal the efficiency of our method in detecting the anomalous behaviors of name servers.

Petar D. Bojović,Slavko Gajin

DOI: https://doi.org/10.48550/arXiv.1711.05696

2017-11-16

Abstract:DNS is a basic Internet service which almost all other user services depend on. However, what has been perceived in practice are a lot of inconsistencies and errors in the configuration of servers that cause different problems. The majority of such cases are included in this research with the aim of identifying and classifying the major problems of DNS availability, performance and security. In order to analyze these problems in correlation with DNS administrators working practice, we have developed a methodology and tool for testing, quantifying and analysis of DNS misconfigurations. The methodology and tool were applied on three heterogeneous domain categories - the most popular Internet domains, academic domains and one national top level domain. Our results confirm relatively high percentage of misconfigured domains, especially in the academic and national categories. However, we have shown that fixing the configuration on relatively small number of name servers can have significant impact to great number of domains. Proper domain management, permanent testing and collaboration with other administrators are identified as measures to improve domains operation, stability and security.

Networking and Internet Architecture

Chao Li,Jiagui Xie,Yanan Cheng,Zhaoxin Zhang,Jian Chen,Haochuan Wang,Hanyu Tao

DOI: https://doi.org/10.3390/electronics12102264

IF: 2.9

2023-05-17

Electronics

Abstract:The root zone is located at the top level of the DNS system's hierarchical structure and serves as the entry point for all domain name resolutions. The accuracy of the root zone file determines whether domain names can be resolved correctly. To solve the problems of single-source distrust and inaccurate data in the use of root zone files, this paper utilizes multi-source root zone files to build an accurate, real-time, and highly trustworthy root zone file through the validation of data accuracy and integrity. First, we propose a weighted voting statistical verification method. We select top-level domain name records with the highest confidence from the multi-source root zone data, thereby improving data accuracy. Second, through a dynamic cyclic construction process, we achieve dynamic monitoring of root zone file version changes, effectively ensuring the real-time nature of root zone data. Finally, we adopt a DNSSEC verification mechanism to address the issue of unreliable transmission paths for actively probed root zone data, ensuring data integrity by verifying the signed top-level domain name records and their ZSK, KSK keys. In addition, through the analysis of experimental data, we find that the main reason for the inaccuracy and unreliability of the root zone file is the delay in updating and synchronizing the file. We also discover the presence of redundant KSK keys in some of the source root zone data, which led to failure in the DNSSEC validation chain. The high-trust root zone file constructed in this paper provides data support for research on the root-side resolution anomaly detection and localization application of root zone files and has wide-ranging practical value.

engineering, electrical & electronic,computer science, information systems,physics, applied

Chao Li,Yanan Cheng,Zhaoxin Zhang,Zundong Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110669

IF: 5.493

2024-01-01

Computer Networks

Abstract:The Domain Name System (DNS), as a critical component of Internet infrastructure, is crucial for maintaining network stability and security. However, vulnerabilities in the DNS resolution process make it susceptible to various network attacks. Current DNS resolution anomaly detection methods are challenged by the scarcity of diverse anomalous sample data and the difficulty in accurately capturing such anomalies. To address those challenges, we firstly introduce a proactive anomaly detection method based on bidirectional national censorship behavior, abbreviated as CB-BiDAM. This method can collect diverse anomalous resolution data from multiple network spaces, covering common types of resolution anomalies and effectively solving the problem of sample scarcity. Further, we extract multidimensional features from four key aspects: response content, DNS attributes, resolution paths, and timing, to gain a deeper understanding of the relationship between multifaceted information in the DNS resolution process and anomalous events. Finally, based on these multidimensional features, we construct a DNS resolution anomaly detection model named DRADC, using a stacked ensemble approach. Through a series of comparative experiments, the DRADC model significantly outperforms existing machine learning algorithms in key metrics such as accuracy (97.48%), recall (96.87%), and F1 score (97.09%). Feature ablation experiments further demonstrates that incorporating multidimensional features significantly improves model performance, with a 3% increase in accuracy and a 3.5% increase in precision compared to models relying solely on response content features. By providing an accurate detection model for DNS resolution anomalies, this study aids network administrators in more effectively identifying and countering network attacks. Additionally, our research also contributes to the detection and response to domain censorship mechanisms, which is crucial for maintaining the openness and free flow of the Internet.

Wenfeng Liu,Yu Zhang,Yongyue Li,Binxing Fang

DOI: https://doi.org/10.1109/icc.2019.8761698

2019-01-01

Abstract:The DNS system is gradually becoming the infrastructure of many services and applications. The availability and security of the domain name resolution process must be guaranteed. We propose a graph-based formal model and a general analysis method for quantifying the name resolution process. We define metrics to quantify the availability and security of resolution process for a domain name. We conducted four measurements of the top 1 million popular domains within a one-year period. Our survey shows that for more than 50% of domains, if the most critical authoritative server of the domain name becomes unavailable or compromised, the probability of resolution failure or insecure answer is over 50%.

Fenglu Zhang,Baojun Liu,Chaoyi Lu,Yunpeng Xing,Haixin Duan,Ying Liu,Liyuan Chang

DOI: https://doi.org/10.1109/tdsc.2024.3373530

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:DNS root servers are the starting point of most DNS queries. To ensure their security and stability, multiple anycast instances are operated worldwide, and new root instances have been rapidly deployed in recent years. Apart from authorized instances managed by Root Server System, some networks equip unauthorized instances to hijack queries from clients. Despite various root instances handling queries within their residing networks, few studies have focused on the deployment issues of these instances.       In this paper, we provide the first study to reveal the deployment issues of root instances from a nationwide view. With the support of 7,860 vantage points, we utilized a suite of methodologies to identify the deployment of unauthorized instances. 54 vantage points witnessed the evidence of unauthorized instances, and 70.4% of them further observed security issues of unauthorized instances, including DoS, unavailability of DNSSEC validation, and vulnerable DNS software. Additionally, we utilized the side-channel information of censorship mechanisms to measure the catchment area of authorized instances. We found that most authorized instances in the Chinese mainland serve with limited catchment areas due to restricted BGP policies. Through discussions with ISPs and network operators, we make recommendations to improve the deployment status of different root instances.

computer science, information systems, software engineering, hardware & architecture

Fenglu Zhang,Yunyi Zhang,Baojun Liu,Eihal Alowaisheq,Lingyun Ying,Xiang Li,Zaifeng Zhang,Ying Liu,Haixin Duan,Min Zhang

DOI: https://doi.org/10.1145/3618257.3624839

2023-01-01

Abstract:Leveraging DNS for covert communications is appealing since most networks allow DNS traffic, especially the ones directed toward renowned DNS hosting services. Unfortunately, most DNS hosting services overlook domain ownership verification, enabling miscreants to host undelegated DNS records of a domain they do not own. Consequently, miscreants can conduct covert communication through such undelegated records for whitelisted domains on reputable hosting providers. In this paper, we shed light on the emerging threat posed by undelegated records and demonstrate their exploitation in the wild. To the best of our knowledge, this security risk has not been studied before. We conducted a comprehensive measurement to reveal the prevalence of the risk. In total, we observed 1,580,925 unique undelegated records that are potentially abused. We further observed that a considerable portion of these records are associated with malicious behaviors. By utilizing threat intelligence and malicious traffic collected by malware sandbox, we extracted malicious IP addresses from 25.41% of these records, spanning 1,369 Tranco top 2K domains and 248 DNS hosting providers, including Cloudflare and Amazon. Furthermore, we discovered that the majority of the identified malicious activities are Trojan-related. Moreover, we conducted case studies on two malware families (Dark.IOT and Specter) that exploit undelegated records to obtain C2 servers, in addition to the masquerading SPF records to conceal SMTP-based covert communication. Also, we provided mitigation options for different entities. As a result of our disclosure, several popular hosting providers have taken action to address this issue.

Mingxuan Liu,Yiming Zhang,Xiang Li,Chaoyi Lu,Baojun Liu,Haixin Duan,Xiaofeng Zheng

DOI: https://doi.org/10.14722/ndss.2024.24782

2024-01-01

Abstract:Domain names are often registered and abused for harmful and illegal Internet activities.To mitigate such threats, as an emerging security service, Protective DNS (PDNS) blocks access to harmful content by proactively offering rewritten DNS responses, which resolve malicious domains to controlled hosts.While it has become an effective tool against cybercrime, given their implementation divergence, little has been done from the security community in understanding the deployment, operational status and security policies of PDNS services.In this paper, we present a large-scale measurement study of the deployment and security implications of open PDNS services.We first perform empirical analysis over 28 popular PDNS providers and summarize major formats of DNS rewriting policies.Then, powered by the derived rules, we design a methodology that identifies intentional DNS rewriting enforced by open PDNS servers in the wild.Our findings are multi-faceted.On the plus side, the deployment of PDNS is now starting to scale: we identify 17,601 DNS servers (9.1% of all probed) offering such service.For DNS clients, switching from regular DNS to PDNS induces negligible query latency, despite additional steps (e.g., checking against threat intelligence and rewriting DNS response) being required from the server side.However, we also find flaws and vulnerabilities within PDNS implementation, including evasion of blocking policies and denial of service.Through responsible vulnerability disclosure, we have received 12 audit assessment results of high-risk vulnerabilities.Our study calls for proper guidance and best practices for secure PDNS operation.