Shuhan Zhang,Shuai Wang,Dan Li

DOI: https://doi.org/10.1109/infocom52122.2024.10621098

2024-01-01

Abstract:DNS relies on domain delegation for good scalability, where domains delegate their resolution service to authoritative nameservers. However, such delegations lead to complex interdependencies between DNS zones. While a complex dependency might improve the robustness of domain resolution, it could also introduce security risks unexpectedly. In this work, we perform a large-scale measurement on nearly 217M domains to analyze their resolution dependencies at both zone level and infrastructure level. According to our analysis, domains under country-code TLDs and new generic TLDs generally present more complicated dependency relationships. For robustness consideration, popular domains prefer to configure more complex dependencies. However, the centralization of nameserver hosting and the silent outsourcing of DNS providers could lead to severe false redundancy at infrastructure level. Worse, considerable domain configurations in the wild are "not robust but risky": a more complex dependency may also indicate more vulnerabilities, e.g., domains with a 2x higher dependency complexity have a 2.87x larger proportion suffering from the hijacking risk brought by lame delegation.

Wenfeng Liu,Yu Zhang,Yongyue Li,Binxing Fang

DOI: https://doi.org/10.1109/icc.2019.8761698

2019-01-01

Abstract:The DNS system is gradually becoming the infrastructure of many services and applications. The availability and security of the domain name resolution process must be guaranteed. We propose a graph-based formal model and a general analysis method for quantifying the name resolution process. We define metrics to quantify the availability and security of resolution process for a domain name. We conducted four measurements of the top 1 million popular domains within a one-year period. Our survey shows that for more than 50% of domains, if the most critical authoritative server of the domain name becomes unavailable or compromised, the probability of resolution failure or insecure answer is over 50%.

Futai Zou,Siyu Zhang,Li Pang,Linsen Li,Jianhua Li,Bei Pei

DOI: https://doi.org/10.1109/dsc.2016.96

2016-01-01

Abstract:Domain Name System (DNS) is one of the most crucial components of the Internet. However, due to the vulnerability of DNS, its security has been continuously challenged in recent years. In order to thoroughly understand the root cause of the security risks in the DNS, researches in DNS security are surveyed, and vulnerabilities in DNS and corresponding countermeasures are summarized. First, based on the protocol design and implementation of DNS, weaknesses in DNS fall into 5 categories: cache poisoning, denial of service, software vulnerabilities, information leakage and unauthorized data manipulation. Then, fundamental properties and defense approaches for the 5 categories are analyzed. Next, to improve the Internet name service, new secure DNS architectures are analyzed and compared. And finally, future aspects of research in DNS security are discussed.

Deliang Chang,Shanshan Hao,Zhou Li,Baojun Liu,Xing Li

DOI: https://doi.org/10.1109/access.2021.3112926

IF: 3.9

2021-01-01

IEEE Access

Abstract:DNS (Domain Name System) is one fundamental Internet infrastructure related to most network activities. As a feasible tool to govern the Internet, DNS’s stability and interoperability will be impacted by the countries’ policies or actions along the path. Especially now that many countries have stricter control over the Internet and even sometimes “unplug” it. But there was no study to quantify the countries’ impact systematically. To fill this research gap, we present DNSWeight . This new data-driven approach utilizes a large-scale DNS dataset and BGP (Border Gateway Protocol) routing information to calculate the country-importance score so that a country’s impact on DNS can be gauged. By applying DNSWeight on large-scale DNS and BGP datasets jointly, our study shows the importance among different countries is divided. A handful of countries show dominant significance to the current DNS ecosystem. Some countries with a history of Internet shutdowns are too influential to be ignored if they choose to break themselves from the Internet. We also examine the impact of IPv6 (IP Version 6) and reveal the “loop” phenomenon that occurs in some DNS queries. In conjunction with our findings, some discussion and suggestions are given. In summary, our study shows that DNS reliability needs to be reconsidered at the country’s level.

HAN Dianfei,YUAN Ruixi,GUAN Xiaohong

DOI: https://doi.org/10.1016/b978-0-12-803306-7.00003-6

2007-01-01

Abstract:The correct configuration of domain name servers is the foundation of good and robust performance of network service.Past operation practice has shown that incorrect configuration has severe impact on network services.In recent years,the.CN domain,an important part of Internet developed very rapidly.However,there are many issues arising in its management.The DNS configuration errors in.CN domain are measured and analyzed.It is found that over 30% zones suffer from misconfiguration errors.This problem may pose serious hinder to efficient and secure operation of Internet in China and should be brought enough attentions.

Shanshan Hao,Renjie Liu,Deliang Chang,Chenhuan Liu,Xing Li

DOI: https://doi.org/10.1109/imcec46724.2019.8984017

2019-01-01

Abstract:The Domain Name System (DNS) is a critical Internet infrastructure that maps a name to an IP. The Top-Level Domain (TLD) of a name represents its administrative jurisdiction, and the location of the IP represents where the service is operating, however the two are sometimes inconsistent. This inconsistency can lead to anomalies in network accessibility in special cases, and has been exploited to evade regulation. In this work, we analyze the statistics, characteristics and causes of this inconsistency between whether a name is part of .cn ccTLD and whether its IP locates in China, using a dataset of the most requested 100k names generated from 157839692 queries collected during two weeks by the campus network resolver. As a result, 4% of .cn names locate out of China, up to 76% of names with IP within China are not part of .cn, and only 28% of them own a corresponding .cn name. Our work shows the threats of this inconsistency and provides insights for future network administration.

Hongyu Gao,Vinod Yegneswaran,Jian Jiang,Yan Chen,Phillip Porras,Shalini Ghosh,Haixin Duan

DOI: https://doi.org/10.1109/tnet.2014.2358637

2016-01-01

IEEE/ACM Transactions on Networking

Abstract:The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i. e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.

Yao Wang,Mingyi Hu,Bin Li,Bin Yan

DOI: https://doi.org/10.1007/978-3-540-37275-2_66

2006-01-01

Abstract:The Domain Name System (DNS) is the most crucial infrastructure for mapping human-readable host names to the corresponding IP addresses and providing the routing information of Email. Comparing with the top-level domains (TLD) such as the root servers, the local authoritative servers are more vulnerable to device failures and malicious attacks. This paper described the existence condition of authoritative servers and presented a novel domain measurement tool named DNSAuth to collect the information of local authoritative servers automatically. Experiments to the real-life authoritative servers were conducted which highlighting three important aspects: the distribution, the geographic location and their impacts on performance and security. According to five representative attributes, the authoritative servers of China Top100 websites are evaluated and the result shows that only 32% of all the servers act preferably in performance and security.

Chao Li,Jian Chen,Zhaoxin Zhang,Zhiping Li,Yanan Cheng,Chendi Ma

DOI: https://doi.org/10.1016/j.cose.2024.103946

IF: 5.105

2024-01-01

Computers & Security

Abstract:The DNS root server is at the top of the hierarchical structure of the DNS system and is the initial node that bootstraps all DNS queries. If the root server resolves abnormally, all domain name resolutions will fail, and many users cannot access the Internet. For this reason, this paper detects the root server itself resolution anomalies and non-self resolution anomalies by constructing high-confidence root zone file and anomaly judgment rules. First, we use the weighted voting statistics method to build high-confidence root zone file by calculating the confidence of multi-source root zone files. Based on high-confidence root zone files, we construct three types of anomaly detection judgment rules: (1) root-side resolution anomaly judgment rules based on feature value matching, (2) response hijacking judgment rules by correlating response anomaly features and resolution routing information, (3) root zone file synchronization anomaly judgment rules by calculating the relative synchronization delay of multi-source root zone files. Finally, using three anomaly judgment rules, we perform anomaly detection on the root resolution data obtained by active measurement. Our detection results show that root zone file synchronization delay distributions of different root server instances vary greatly. Some instances even show minute-level convergence, resulting in incorrect resolution for some TLDs. We also detect one response hijacking incident for 2 TLDs resolution, caused by the domain takeover mechanism adopted by the ISP to reduce inter-domain traffic settlement and decrease resolution latency. Except for the unresponsive exception caused by network packet loss, no root-side resolution anomaly is found, indicating that there is no artificial manipulation of TLD resolution on the root server and reflecting the responsibility of each root server operator aiming to maintain global Internet interconnection. The detection results show that the detection rules proposed in this paper can effectively achieve the anomaly detection of root server resolution and help to maintain the health and stability of the DNS system.

Keyu Lu,Kaikun Dong,Cuihua Wang,Haiyan Xu

DOI: https://doi.org/10.1109/ICSAI.2014.7009359

2014-01-01

Abstract:The domain name system (DNS) plays a crucial role in the Internet. However, DNS configuration errors seriously affect the performance of DNS recently. In order to know current DNS configuration, we have studied and classified common configuration problems, proposed a DNS configuration detection model and detected the top 500 zones of China. The detection results show that DNS configuration errors are widespread. Percentages of misconfigured NS records in the top 500 zones, SOA records and MX records are all over 25%. And more than 25% of the zones do not allow TCP connection. Moreover, percentages of each configuration error class of the zones, such as delegation inconsistency, lame inconsistency and diminished server redundancy are all over 5%, especially delegation inconsistency, which accounts for 28%. Therefore, the DNS configuration is expected to improve to avoid DNS attack.

Yong Wang,Xiao-chun Yun,Yao,Gang Xiong,Zhen Li

DOI: https://doi.org/10.1109/cit.2012.37

2012-01-01

Abstract:Method of DNSSEC traffic measurement is introduced based on the identification of resource records in DNSSEC. Through the analysis of DNSSEC traffic in several levels which are resource record type, packet length, signature property, and IP features, characteristics of DNSSEC traffic can be concluded. Results show that above 78% of DNSSEC packets are NSEC3 packets, and this means there are too many useless DNSSEC queries, which would not be measured in DNS, but can be measured accurately in DNSSEC with the introduction of NSEC3. In addition to it, validation packets coming from root or top server are more than authority servers. From the analysis of DNSKEY responses, it can be referred the DNSSEC deploying ratio is 54% ignoring the cache of DNSSEC recursive server. The conclusions are helpful to the further deployment and application of DNSSEC.

Zhen Qin,Chunjing Xiao,Qiyao Wang,Yuehui Jin,Aleksandar Kuzmanovic

DOI: https://doi.org/10.1016/j.comcom.2014.03.021

IF: 5.047

2014-01-01

Computer Communications

Abstract:To enhance end-user experiences, Content Distribution Networks (CDNs) effectively exploit the Domain Name System (DNS) to redirect end-users to close-by content replicas over short time scales. While the use of DNS has brought a significant advantage to CDNs, in this paper we confirm that reliance on DNS also poses a fundamental threat to large-scale CDNs' content distribution model. In particular, we demonstrate that a considerable penetration of public DNS resolving services (e.g., OpenDNS and GoogleDNS) effectively corrupts the CDN approach, equally the large-scale server distribution and quick DNS redirections. Our contributions are threefold. First, we systematically evaluate and quantify how the use of public DNS resolving services impacts Akamai's content distribution model, the corresponding end-user service performance, and ISPs that host CON edge servers. Second, we show that a CDN-based DNS architecture, which can effectively function as both the current authoritative nameservers and resolvers, coexist with the current DNS infrastructure, and directly response end-users with authoritative DNS records. Third, we implement a prototype CDN-based DNS system by using popular Web 2.0 websites as a vehicle to publish DNS records onto CDN edge servers. We demonstrate that in an extreme setting, such an approach can achieve one order of magnitude faster lookup times relative to existing DNS resolving systems. Most importantly, we argue that the proposed design provides a realistic way to change DNS and address a number of long-lasting and emerging problems associated with this basic Internet service. (C) 2014 Elsevier B.V. All rights reserved.

CAO Rui,WU Jianping,XU Mingwei

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.11.037

2009-01-01

Abstract:The domain naming system can not resolve or update domain names fast enough and is vulnerable to single point failures. A fast naming system, called FNS, was developed based on the hierarchical structure of the DNS with the DHT structure used in local zone. The system uses a special mechanism to store the domain name information and can quickly locate the authoritative name server to reduce resolution delays. The system also uses an active update mechanism to spread changes of the name servers' address over the Internet. Tests show that the system has better name resolution performance and name server update speeds than DNS, with the active update mechanism not introducing much extra load into the Internet.

Xianran Liao,Jiacen Xu,Qifan Zhang,Zhou Li

DOI: https://doi.org/10.1109/access.2022.3215753

IF: 3.9

2022-01-01

IEEE Access

Abstract:Domain Name System (DNS) is a fundamental component for today’s Internet communications, enabling the domain-to-IP translations for billions of users and numerous applications. Yet, the operational failures of DNS are not rare and sometimes lead to severe consequences like Internet outages. To gain a better understanding of DNS operational failures, previous works examined large-scale DNS logs (DNS queries and responses between Internet users and DNS servers), but the DNS logs cannot offer a comprehensive view of the failures (e.g., errors at domain registrars) and explain the failures at a finer grain. In this paper, we try to assess DNS operational failures from another data source, the supporting forums built by DNS service providers. Specifically, we mined 4 DNS forums and crawled more than 10000 posts and 50000 replies. With a new analysis framework developed by us, we are able to tag the forum posts by different categories (e.g., general concerns, issue locations, and record types), and gain new insights regarding how and why users encounter DNS failures. In the end, we offer suggestions to DNS service providers and users to mitigate DNS operational issues.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jia Zhang,Haixin Duan,Jian Jiang,Jinjin Liang,Jianping Wu

DOI: https://doi.org/10.1007/s11432-017-9370-2

2018-01-01

Science China Information Sciences

Abstract:>Dear editor,Public domain name system (DNS) and authoritative DNS service providers have adopted various methods to optimize the accuracy of their resolution [1]. The public DNS server supports EDNS client subnet (ECS)[2], which can send the subnet information of the end users to the authoritative DNS server, and the authoritative DNS also grad-

Wang Yong,Yun Xiaochun,Yao Yao,Xiong Gang

2012-01-01

Journal of Computer Research and Development

Abstract:With the introduction of public key infrastructure,DNSSEC ensures DNS data integrity, origin authentication. The extended finite automata is introduced to describe the DNSSEC protocol state including resolution and authentication process, and three types of trust relationship are presented to characterize trust transfer during the production of trust chain. Based on this, a quantitative analysis method for DNSSEC resolution probability is introduced, and main factors influencing it are analyzed. Results show that DNSSEC resolution probability is linear with the recursive server’s response rate approximately, and the influence of length of trust chain is secondary, but the number of authority server in every level has a great impact to the probability. In order to achieve a greater resolution probability, there should be at least three authority servers in every level and request ratio and authentication ratio of DNSSEC should be above 60%. The conclusions are valuable to the analysis of DNSSEC deployment and realization.

Chao Li,Jian Chen,Zhaoxin Zhang,Yanan Cheng,Zhiping Li,Zijun Li

DOI: https://doi.org/10.1109/miccis58901.2023.00033

2023-01-01

Abstract:As one of the most significant Internet infrastructures, the domain name system is vital to provide a reliable operation. The root server is primarily in charge of resolving top-level domain names. There are only 13 root servers in existence right now. For purpose of enhancing resolution efficiency and service quality, the root server deploys a large number of root image nodes in the world using anycast technology. Through using different operator detection points in different provinces in China, we actively requested the NS records of TLDS from 13 root servers. According to the obtained data, we evaluated the 13 root servers’s service scope, and finally found that K root had the best service scope and the largest number of requests. At the same time, we examine the elements that influence the root server's services quality and discover that the root image's deployment type, routing rotation, and enterprise routing announcement are the primary influencing factors.

Liz Izhikevich,Gautam Akiwate,Briana Berger,Spencer Drakontaidis,Anna Ascheman,Paul Pearce,David Adrian,Zakir Durumeric

DOI: https://doi.org/10.1145/3517745.3561434

2023-09-24

Abstract:Active DNS measurement is fundamental to understanding and improving the DNS ecosystem. However, the absence of an extensible, high-performance, and easy-to-use DNS toolkit has limited both the reproducibility and coverage of DNS research. In this paper, we introduce ZDNS, a modular and open-source active DNS measurement framework optimized for large-scale research studies of DNS on the public Internet. We describe ZDNS' architecture, evaluate its performance, and present two case studies that highlight how the tool can be used to shed light on the operational complexities of DNS. We hope that ZDNS will enable researchers to better -- and in a more reproducible manner -- understand Internet behavior.

Networking and Internet Architecture

Chao Li,Yanan Cheng,Zhaoxin Zhang,Ping Yu

DOI: https://doi.org/10.1016/j.cose.2023.103426

2023-08-18

Abstract:Authoritative domain name servers (referred to as authoritative servers) play a critical role in the Domain Name System (DNS) by resolving domain names to specific IP or CNAME records, ensuring seamless internet access. However, misconfigurations in authoritative servers can introduce risks to domain name resolution. This paper proposes a comprehensive approach to analyze and evaluate the configuration risks of authoritative servers. We develop a tool called "AuthDetect" to detect configuration anomalies in authoritative servers, and leveraging this tool, we conduct anomaly detection and analyze resolution risks from three perspectives: resolution latency, content, and reliability. Our evaluation indicates that 90% of the domains have a favorable overall resolution risk (below 0.13), but varying levels of risks exist: (1) 60% face resolution latency risk, (2) only 8.33% of domain names exhibit content risk, and (3) almost all domain names (99.8%) experience resolution reliability risk, primarily due to inadequate server configuration. These findings offer valuable data support for domain name managers, providing insights into the current configuration status of authoritative servers and contributing to maintaining a healthy and stable DNS system operation.

computer science, information systems