Yao Wang,Kexin Yu,Ziyi Wang,Kaiqiang Hu,Haizhou Du,Qiao Xiang,Xing Fang,Geng Li,Ruiting Zhou,Linghe Kong,Jiwu Shu

DOI: https://doi.org/10.1145/3663408.3663412

2024-01-01

Abstract:DNS misconfiguration can result in severe social and financial consequences. Existing DNS configuration verification tools employ a centralized architecture, where all zone files are collected for verification. This architecture faces significant scalability issues (e.g., the verifier becoming the performance bottleneck and not supporting incremental verification). Inspired by the recent proposal of distributed data plane verification and the resemblance between the network data plane and DNS configuration, we propose to rearchitect DNS configuration verification with a distributed design. Our key insight is that by analyzing the query processing behavior of each DNS zone file in parallel and stitching the results in a symbolic way, we can substantially scale up the verification of DNS configuration. Evaluation shows that an up to 9.51x speed up on a dataset with over 410,000 resource records while having small overhead.

Yahui Li,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu,Fangdan Ye,Jiangyuan Yao,Han Zhang

DOI: https://doi.org/10.1016/j.comnet.2020.107326

IF: 5.493

2020-01-01

Computer Networks

Abstract:Configuring a network is always difficult and error-prone because of low-level configuration languages and complex routing mechanisms. Most network outages occur when network the configuration is updated. Thus, it is important to proactively verify network configurations. Unfortunately, there are two practical obstacles that inhibit the performance of existing configuration verification tools: (i) Lack of knowledge. Network users often do not know which input verification queries need to be verified. (ii) Limited scalability. Even the state-of-the-art tool (i.e., Minesweeper [1]) takes approximately 500 seconds to complete a single reachability query for a network with tens of routers. Considering the total number of queries that must be verified, real networks often make such techniques impractical. In this paper, we propose NUV, a framework for performing network configuration update verification. NUV outputs verification queries for only the endpoints whose forwarding behavior has changed under the updated network configuration. Based on the network forwarding model, NUV infers the potential traffic impact and eliminates endpoints whose forwarding behavior is equivalent in both the original network configuration and the updated configuration. The NUV outputs can be used as input to a rich collection of existing configuration verification tools. Evaluations on a series of benchmark networks show that NUV can solve the lack of knowledge problem, and it enables query verification to execute at speeds orders of magnitude faster than existing tools; thus, it also improves verification scalability.

Yong Wang,Xiaochun Yun,Gang Xiong,Zhen Li,Yao

DOI: https://doi.org/10.1109/chinacom.2012.6417444

2012-01-01

Abstract:Availability of DNSSEC resolution and validation service against man-in-the-middle attacks are analysed in this paper, and possible vulnerabilities are introduced and classified. Experiments show DNSSEC client is vulnerable because the attacks are always successful, but they are failed to recursive server, at the same time, attacks to recursive server will bring about numerous retries, and the number of retries depends on the number of root domain name servers, top-level servers and authority servers, and this can be exploited to launch denial of service attacks to recursive server. The results show the availability of DNSSEC service is poor against man-in-the-middle attacks. Conclusions are valuable to the optimization of DNSSEC recursive server application, as well as DNSSEC security analysis.

Chao Li,Jiagui Xie,Yanan Cheng,Zhaoxin Zhang,Jian Chen,Haochuan Wang,Hanyu Tao

DOI: https://doi.org/10.3390/electronics12102264

IF: 2.9

2023-05-17

Electronics

Abstract:The root zone is located at the top level of the DNS system's hierarchical structure and serves as the entry point for all domain name resolutions. The accuracy of the root zone file determines whether domain names can be resolved correctly. To solve the problems of single-source distrust and inaccurate data in the use of root zone files, this paper utilizes multi-source root zone files to build an accurate, real-time, and highly trustworthy root zone file through the validation of data accuracy and integrity. First, we propose a weighted voting statistical verification method. We select top-level domain name records with the highest confidence from the multi-source root zone data, thereby improving data accuracy. Second, through a dynamic cyclic construction process, we achieve dynamic monitoring of root zone file version changes, effectively ensuring the real-time nature of root zone data. Finally, we adopt a DNSSEC verification mechanism to address the issue of unreliable transmission paths for actively probed root zone data, ensuring data integrity by verifying the signed top-level domain name records and their ZSK, KSK keys. In addition, through the analysis of experimental data, we find that the main reason for the inaccuracy and unreliability of the root zone file is the delay in updating and synchronizing the file. We also discover the presence of redundant KSK keys in some of the source root zone data, which led to failure in the DNSSEC validation chain. The high-trust root zone file constructed in this paper provides data support for research on the root-side resolution anomaly detection and localization application of root zone files and has wide-ranging practical value.

engineering, electrical & electronic,computer science, information systems,physics, applied

Chao Li,Yanan Cheng,Zhaoxin Zhang,Ping Yu

DOI: https://doi.org/10.1016/j.cose.2023.103426

2023-08-18

Abstract:Authoritative domain name servers (referred to as authoritative servers) play a critical role in the Domain Name System (DNS) by resolving domain names to specific IP or CNAME records, ensuring seamless internet access. However, misconfigurations in authoritative servers can introduce risks to domain name resolution. This paper proposes a comprehensive approach to analyze and evaluate the configuration risks of authoritative servers. We develop a tool called "AuthDetect" to detect configuration anomalies in authoritative servers, and leveraging this tool, we conduct anomaly detection and analyze resolution risks from three perspectives: resolution latency, content, and reliability. Our evaluation indicates that 90% of the domains have a favorable overall resolution risk (below 0.13), but varying levels of risks exist: (1) 60% face resolution latency risk, (2) only 8.33% of domain names exhibit content risk, and (3) almost all domain names (99.8%) experience resolution reliability risk, primarily due to inadequate server configuration. These findings offer valuable data support for domain name managers, providing insights into the current configuration status of authoritative servers and contributing to maintaining a healthy and stable DNS system operation.

computer science, information systems

Xing Fang,Feiyan Ding,Bang Huang,Ziyi Wang,Gao Han,Rulan Yang,Lizhao You,Qiao Xiang,Linghe Kong,Yutong Liu,Jiwu Shu

DOI: https://doi.org/10.1109/infocom52122.2024.10621215

2024-01-01

Abstract:Satisfiability Modulo Theories (SMT) based network configuration verification tools are powerful tools in preventing network configuration errors. However, their fundamental limitation is efficiency, because they rely on generic SMT solvers to solve SMT problems, which are in general NP-complete. In this paper, we show that by leveraging network domain knowledge, we can substantially accelerate SMT-based network configuration verification. Our key insights are: given a network configuration verification formula, network domain knowledge can (1) guide the search of solutions to the formula by avoiding unnecessary search spaces; and (2) help simplify the formula, reducing the problem scale. We leverage these insights to design a new SMT- based network configuration verification tool called NetSMT. Extensive evaluation using real-world topologies and synthetic network configurations shows that NetSMT achieves orders of magnitude improvements compared to state-of-the-art methods.

Wang Yong,Yun Xiaochun,Yao Yao,Xiong Gang

2012-01-01

Journal of Computer Research and Development

Abstract:With the introduction of public key infrastructure,DNSSEC ensures DNS data integrity, origin authentication. The extended finite automata is introduced to describe the DNSSEC protocol state including resolution and authentication process, and three types of trust relationship are presented to characterize trust transfer during the production of trust chain. Based on this, a quantitative analysis method for DNSSEC resolution probability is introduced, and main factors influencing it are analyzed. Results show that DNSSEC resolution probability is linear with the recursive server’s response rate approximately, and the influence of length of trust chain is secondary, but the number of authority server in every level has a great impact to the probability. In order to achieve a greater resolution probability, there should be at least three authority servers in every level and request ratio and authentication ratio of DNSSEC should be above 60%. The conclusions are valuable to the analysis of DNSSEC deployment and realization.

Wenfeng Liu,Yu Zhang,Yongyue Li,Binxing Fang

DOI: https://doi.org/10.1109/icc.2019.8761698

2019-01-01

Abstract:The DNS system is gradually becoming the infrastructure of many services and applications. The availability and security of the domain name resolution process must be guaranteed. We propose a graph-based formal model and a general analysis method for quantifying the name resolution process. We define metrics to quantify the availability and security of resolution process for a domain name. We conducted four measurements of the top 1 million popular domains within a one-year period. Our survey shows that for more than 50% of domains, if the most critical authoritative server of the domain name becomes unavailable or compromised, the probability of resolution failure or insecure answer is over 50%.

Yao Wang,Mingyi Hu,Bin Li,Bin Yan

DOI: https://doi.org/10.1007/978-3-540-37275-2_66

2006-01-01

Abstract:The Domain Name System (DNS) is the most crucial infrastructure for mapping human-readable host names to the corresponding IP addresses and providing the routing information of Email. Comparing with the top-level domains (TLD) such as the root servers, the local authoritative servers are more vulnerable to device failures and malicious attacks. This paper described the existence condition of authoritative servers and presented a novel domain measurement tool named DNSAuth to collect the information of local authoritative servers automatically. Experiments to the real-life authoritative servers were conducted which highlighting three important aspects: the distribution, the geographic location and their impacts on performance and security. According to five representative attributes, the authoritative servers of China Top100 websites are evaluated and the result shows that only 32% of all the servers act preferably in performance and security.

Wenfeng Liu,Yu Zhang,Wenjia Zhang,Lu Liu,Hongli Zhang,Binxing Fang

DOI: https://doi.org/10.32604/cmc.2020.07982

2020-01-01

Abstract:As a critical Internet infrastructure, domain name system (DNS) protects the authenticity and integrity of domain resource records with the introduction of security extensions (DNSSEC). DNSSEC builds a single-center and hierarchical resource authentication architecture, which brings management convenience but places the DNS at risk from a single point of failure. When the root key suffers a leak or misconfiguration, top level domain (TLD) authority cannot independently protect the authenticity of TLD data in the root zone. In this paper, we propose self-certificating root, a lightweight security enhancement mechanism of root zone compatible with DNS/DNSSEC protocol. By adding the TLD public key and signature of the glue records to the root zone, this mechanism enables the TLD authority to certify the self-submitted data in the root zone and protects the TLD authority from the risk of root key failure. This mechanism is implemented on an open-source software, namely, Berkeley Internet Name Domain (BIND), and evaluated in terms of performance, compatibility, and effectiveness. Evaluation results show that the proposed mechanism enables the resolver that only supports DNS/DNSSEC to authenticate the root zone TLD data effectively with minimal performance difference.

Yahui Li,Han Zhang,Jilong Wang,Xingang Shi,Xia Yin,Zhiliang Wang,Jiankun Hu,Congcong Miao,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2024.3409935

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Network managers configure networks to enforce various high-level policies, and to respond to the wide range of network events (e.g., attacks, intrusions, malicious route announcements from neighbors) that may occur. It is incredibly difficult to specify these high-level policies in terms of distributed low-level configuration. These high-level policies hold only if the distributed configurations are well equipped to react to unsafe and unreliable environments (e.g., malicious route announcements, unsafe components and devices). Therefore, it is important to proactively verify whether network policies hold across continually changing environments in terms of current network configurations. State-of-the-art policy verification techniques are limited because they can check only the Boolean policies (e.g., forwarding reachability, waypoint or blackhole-freeness). However, many policy violations express themselves in quantitative ways (e.g., a link becomes overloaded). In this paper, we propose quantitative network verification (QNV) analyzing the quantitative policies of networks across unsafe and unreliable environments. QNV translates network configurations into a symbolic simulation model that captures the stable states to which the network forwarding will converge as a result of interactions between routing protocols. It then generates a logical formula matrix that describes network forwarding in the event of failures and verifies quantitative policies based on the formula matrix. We implement QNV and evaluate it on realistic and synthetic configurations. Our evaluation shows that QNV can precisely verify quantitative policies in only a few minutes, even in large networks.

Qifan Zhang,Xuesong Bai,Xiang Li,Haixin Duan,Qi Li,Zhou Li

2023-10-05

Abstract:Domain Name System (DNS) is a critical component of the Internet. DNS resolvers, which act as the cache between DNS clients and DNS nameservers, are the central piece of the DNS infrastructure, essential to the scalability of DNS. However, finding the resolver vulnerabilities is non-trivial, and this problem is not well addressed by the existing tools. To list a few reasons, first, most of the known resolver vulnerabilities are non-crash bugs that cannot be directly detected by the existing oracles (or sanitizers). Second, there lacks rigorous specifications to be used as references to classify a test case as a resolver bug. Third, DNS resolvers are stateful, and stateful fuzzing is still challenging due to the large input space. In this paper, we present a new fuzzing system termed ResolverFuzz to address the aforementioned challenges related to DNS resolvers, with a suite of new techniques being developed. First, ResolverFuzz performs constrained stateful fuzzing by focusing on the short query-response sequence, which has been demonstrated as the most effective way to find resolver bugs, based on our study of the published DNS CVEs. Second, to generate test cases that are more likely to trigger resolver bugs, we combine probabilistic context-free grammar (PCFG) based input generation with byte-level mutation for both queries and responses. Third, we leverage differential testing and clustering to identify non-crash bugs like cache poisoning bugs. We evaluated ResolverFuzz against 6 mainstream DNS software under 4 resolver modes. Overall, we identify 23 vulnerabilities that can result in cache poisoning, resource consumption, and crash attacks. After responsible disclosure, 19 of them have been confirmed or fixed, and 15 CVE numbers have been assigned.

Cryptography and Security,Networking and Internet Architecture,Software Engineering

Fenglu Zhang,Baojun Liu,Eihal Alowaisheq,Jianjun Chen,Chaoyi Lu,Linjian Song,Yong Ma,Ying Liu,Haixin Duan,Min Yang

DOI: https://doi.org/10.1145/3576915.3616647

2023-01-01

Abstract:Authoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain owners are required to deploy multiple candidate nameservers for load balancing. Once the load balancing mechanism is compromised, an adversary can manipulate a large number of legitimate DNS requests to a specified candidate nameserver. As a result, it may bypass the defense mechanisms used to filter malicious traffic that can overload the victim nameserver, or lower the bar for DNS traffic hijacking and cache poisoning attacks. In this study, we report on a class of DNS vulnerabilities and present a novel attack, named Disablance, that targets the domains with different NS records severing to multiple sites of authoritative servers. The attack is made possible by a misconfiguration of nameservers that ignores domains outside their authority, combined with recursive resolvers that use a globally shared status for nameserver selection. By targeting authoritative nameservers configured by a large number of domains, Disablance allows adversaries to stealthily sabotage the DNS load balancing for authoritative nameservers at a low cost. Through simply configuring the DNS records for a domain under their control to point to the targeted nameservers and performing a handful of requests, adversaries can temporarily manipulate a given DNS resolver to overload a specific authoritative server. Therefore, Disablance can redirect benign DNS requests for all hosted domains to the specific nameserver and disrupts the load balancing mechanism. Our extensive study proves the security threat of Disablance is realistic and prevalent. First, we demonstrated that mainstream DNS implementations, including BIND9, PowerDNS, and Microsoft DNS, are vulnerable to Disablance. Second, we developed a measurement framework to measure vulnerable authoritative servers in the wild. 22.24% of top 1M FQDNs and 3.94% of top 1M SLDs were proven can be the victims of Disablance. Our measurement results also show that 37.88% of stable open resolvers and 10 of 14 popular public DNS services can be exploited to conduct Disablance, including Cloudflare and Quad9. Furthermore, the critical security threats of Disablance were observed and acknowledged through in-depth discussion with a world-leading DNS service provider. We have reported discovered vulnerabilities and provided recommendations to the affected vendors. Until now, Tencent Cloud (DNSPod) and Amazon have taken action to fix this issue according to our suggestions.

Hongyu Gao,Vinod Yegneswaran,Jian Jiang,Yan Chen,Phillip Porras,Shalini Ghosh,Haixin Duan

DOI: https://doi.org/10.1109/tnet.2014.2358637

2016-01-01

IEEE/ACM Transactions on Networking

Abstract:The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i. e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.

Xiaobo Ma,Junjie Zhang,Zhenhua Li,Jianfeng Li,Jing Tao,Xiaohong Guan,John C. S. Lui,Don Towsley

DOI: https://doi.org/10.1016/j.jnca.2014.09.016

IF: 7.574

2015-01-01

Journal of Network and Computer Applications

Abstract:As the hidden backbone of today׳s Internet, the Domain Name System (DNS) provides name resolution service for almost every networked application. To exploit the rich DNS query information for traffic engineering or user behavior analysis, both passive capturing and active probing techniques have been proposed in recent years. Despite its full visibility of DNS behaviors, the passive capturing technique suffers from prohibitive management cost and results in tremendous privacy concerns towards its large-scale and collaborative deployment. Comparatively, the active probing technique overcomes these limitations, providing broad-view and privacy-preserving DNS query analysis at the cost of constrained visibility of fine-grained DNS behavior. This paper aims to accurately estimate DNS query characteristics based on DNS cache activities, which can be acquired via active probing on a large scale at negligible management cost and minimized privacy concerns. Specifically, we have made three contributions: (1) we propose a novel solution, which integrates the renewal theory-based DNS caching formulation and the hyper-exponential distribution model. The solution offers great flexibility to model various domains; (2) we perform a large-scale real-world DNS trace measurement, and demonstrate that our solution significantly improves the estimation accuracy; (3) we apply our solution to estimate the malware-infected host population in remote management networks. The experimental results have demonstrated that our solution can achieve high estimation accuracy and outperforms the existing method.

Z ZANG,G LUO,C YIN,臧志远,罗贵明,殷翀元

DOI: https://doi.org/10.1016/S1007-0214(09)70011-2

2009-01-01

Abstract:In networks, the stable path problem (SPP) usually results in oscillations in interdomain systems and may cause systems to become unstable. With the rapid development of internet technology, the occurrence of SPPs in interdomain systems has quite recently become a significant focus of research. A framework for checking SPPs is presented in this paper with verification of an interdomain routing system using formal methods and the NuSMV software. Sufficient conditions and necessary conditions for determining SPP occurrence are presented with proof of the method's effectiveness. Linear temporal logic was used to model an interdomain routing system and its properties were analyzed. An example is included to demonstrate the method's reliability.

Keyu Man,Zhiyun Qian,Zhongjie Wang,Xiaofeng Zheng,Youjun Huang,Haixin Duan

DOI: https://doi.org/10.1145/3372297.3417280

2020-01-01

Abstract:In this paper, we report a series of flaws in the software stack that leads to a strong revival of DNS cache poisoning --- a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source port. To successfully poison a DNS cache on a typical server, an off-path adversary would need to send an impractical number of $2^32 $ spoofed responses simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit). Surprisingly, we discover weaknesses that allow an adversary to "divide and conquer'' the space by guessing the source port first and then the transaction ID (leading to only $2^16 +2^16 $ spoofed responses). Even worse, we demonstrate a number of ways an adversary can extend the attack window which drastically improves the odds of success. The attack affects all layers of caches in the DNS infrastructure, such as DNS forwarder and resolver caches, and a wide range of DNS software stacks, including the most popular BIND, Unbound, and dnsmasq, running on top of Linux and potentially other operating systems. The major condition for a victim being vulnerable is that an OS and its network is configured to allow ICMP error replies. From our measurement, we find over 34% of the open resolver population on the Internet are vulnerable (and in particular 85% of the popular DNS services including Google's 8.8.8.8). Furthermore, we comprehensively validate the proposed attack with positive results against a variety of server configurations and network conditions that can affect the success of the attack, in both controlled experiments and a production DNS resolver (with authorization).

Qiao Xiang,Chenyang Huang,Ridi Wen,Yuxin Wang,Xiwen Fan,Zaoxing Liu,Linghe Kong,Dennis Duan,Franck Le,Wei Sun

DOI: https://doi.org/10.1145/3603269.3604843

2023-01-01

Abstract:Centralized data plane verification (DPV) faces significant scalability issues in large networks (i.e. , the verifier being a performance bottleneck and single point of failure and requiring a reliable management network). We tackle this scalability challenge by introducing Tulkun, a distributed, on-device DPV framework. Our key insight is that DPV can be transformed into a counting problem on a directed acyclic graph, which can be naturally decomposed into lightweight tasks executed at network devices, enabling fast data plane checking in networks of various scales and types. With this insight, Tulkun consists of (1) a declarative invariant specification language, (2) a planner that employs a novel data structure DPVNet to systematically decompose global verification into on-device counting tasks, (3) a distributed verification messaging (DVM) protocol that specifies how on-device verifiers efficiently communicate task results to jointly verify the invariants, and (4) a mechanism to verify invariant fault-tolerance with minimal involvement of the planner. Extensive experiments with real-world datasets (WAN/LAN/DC) show that Tulkun verifies a real, large DC in 41 seconds while others tools need minutes or up to tens of hours, and shows an up to 2355× speed up on 80% quantile of incremental verification with small overhead on commodity network devices.

Lancheng Qin,Libin Liu,Li Chen,Dan Li,Yuqian Shi,Hongbing Yang

DOI: https://doi.org/10.1145/3673422.3674888

2024-01-01

Abstract:To mitigate the threats of source address spoofing, many source address validation (SAV) solutions have been proposed over the past few years. However, none of them are widely deployed in practice due to lack of understanding, lack of open source implementation, and performance concerns. To address these problems, we develop a unified framework UniSAV to facilitate the understanding, design, implementation, and evaluation of existing and future SAV solutions. With UniSAV, we implement existing SAV solutions and evaluate their performance in real topologies. UniSAV further helps us to design and implement a new SAV solution to improve the performance upon existing SAV solutions.

Xiaoli Zhang,Cong Wang,Qi Li,Jianping Wu

DOI: https://doi.org/10.1109/MNET.001.1800330

IF: 10.294

2020-01-01

IEEE Network

Abstract:Guaranteeing that large scale networks are always operated as policy goals dictate is critical for network availability, security, and performance. The problem is challenging, as it should not only assure the correctness of policy configurations across various network devices, but also guarantee the faithfulness of policy enforcement on actual packet forwarding behaviors. In this article, we provide a systematic overview of the direction of network verification, which covers both verification of network configurations and assurance of device actual behaviors. In particular, we summarize state-of-the-art designs with focuses from early stateless data planes with switches/routers to more recent stateful ones containing middleboxes. After analyzing and comparing these works, we also specify future directions in the verification of stateful networks.