Naiqian Zheng,Mengqi Liu,Yuxing Xiang,Linjian Song,Dong Li,Feng Han,Nan Wang,Yong Ma,Zhuo Liang,Dennis Cai,Ennan Zhai,Xuanzhe Liu,Xin Jin

DOI: https://doi.org/10.1145/3600006.3613153

2023-01-01

Abstract:This paper presents DNS-V, a verification framework for our in-production DNS authoritative engine, which is the core of our DNS service. The key idea for automated verification in general is based on the layered verification principle. However, we face the challenge that our in-production DNS authoritative engine lacks modularity, more specifically, as can be seen with unclean interfaces and poor data structure encapsulation. This makes the layered verification hard to apply. To address this challenge, we propose a summarization approach that performs full-path symbolic execution to accumulate all path conditions and computation effects, and then represents a module's behavior in an abstract form as a set of input-effect pairs. In addition, for portability to future iterated versions of our DNS authoritative engine, we identify common dependency library modules that remain stable across different versions, and carefully design their abstractions to make them amenable to automated reasoning. Our framework has been successful in identifying and preventing tens of critical bugs in different versions of our DNS authoritative engine from reaching production, with a porting effort of less than one person-week.

LEI Kai,SHU Fangxing,HUANG Lei,ZHANG Qichao

DOI: https://doi.org/10.11959/j.issn.2096-109x.2020024

2020-01-01

Abstract:The domain name system (DNS) is an important internet infrastructure. However, current DNS utilizes centralized hierarchical structure with severe dependence on root server, which causes defects such as the risk of single-point failure and the abuse of central rights. Designing new decentralized DNS mainly focuses on transforming the domain name system from a single trust domain which relies on the center to multiple trust domains with the top-level domain name as the root parallel to each other, but also faces cross-domain credible challenges. To design a cross-domain trusted architecture, the concept of separating control and analysis was adopted, and a dual-blockchain DNS architecture was proposed. At data layer, a novel cross-domain verification was designed based on a one-way accumulator verification scheme, with the time complexity of the verification process O(N) reducing to O(1) nearly. The CDBFT algorithm was proposed by combining the DPoS mechanism and the BFT algorithm, whose average throughput reaches 736 TPS. The theoretical derivation and experimental results have demonstrated the advantages of this new DNS architecture on security, performance, and scalability.

Chao Li,Jiagui Xie,Yanan Cheng,Zhaoxin Zhang,Jian Chen,Haochuan Wang,Hanyu Tao

DOI: https://doi.org/10.3390/electronics12102264

IF: 2.9

2023-05-17

Electronics

Abstract:The root zone is located at the top level of the DNS system's hierarchical structure and serves as the entry point for all domain name resolutions. The accuracy of the root zone file determines whether domain names can be resolved correctly. To solve the problems of single-source distrust and inaccurate data in the use of root zone files, this paper utilizes multi-source root zone files to build an accurate, real-time, and highly trustworthy root zone file through the validation of data accuracy and integrity. First, we propose a weighted voting statistical verification method. We select top-level domain name records with the highest confidence from the multi-source root zone data, thereby improving data accuracy. Second, through a dynamic cyclic construction process, we achieve dynamic monitoring of root zone file version changes, effectively ensuring the real-time nature of root zone data. Finally, we adopt a DNSSEC verification mechanism to address the issue of unreliable transmission paths for actively probed root zone data, ensuring data integrity by verifying the signed top-level domain name records and their ZSK, KSK keys. In addition, through the analysis of experimental data, we find that the main reason for the inaccuracy and unreliability of the root zone file is the delay in updating and synchronizing the file. We also discover the presence of redundant KSK keys in some of the source root zone data, which led to failure in the DNSSEC validation chain. The high-trust root zone file constructed in this paper provides data support for research on the root-side resolution anomaly detection and localization application of root zone files and has wide-ranging practical value.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yahui Li,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu,Fangdan Ye,Jiangyuan Yao,Han Zhang

DOI: https://doi.org/10.1016/j.comnet.2020.107326

IF: 5.493

2020-01-01

Computer Networks

Abstract:Configuring a network is always difficult and error-prone because of low-level configuration languages and complex routing mechanisms. Most network outages occur when network the configuration is updated. Thus, it is important to proactively verify network configurations. Unfortunately, there are two practical obstacles that inhibit the performance of existing configuration verification tools: (i) Lack of knowledge. Network users often do not know which input verification queries need to be verified. (ii) Limited scalability. Even the state-of-the-art tool (i.e., Minesweeper [1]) takes approximately 500 seconds to complete a single reachability query for a network with tens of routers. Considering the total number of queries that must be verified, real networks often make such techniques impractical. In this paper, we propose NUV, a framework for performing network configuration update verification. NUV outputs verification queries for only the endpoints whose forwarding behavior has changed under the updated network configuration. Based on the network forwarding model, NUV infers the potential traffic impact and eliminates endpoints whose forwarding behavior is equivalent in both the original network configuration and the updated configuration. The NUV outputs can be used as input to a rich collection of existing configuration verification tools. Evaluations on a series of benchmark networks show that NUV can solve the lack of knowledge problem, and it enables query verification to execute at speeds orders of magnitude faster than existing tools; thus, it also improves verification scalability.

Hongyu Gao,Vinod Yegneswaran,Jian Jiang,Yan Chen,Phillip Porras,Shalini Ghosh,Haixin Duan

DOI: https://doi.org/10.1109/tnet.2014.2358637

2016-01-01

IEEE/ACM Transactions on Networking

Abstract:The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i. e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.

Xiaoli Zhang,Cong Wang,Qi Li,Jianping Wu

DOI: https://doi.org/10.1109/MNET.001.1800330

IF: 10.294

2020-01-01

IEEE Network

Abstract:Guaranteeing that large scale networks are always operated as policy goals dictate is critical for network availability, security, and performance. The problem is challenging, as it should not only assure the correctness of policy configurations across various network devices, but also guarantee the faithfulness of policy enforcement on actual packet forwarding behaviors. In this article, we provide a systematic overview of the direction of network verification, which covers both verification of network configurations and assurance of device actual behaviors. In particular, we summarize state-of-the-art designs with focuses from early stateless data planes with switches/routers to more recent stateful ones containing middleboxes. After analyzing and comparing these works, we also specify future directions in the verification of stateful networks.

Chao Li,Yanan Cheng,Zhaoxin Zhang,Ping Yu

DOI: https://doi.org/10.1016/j.cose.2023.103426

2023-08-18

Abstract:Authoritative domain name servers (referred to as authoritative servers) play a critical role in the Domain Name System (DNS) by resolving domain names to specific IP or CNAME records, ensuring seamless internet access. However, misconfigurations in authoritative servers can introduce risks to domain name resolution. This paper proposes a comprehensive approach to analyze and evaluate the configuration risks of authoritative servers. We develop a tool called "AuthDetect" to detect configuration anomalies in authoritative servers, and leveraging this tool, we conduct anomaly detection and analyze resolution risks from three perspectives: resolution latency, content, and reliability. Our evaluation indicates that 90% of the domains have a favorable overall resolution risk (below 0.13), but varying levels of risks exist: (1) 60% face resolution latency risk, (2) only 8.33% of domain names exhibit content risk, and (3) almost all domain names (99.8%) experience resolution reliability risk, primarily due to inadequate server configuration. These findings offer valuable data support for domain name managers, providing insights into the current configuration status of authoritative servers and contributing to maintaining a healthy and stable DNS system operation.

computer science, information systems

Zhenyu Li,Yong Ding,Honghao Gao,Bo Qu,Yujue Wang,Jun Li

DOI: https://doi.org/10.1145/3511901

IF: 5.3

2022-03-24

ACM Transactions on Internet Technology

Abstract:Edge networks are providing services for an increasing number of companies, and they can be used for communication between edge devices and edge gateways. However, the performance of edge devices varies greatly, and it is not easy to upgrade low-performance edge devices. Therefore, cyber attackers can use the vulnerability of edge devices to implement advanced persistent threat (APT) attacks. This paper proposes a network verification framework for edge networks that can minimize the upgrades needed to strengthen edge network security. First, the communication parties use the data transmitted by the given edge network. Our method uses our proposed PacketVerifier to attach verification information to the packet after it is sent and to verify and restore the packet before it reaches the receiver. Second, due to the performance requirements of edge networks, we design a new data processing structure, namely, a sliding window double ring (SWDR), to improve the performance of strict sequential protocols in parallel validation. Finally, experimental simulations show that our parallel processing algorithm has good performance in terms of network bandwidth compared with two existing packet processing algorithms. Furthermore, the proposed packet with verification information is compatible with the existing network topology, which helps PacketVerifier establish trustworthy transmission in a zero-trust environment.

computer science, information systems, software engineering

Yufan Fu,Jiuqi Wei,Ying Li,Botao Peng,Xiaodong Li

2023-12-07

Abstract:Domain Name System (DNS) is a critical component of the Internet infrastructure, responsible for translating domain names into IP addresses. However, DNS is vulnerable to some malicious attacks, including DNS cache poisoning, which redirects users to malicious websites displaying offensive or illegal content. Existing countermeasures often suffer from at least one of the following weakness: weak attack resistance, high overhead, or complex implementation. To address these challenges, this paper presents TI-DNS, a blockchain-based DNS resolution architecture designed to detect and correct the forged DNS records caused by the cache poisoning attacks in the DNS resolution process. TI-DNS leverages a multi-resolver Query Vote mechanism to ensure the credibility of verified records on the blockchain ledger and a stake-based incentive mechanism to promote well-behaved participation. Importantly, TI-DNS is easy to be adopted as it only requires modifications to the resolver side of current DNS infrastructure. Finally, we develop a prototype and evaluate it against alternative solutions. The result demonstrates that TI-DNS effectively and efficiently solves DNS cache poisoning.

Cryptography and Security

Qi Li,Xingqun Qi,Jiaming Liu,Hongfeng Han

DOI: https://doi.org/10.1109/icctec.2017.00303

2017-01-01

Abstract:Hosts need to identify their location on the Internet. One way is to use an IP address. In IPV4 networks, each computer is identified by a unique 4-byte number, which is generally written as a four-point format, such as 199.1.35.90. When data are transmitted via the network, the header of the packet will contain the IP address of the destination host. Another method is to use the host name to identify themselves, such as www.yahoo.com, www.google.com. Compared with the IP address, it is more memorable. However, the host name provides little or no information about the host's location in the network. In addition, since host names are usually composed of alphanumeric characters of varying lengths, routers are better at handling fixed-length, hierarchical IP addresses. Therefore, domain name system (DNS) has been developed for converting host names that are easy to be remembered by humans into digital Internet addresses. But the use of DNS sometimes reduces the efficiency of accessing the network because the network environment varies all the time, which results in the transmission rate of information between the client and the DNS server. If the package losses due to timeout, the respond of the DNS server cannot be received. As a result, this paper designs a model that can decrease the probability of these problems by introducing a local DNS database.

Cheng Huang,Ivan Batanov,Jin Li

DOI: https://doi.org/10.1145/2185376.2185381

2012-01-01

Computer Communication Review

Abstract:Internet services are often deployed in multiple (tens to hundreds) of geographically distributed data centers. They rely on Global Traffic Management (GTM) solutions to direct clients to the optimal data center based on a number of criteria like network performance, geographic location, availability, etc. The GTM solutions, however, have a fundamental design limitation in their ability to accurately map clients to data centers - they use the IP address of the local DNS resolver (LDNS) used by a client as a proxy for the true client identity, which in some cases causes suboptimal performance. This issue is known as the client-LDNS mismatch problem. We argue that recent proposals to address the problem suffer from serious limitations. We then propose a simple new solution, named ``FQDN extension'', which can solve the client-LDNS mismatch problem completely. We build a prototype system and demonstrate the effectiveness of the proposed solution. Using JavaScript, the solution can be deployed immediately for some online services, such as Web search, without modifying either client or local resolver.

HAN Dianfei,YUAN Ruixi,GUAN Xiaohong

DOI: https://doi.org/10.1016/b978-0-12-803306-7.00003-6

2007-01-01

Abstract:The correct configuration of domain name servers is the foundation of good and robust performance of network service.Past operation practice has shown that incorrect configuration has severe impact on network services.In recent years,the.CN domain,an important part of Internet developed very rapidly.However,there are many issues arising in its management.The DNS configuration errors in.CN domain are measured and analyzed.It is found that over 30% zones suffer from misconfiguration errors.This problem may pose serious hinder to efficient and secure operation of Internet in China and should be brought enough attentions.

Jie Li,Jianping Wu,Ke Xu

DOI: https://doi.org/10.1109/glocom.2011.6133740

2012-01-01

Chinese Journal of Computers

Abstract:Next generation Internet is highly concerned with the issue of trustworthy. An important foundation of trustworthy is authentication of the source IP address. With existing signature-and-verification based defense mechanisms, there is a lack of hierarchical architecture, which makes the structure of the trust alliance excessively flat and single. Moreover, with the increasing scale of trust alliances, costs of validation grow so quickly that they do not adapt to incremental deployment. Via comparison with traditional solutions, this article proposes a hierarchical, inter-domain authenticated source address validation solution named SafeZone. SafeZone employs two intelligent designs: lightweight tag replacement and a hierarchical partitioning scheme, each of which helps to ensure that SafeZone can construct trustworthy and hierarchical trust alliances without the negative influences and complex operations on de facto networks. Extensive experiments also indicate that SafeZone can effectively obtain the design goals of a hierarchical architecture, along with lightweight, loose coupling and "multi-fence support" as well as supporting incremental deployment.

Fangdan Ye,Da Yu,Ennan Zhai,Hongqiang Harry Liu,Bingchuan Tian,Qiaobo Ye,Chunsheng Wang,Xin Wu,Tianchen Guo,Cheng Jin,Duncheng She,Qing Ma,Biao Cheng,Hui Xu,Ming Zhang,Zhiliang Wang,Rodrigo Fonseca

DOI: https://doi.org/10.1145/3387514.3406217

2020-01-01

Abstract:This paper presents Hoyan-- the first reported large scale deployment of configuration verification in a global-scale wide area network (WAN). Hoyan has been running in production for more than two years and is currently used for all critical configuration auditing and updates on the WAN. We highlight our innovative designs and real-life experience to make Hoyan accurate and scalable in practice. For accuracy under the inconsistencies of devices' vendor-specific behaviors (VSBs), Hoyan continuously discovers the flaws in device behavior models, thus aiding the operators in fixing the models. For scalability to verify our global WAN, Hoyan introduces a "global-simulation & local formal-modeling" strategy to model uncertainties in small scales and perform aggressive pruning of possibilities during the protocol simulations. Hoyan achieves near-100% verification accuracy after it detected and fixed O(10) VSBs on our WAN. Hoyan has prevented many potential service failures resulting from misconfiguration and reduced the failure rate of updates of our WAN by more than half in 2019.

Klaus-Tycho Foerster,Stefan Schmid

DOI: https://doi.org/10.48550/arXiv.1908.10086

2019-08-27

Abstract:While SDNs enable more flexible and adaptive network operations, (logically) centralized reconfigurations introduce overheads and delays, which can limit network reactivity. This paper initiates the study of a more distributed approach, in which the consistent network updates are implemented by the switches and routers directly in the data plane. In particular, our approach leverages concepts from local proof labeling systems, which allows the data plane elements to locally check network properties, and we show that this is sufficient to obtain global network guarantees. We demonstrate our approach considering three fundamental use cases, and analyze its benefits in terms of performance and fault-tolerance.

Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture

Shenshen Chen,Geng Li,Dennis Duan,Kerim Gokarslan,Bin Li,Qiao Xiang,Haitao Yu,Franck Le,Richard Yang,Ying Zhang

DOI: https://doi.org/10.48550/arXiv.2005.11425

2022-01-13

Abstract:Achieving highly reliable networks is essential for network operators to ensure proper packet delivery in the event of software errors or hardware failures. Networks must ensure reachability and routing correctness, such as subnet isolation and waypoint traversal. Existing work in network verification relies on centralized computation at the cost of fault tolerance, while other approaches either build an over-engineered, complex control plane, or compose multiple control planes without providing any guarantee on correctness. This paper presents Carbide, a novel system to achieve high reliability in networks through distributed verification and multiple control plane composition. The core of Carbide is a simple, generic, efficient distributed verification framework that transforms a generic network verification problem to a reachability verification problem on a directed acyclic graph (DAG), and solves the latter via an efficient distributed verification protocol (DV-protocol). Equipped with verification results, Carbide allows the systematic composition of multiple control planes and realization of operator-specified consistency. Carbide is fully implemented. Extensive experiments show that (1) Carbide reduces downtime by 43% over the most reliable individual underlying control plane, while enforcing correctness requirements on all traffic; and (2) by systematically decomposing computation to devices and pruning unnecessary messaging between devices during verification, Carbide scales to a production data center network.

Networking and Internet Architecture

Keyu Man,Zhiyun Qian,Zhongjie Wang,Xiaofeng Zheng,Youjun Huang,Haixin Duan

DOI: https://doi.org/10.1145/3372297.3417280

2020-01-01

Abstract:In this paper, we report a series of flaws in the software stack that leads to a strong revival of DNS cache poisoning --- a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source port. To successfully poison a DNS cache on a typical server, an off-path adversary would need to send an impractical number of $2^32 $ spoofed responses simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit). Surprisingly, we discover weaknesses that allow an adversary to "divide and conquer'' the space by guessing the source port first and then the transaction ID (leading to only $2^16 +2^16 $ spoofed responses). Even worse, we demonstrate a number of ways an adversary can extend the attack window which drastically improves the odds of success. The attack affects all layers of caches in the DNS infrastructure, such as DNS forwarder and resolver caches, and a wide range of DNS software stacks, including the most popular BIND, Unbound, and dnsmasq, running on top of Linux and potentially other operating systems. The major condition for a victim being vulnerable is that an OS and its network is configured to allow ICMP error replies. From our measurement, we find over 34% of the open resolver population on the Internet are vulnerable (and in particular 85% of the popular DNS services including Google's 8.8.8.8). Furthermore, we comprehensively validate the proposed attack with positive results against a variety of server configurations and network conditions that can affect the success of the attack, in both controlled experiments and a production DNS resolver (with authorization).

Heyu Chang,Xiaobing Zhang,Nianwen Si,Ping Wu

DOI: https://doi.org/10.1016/j.cose.2024.103906

IF: 5.105

2024-05-28

Computers & Security

Abstract:By decoupling the control plane and the data plane, Software Defined Networking (SDN) has reshaped the ossified network architecture and improved the programmability of the network. However, SDN is also susceptible to malicious injection, tampering, dropping and hijacking attacks against forwarding packets, and the SDN architecture cannot perceive the real behavior of switches in the data plane. Packet forwarding verification and exception localization are recognized as effective and promising methods, enabling reliable packet delivery in the data plane and allowing the controller in SDN to identify abnormal links. While existing mechanisms embed the linear-scale cryptographic tags into the packet header space as the transmission path lengthens to realize packet verification and exception localization, which cannot achieve a feasible tradeoff between efficiency and security. Leveraging the central controllability of SDN, we propose a lightweight packet forwarding verification mechanism. This mechanism splits the runtime of a flow into consecutive epochs by address hopping. The switches in the data plane forward packets based on hopping address, collecting the information of packets forwarded in a compact data structure, namely traffic sketch. The controller verifies traffic sketches and localizes exception in the epoch. We further prototype the proposed mechanism based on simulation network. The analysis and experiments demonstrate that the cost of proposed scheme is lower than the similar mechanisms, introducing no more than 9% additional forwarding delay and less than 8% throughput degradation.

computer science, information systems

Shuhan Zhang,Shuai Wang,Dan Li

DOI: https://doi.org/10.1109/infocom52122.2024.10621098

2024-01-01

Abstract:DNS relies on domain delegation for good scalability, where domains delegate their resolution service to authoritative nameservers. However, such delegations lead to complex interdependencies between DNS zones. While a complex dependency might improve the robustness of domain resolution, it could also introduce security risks unexpectedly. In this work, we perform a large-scale measurement on nearly 217M domains to analyze their resolution dependencies at both zone level and infrastructure level. According to our analysis, domains under country-code TLDs and new generic TLDs generally present more complicated dependency relationships. For robustness consideration, popular domains prefer to configure more complex dependencies. However, the centralization of nameserver hosting and the silent outsourcing of DNS providers could lead to severe false redundancy at infrastructure level. Worse, considerable domain configurations in the wild are "not robust but risky": a more complex dependency may also indicate more vulnerabilities, e.g., domains with a 2x higher dependency complexity have a 2.87x larger proportion suffering from the hijacking risk brought by lame delegation.

Chaoyi Lu,Baojun Liu,Zhou Li,Shuang Hao,Haixin Duan,Mingming Zhang,Chunying Leng,Ying Liu,Zaifeng Zhang,Jianping Wu

DOI: https://doi.org/10.1145/3355369.3355580

2019-01-01

Abstract:DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.