Figure 1 - uploaded by Zhou Li
Domain resolution process with a recursive resolver

Source publication
Conference Paper
DNS is a critical service for almost all Internet applications. DNS queries from end users are handled by recursive DNS servers for scalability. For convenience, Internet Service Providers (ISPs) assign recursive servers for their clients automatically when the clients choose the default network settings. On the other hand, users should also have t...

Contexts in source publication

Context 1
... a client requests resolution of a domain, the resolution is typically executed by a recursive DNS resolver at first, which can be either assigned by the ISP or specified by Internet users. As illustrated in Figure 1, the recursive resolver iteratively contacts root, TLD and SLD nameservers to resolve a domain name, and eventually returns the answer to the client. Therefore, intercepting DNS traffic to a recursive resolver directly affects the domain resolution process for users. ...
Context 2
... In total, out-of-band requests of 14,590 resolutions (84.63% of 17,239 replicated requests) arrive at our authoritative nameservers faster than in-band ones. Zooming into ASes, Figure 10 presents the top 10 ASes with the most replicated requests to Google. While replicated requests from most ASes arrive faster, in AS4812 (China Telecom Group) all out-of-band requests lag behind. ...
Context 3
... As illustrated in Section 3.2, TTL values returned by our authoritative nameservers are randomly selected from 1 to 86400. However, for our clients, we find that about 20% of the TTL values are replaced, mostly with a smaller value, as shown in Figure 11(a). By scattering each request onto Figure 11(b), we find that there are preferred values for modified TTL, such as 1800, 3600 and 7200. ...
Context 4
... for our clients, we find that about 20% of the TTL values are replaced, mostly with a smaller value, as shown in Figure 11(a). By scattering each request onto Figure 11(b), we find that there are preferred values for modified TTL, such as 1800, 3600 and 7200. DNS record values. ...
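The TTL check described in Contexts 3 and 4, written out as an added Python example (not code from the paper): every probe carries a unique name, so the TTL our authoritative server put in the answer is ground truth and any other value seen by the client is a rewrite. The constructed sample data and the clamp-inference helper (which tests whether all rewrites fit a single "min(ttl, cap)" policy) are assumptions that go beyond the text.

```python
"""Detect in-path TTL rewriting by comparing sent vs. received TTLs (constructed data)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resolution:
    qname: str      # unique per probe, so no cache can have served it before
    ttl_sent: int   # TTL our authoritative nameserver placed in the answer (1..86400)
    ttl_seen: int   # TTL the client actually received


def is_modified(r: Resolution, slack: int = 5) -> bool:
    """A legitimate resolver only counts the TTL down by the seconds the record
    sat in its cache; a larger drop, or any increase, means the value was rewritten."""
    return r.ttl_seen > r.ttl_sent or r.ttl_seen < r.ttl_sent - slack


def summarize(rs: list) -> dict:
    """Share of rewritten TTLs, share of those that shrank, and the most common
    replacement values (the 'preferred values' the paper plots in Figure 11(b))."""
    modified = [r for r in rs if is_modified(r)]
    smaller = sum(1 for r in modified if r.ttl_seen < r.ttl_sent)
    preferred = Counter(r.ttl_seen for r in modified)
    return {
        "modified_ratio": len(modified) / len(rs) if rs else 0.0,
        "smaller_ratio": smaller / len(modified) if modified else 0.0,
        "preferred_values": [v for v, _ in preferred.most_common(3)],
    }


def infer_clamp(rs: list) -> Optional[int]:
    """Assumption (not from the paper): many proxies cap TTLs at a fixed maximum.
    Return that cap if every record is consistent with min(ttl_sent, cap), else None."""
    modified = [r for r in rs if is_modified(r)]
    caps = {r.ttl_seen for r in modified}
    if len(caps) != 1:
        return None
    cap = caps.pop()
    rewrites_fit = all(r.ttl_sent > cap for r in modified)
    untouched_fit = all(r.ttl_sent <= cap for r in rs if not is_modified(r))
    return cap if rewrites_fit and untouched_fit else None


# Constructed sample: unique probe names, authoritative TTL, TTL seen by the client.
SAMPLE = [
    Resolution("p1.example.test", 120, 120),
    Resolution("p2.example.test", 86400, 3600),
    Resolution("p3.example.test", 50000, 3600),
    Resolution("p4.example.test", 7200, 3600),
    Resolution("p5.example.test", 600, 598),    # cache count-down, not a rewrite
    Resolution("p6.example.test", 20000, 3600),
    Resolution("p7.example.test", 30, 30),
    Resolution("p8.example.test", 3000, 3000),
    Resolution("p9.example.test", 80000, 3600),
    Resolution("p10.example.test", 3600, 3600),
]

if __name__ == "__main__":
    print(summarize(SAMPLE), "clamp:", infer_clamp(SAMPLE))
```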

Citations

... In a large-scale survey by Chung et al. in 2017 [28], 88% of all DNSSEC-enabled recursive DNS resolvers returned supposedly DNSSEC-verified responses, without actually verifying the certificate chain. If the certificate chain from the DNS root certificate is not verified before an entry is cached, then DNSSEC does not provide any security and is vulnerable to the same attacks as regular DNS, while Fig. 3. DNS is a prime example of the benefits of PILA as it is (1) unauthenticated, (2) interception and redirection of requests are widespread [29], and (3) DNS servers are mostly identified by their local end-host, i.e., IP, addresses. It is important to note that DNS PILA operates between the client and resolver, unlike DNSSEC, where authoritative nameservers publish DNSSEC entries which are distributed by resolvers. ...
Article
In a world with increasing simplicity to store, transfer, and analyze large volumes of data, preserving data confidentiality and integrity of Internet traffic by default becomes more and more important. Unfortunately, a large gap exists between low-security opportunistic encryption and trust-on-first-use (TOFU) protocols, and high-security communication, such as TLS using server certificates or DNSSEC. Our goal is to reduce this gap and provide a base layer for authentication and secrecy that is strictly better than TOFU security. We achieve this by integrating the authentication method PILA into the future Internet architecture SCION. This combines PILA’s address-based authentication, which leverages irrefutable cryptographic proof of misbehavior, and the flexibility of SCION’s control-plane PKI and its per-AS independent addressing scheme. In this work, two concrete issues of PILA are addressed: (1) the reliance on the hierarchical RPKI which introduces a single global trust root, i.e., a single point of failure regarding the security of PILA, and (2) the necessity of an out-of-band communication to prevent downgrade attacks, which can incur a latency overhead and might be used as a resource exhaustion attack vector. We describe how PILA in combination with SCION mitigates these issues and analyze the security of the system. Finally, we discuss several interesting use cases including the SSH, TLS, and DNS protocols.
... However, many methods cause DNS facilities to respond to incorrect results. For example, as studied in this paper, DNS filtering, also known as DNS redirection or poisoning, causes the DNS resolvers to return incorrect domain records (e.g., IP addresses) to the clients [1][2][3][4][5]. This method may be used for malicious purposes such as phishing, for security and business purposes by a company [6,7] (providing parental control or antivirus filtering services), for advertising purposes of Internet service providers (ISPs), or for the governments to block access to specific domains [8][9][10]. ...
... [Figure labels: Scenario Two; Resolver-Resolver; Root Server; TLD Server; Authoritative Name Server; DNS Filtering Devices] Generally, DNS filtering is an on-path DNS hijacking method that can passively observe every DNS query request "passing through" its devices [4]. At the same time, it can directly return forged response packets to the DNS resolvers or clients [18]. ...
Article
DNS filtering is the practice of blocking access to certain sites for a specific purpose, often content-based filtering. Unlike previous studies that focused on the behavior of national-level DNS filtering itself (e.g., location of filtering devices), we demonstrate and evaluate in depth the impact of DNS filtering on different types (public, ISP, and open) of DNS resolvers in the censored networks. In particular, we actively send DNS queries for 83 well-selected domain names to three types of DNS resolvers and keep track of the resolvers’ responses changing over time and space in China. Here, we present the results of our system running for 40 days, during which we obtained a total of 1.7 billion DNS records. Using these collected data, we found that specific DNS resolvers are unaffected by DNS filtering devices and can respond with the correct IP addresses for particular blocked domains. Furthermore, we revealed that three factors should be considered to evaluate the impact of a country-level DNS filtering mechanism: DNS resolver, client location, and blocked domain. Finally, we propose and implement a system to identify the correct IP addresses of blocked domain names in censored networks based on the characteristics of country-level DNS filtering.
... Many previous works only consider DNS servers and the network they are located in, e.g., topological distribution of authoritative nameservers. It is insufficient since DNS manipulation is generally enacted using Man-In-The-Middle methods [2]. ...
... The second approach issues DNS queries from vantage points against DNS servers for performance measurement or anomaly identification. Platforms like RIPE Atlas [9], [10], [21], [80], [81], proxy networks [2], [82] and ad networks [83] were leveraged as crowd-sourced vantage points. In addition, researchers use open resolvers, which can be identified through scanning IPv4 address space [3], [39], [84], to forward DNS requests and conduct active measurement [26], [80], [85]. ...
Article
DNS (Domain Name System) is one fundamental Internet infrastructure related to most network activities. As a feasible tool to govern the Internet, DNS’s stability and interoperability will be impacted by the countries’ policies or actions along the path. Especially now that many countries have stricter control over the Internet and even sometimes "unplug" it. But there was no study to quantify the countries’ impact systematically. To fill this research gap, we present DNSWeight. This new data-driven approach utilizes a large-scale DNS dataset and BGP (Border Gateway Protocol) routing information to calculate the country-importance score so that a country’s impact on DNS can be gauged. By applying DNSWeight on large-scale DNS and BGP datasets jointly, our study shows the importance among different countries is divided. A handful of countries show dominant significance to the current DNS ecosystem. Some countries with a history of Internet shutdowns are too influential to be ignored if they choose to break themselves from the Internet. We also examine the impact of IPv6 (IP Version 6) and reveal the "loop" phenomenon that occurs in some DNS queries. In conjunction with our findings, some discussion and suggestions are given. In summary, our study shows that DNS reliability needs to be reconsidered at the country’s level.
... Ideally, our detection method does not introduce any false negatives or false positives since our control server provides a ground truth of resolution responses. However, ISPs may deploy DNS cache proxies as a part of network infrastructures to serve their users so that popular DNS records can be reused, improving the performance of DNS resolution [34]. These cache proxies may intercept the connections between our vantage points and control server, perform their own DNS resolution on the behalf of our vantage points, and finally return valid DNS responses to the requested domains. ...
... DNS security has been an attractive topic for both industry and academia, especially on integrity of DNS records [45], [27], [28], and vulnerabilities of DNS infrastructure to volumetric attacks [33], [44], [24]. ...
... Integrity problems can also arise during DNS lookups from legitimate users. Unsecured DNS communication can be easily hijacked and manipulated by third parties [27]. To address this problem, secured extensions such as DNSSEC [4] and DNS-over-HTTPS [22] have been proposed. ...
Article
Domain Name System (DNS) is a critical service for enterprise operations, and is often made openly accessible across firewalls. Malicious actors use this fact to attack organizational DNS servers, or use them as reflectors to attack other victims. Further, attackers can operate with little resources, can hide behind open recursive resolvers, and can amplify their attack volume manifold. The rising frequency and effectiveness of DNS-based DDoS attacks make this a growing concern for organizations. Solutions available today, such as firewalls and intrusion detection systems, use combinations of black-lists of malicious sources and thresholds on DNS traffic volumes to detect and defend against volumetric attacks, which are not robust to attack sources that morph their identity or adapt their rates to evade detection. We propose a method for detecting distributed DNS attacks that uses a hierarchical graph structure to track DNS traffic at three levels of host, subnet, and autonomous system (AS), combined with machine learning that identifies anomalous behaviors at various levels of the hierarchy. Our method can detect distributed attacks even with low rates and stealthy patterns. Our contributions are three-fold: (1) We analyze real DNS traffic over a week (nearly 400M packets) from the edges of two large enterprise networks to highlight various types of incoming DNS queries and the behavior of malicious entities generating query scans and floods; (2) We develop a hierarchical graph structure to monitor DNS activity, identify key attributes, and train/tune/evaluate anomaly detection models for various levels of the hierarchy, yielding more than 99% accuracy at each level; and (3) We apply our scheme to a month’s worth of DNS data from the two enterprises and compare the results against blacklists and firewall logs to demonstrate its ability in detecting distributed attacks that might be missed by legacy methods while maintaining a decent real-time performance.
... Unfortunately, the DNS system suffers from known vulnerabilities, such as DDoS [27], spoofing [24] and other exploits [8,30,36]. To defend against these attacks, approaches such as [10,18,24] ...
Qi Li is the corresponding author.
Chapter
DNS is a key protocol of the Internet infrastructure, which ensures network connectivity. However, DNS suffers from various threats. In particular, DNS covert communication is one serious threat in enterprise networks, by which attackers establish stealthy communications between internal hosts and remote servers. In this paper, we propose D²C² (Detection of DNS Covert Communication), a practical and flexible machine learning-based framework to detect DNS covert communications. D²C² is an end-to-end framework that contains modular detection models, including supervised and unsupervised ones, which detect multiple types of threats efficiently and flexibly. We have deployed D²C² in a large commercial bank with 100 million DNS queries per day. During the deployment, D²C² detected over 4k anomalous DNS communications per day, achieving high precision of over 0.97 on average. It uncovers a significant number of unnoticed security issues, including seven compromised hosts in the enterprise network.
... The DNS TTL modification can be conducted by using transparent DNS proxies even if we do not control the local DNS server (Vavrusa and Grant, 2018; Kührer et al., 2015; Liu et al., 2018). These proxies are being used by several ISPs to intercept all the user's DNS lookup requests and to transparently proxy and cache the results. ...
... However, we have not been able to find any study that reported and effectively demonstrated the existence of ISPs that manipulate DNS responses to increase the collection of information about their clients. Another study (Liu et al., 2018) suggests a method for identifying DNS resolvers that are intercepting DNS queries that are made by Internet clients, but it does not provide information about DNS manipulations that are conducted by legitimate DNS resolvers. Reference (Pearce et al., 2017) describes a method for measuring DNS manipulation at a global scale, but it does not provide a method that could be used by regular Internet users to check whether their ISP is manipulating the DNS service or not. ...
Article
The domain name system (DNS) is an Internet network service that is used by hosts to resolve IP addresses from symbolic names. This basic service has been attacked and abused many times, as it is one of the oldest and most vulnerable services on the Internet. Some DNS resolvers conduct DNS manipulation, in which authoritative DNS responses are modified. This DNS manipulation is sometimes used for legitimate reasons (e.g., parental control) and other times is used to support malicious activities, such as DNS poisoning or data collection. Between these DNS manipulation activities, some Internet service providers (ISPs) are changing the DNS cache timeout of the DNS responses with which their DNS resolvers responded to obtain additional data about their subscribers. These data can be a detailed web browsing profile of the user. This approach does not require a large investment and can yield huge benefits if the information is used or sold. Therefore, user privacy is disputed. We conducted a study in which we analyse how ISPs use this DNS manipulation, propose a method for identifying this DNS manipulation by the end-user and determine the amount of information an ISP can collect by using it. We also developed a public web tool, for which the source code is available, that can help Internet users determine whether their privacy is being compromised by their ISP via the exploitation of DNS cache timeouts. This service can facilitate the collection of data on how many people are victims of this abuse and which ISPs around the world are utilizing this technique.
... Our work complements this prior work by motivating deployment of defences. Liu et al. looks at DNS spoofing when users use public DNS servers [18]. This work points out that interception happens about 10 times more than injection in TLD DNS queries. ...
Preprint
DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins. In this paper, we describe methods to identify DNS spoofing, infer the mechanism being used, and identify organizations that spoof from historical data. Our methods detect overt spoofing and some covertly-delayed answers, although a very diligent adversarial spoofer can hide. We use these methods to study more than six years of data about root DNS servers from thousands of vantage points. We show that spoofing today is rare, occurring only in about 1.7% of observations. However, the rate of DNS spoofing has more than doubled in less than seven years, and it occurs globally. Finally, we use data from B-Root DNS to validate our methods for spoof detection, showing a true positive rate over 0.96. B-Root confirms that spoofing occurs with both DNS injection and proxies, but proxies account for nearly all spoofing we see.
... With the development of the Internet, the original DNS infrastructure [3] exposes several security risks. DNSSEC [33] is designed to protect the DNS data integrity, i.e., defending from DNS forgery [34]; DNSIntercept [35] describes the threat from attackers to intercept the DNS resolution path. T²DNS is compatible with these solutions in practical deployment. ...
... As an example, released secret documents show that NSA has been covertly monitoring and hijacking DNS traffic, under the MoreCow-Bell [44] and QuantumDNS [12] projects. A recent study also shows that network middleboxes are actively intercepting DNS packets and rerouting them to alternative resolvers [60]. ...
... For traditional DNS, studies have shown that public DNS services can be broken for some DNS clients, such as inability to connect [60,74]. Meanwhile, for common users, there have been concerns on the performance overhead of encrypting DNS transactions [62,68]. ...
... In practice, we first leverage ProxyRack [5], a residential TCP SOCKS proxy network. This network has been examined as a representative platform by previous studies [60,64], with more than 600,000 endpoints in over 150 countries. While gaining a global view, we are also interested in DNS-over-Encryption usability in censored networks, where DNS traffic is oftentimes manipulated [27,66]. ...
Conference Paper
DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.