Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet

Read original: arXiv:2405.19851 - Published 5/31/2024 by Yevheniya Nosyk, Maciej Korczyński, Andrzej Duda

Overview

  • This paper presents a remote method for identifying DNSSEC validators across the internet.
  • DNSSEC is a security protocol that helps protect the Domain Name System (DNS) from certain types of attacks, such as cache poisoning.
  • The authors develop a technique to detect which DNS servers are validating DNSSEC responses, which can provide insights into the global adoption and deployment of this security mechanism.

Plain English Explanation

The Domain Name System (DNS) is a critical piece of internet infrastructure that translates human-readable website names (like "example.com") into the numerical addresses that computers use to communicate. However, the original DNS protocol had security flaws that could allow attackers to hijack and redirect internet traffic, a technique known as "cache poisoning."

To address these vulnerabilities, a security extension called DNSSEC was developed. DNSSEC adds digital signatures to DNS responses, allowing receiving servers to verify the authenticity of the information. By validating these signatures, DNSSEC can prevent cache poisoning attacks and help maintain the integrity of the DNS.

The researchers in this paper created a way to remotely detect which DNS servers are actually validating DNSSEC responses. This provides valuable insights into the global adoption and deployment of this important security technology. By understanding where DNSSEC is being used, the researchers can help identify areas that may be more vulnerable to DNS-based attacks and inform efforts to improve internet security.

Technical Explanation

The key innovation in this paper is a remote method for identifying DNSSEC validators across the internet. The authors developed a technique that involves sending specially crafted DNS queries and analyzing the responses to determine if a given DNS server is validating DNSSEC signatures.

Specifically, the researchers constructed queries for domains with DNSSEC-signed records and then monitored the responses. DNS servers that are DNSSEC validators will include the digital signature in the response, whereas non-validating servers will not. By sending these queries from various vantage points around the internet and observing the responses, the researchers were able to build a global map of DNSSEC deployment.

The authors validated their approach through a series of experiments, including comparing their findings to other DNSSEC measurement efforts. They also explored factors that can influence DNSSEC validation, such as network location and server configuration.

Critical Analysis

The researchers acknowledge several limitations in their work. First, their method relies on a relatively small number of vantage points, which may not provide a comprehensive view of DNSSEC deployment. Additionally, some DNS servers may employ caching or other techniques that could skew the results.

The paper also does not delve deeply into the reasons why certain networks or regions may have lower DNSSEC adoption. Further research would be needed to understand the underlying drivers and barriers to wider DNSSEC implementation.

That said, this work represents an important step forward in monitoring the global state of DNSSEC. By providing a remote and scalable way to identify validating servers, the authors have created a valuable tool for internet security researchers and policymakers. Their findings can help guide efforts to strengthen the resilience of the Domain Name System against various attacks.

Conclusion

This paper introduces a novel technique for remotely detecting DNSSEC validators across the internet. By sending crafted DNS queries and analyzing the responses, the researchers were able to map the global deployment of this critical security technology.

The insights gained from this work can help inform efforts to improve the overall security and integrity of the Domain Name System. As internet-based services and applications continue to grow in importance, ensuring the reliability of DNS infrastructure will be essential for maintaining a stable and trustworthy online environment.




Abstract

Yevheniya Nosyk, Maciej Korczyński, Andrzej Duda

DNS Security Extensions (DNSSEC) provide the most effective way to fight DNS cache poisoning attacks. Yet, very few DNS resolvers perform DNSSEC validation. Identifying such systems is non-trivial and the existing methods are not suitable for Internet-scale measurements. In this paper, we propose a novel remote technique for identifying DNSSEC-validating resolvers. The proposed method consists of two steps. In the first step, we identify open resolvers by scanning 3.1 billion end hosts and request every non-forwarder to resolve one correct and seven deliberately misconfigured domains. We then build a classifier that discriminates validators from non-validators based on query patterns and DNS response codes. We find that while most open resolvers are DNSSEC-enabled, less than 18% in IPv4 (38% in IPv6) validate received responses. In the second step, we remotely identify closed non-forwarders in networks that do not have inbound Source Address Validation (SAV) in place. Using the classifier built in step one, we identify 37.4% IPv4 (42.9% IPv6) closed DNSSEC validators and cross-validate the results using RIPE Atlas probes. Finally, we show that the discovered (non)-validators actively send requests to DNS root servers, suggesting that we deal with operational recursive resolvers rather than misconfigured machines.
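
The abstract above and the Technical Explanation section both describe the core of the method: ask a resolver for one correctly signed test domain and several deliberately misconfigured ones, then classify it from the response codes it returns. The block below is an added illustration of that classification step, not code from the paper or its authors. The test-domain names, the seven misconfiguration labels and the simulated resolver behaviours are constructed stand-ins; the only protocol facts it relies on are the DNS header layout (RCODE in the low four bits of the flags word, AD bit at 0x0020) and the expectation that a validating resolver answers SERVFAIL for a zone whose signatures do not verify.

```python
"""Classify a recursive resolver as DNSSEC-validating or not from its answers
to one correctly signed and seven deliberately broken test domains.

Added illustration (not the paper's code). Domain names and breakage labels
below are constructed; a real measurement needs test zones you operate and
break yourself, never third-party domains.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3  # RFC 1035 response codes

# Constructed test set (hypothetical names under the reserved .invalid TLD).
GOOD_DOMAIN = "valid.dnssec-test.invalid"
BROKEN_DOMAINS = [f"{kind}.dnssec-test.invalid" for kind in (
    "bad-rrsig", "expired-rrsig", "missing-rrsig", "bad-ds",
    "missing-dnskey", "bad-nsec", "bogus-chain")]


def parse_header(packet: bytes) -> tuple[int, int, bool]:
    """Return (message id, RCODE, AD flag) from a 12-byte DNS header.

    Flags word layout (RFC 1035 / RFC 4035): QR Opcode AA TC RD RA Z AD CD RCODE.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags = struct.unpack("!HH", packet[:4])
    return msg_id, flags & 0x000F, bool(flags & 0x0020)


def build_response(msg_id: int, rcode: int, ad: bool = False) -> bytes:
    """Build a minimal response header (QR=1, RD=1, RA=1) for the demo."""
    flags = 0x8180 | (0x0020 if ad else 0) | (rcode & 0x000F)
    # qdcount=1, ancount=nscount=arcount=0: header only, no records.
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)


@dataclass
class Observation:
    domain: str
    rcode: int
    ad: bool          # Authenticated Data flag from the header
    has_rrsig: bool   # whether RRSIG records were present in the answer section


def classify(obs: dict[str, Observation]) -> str:
    """Label a resolver from its eight observations.

    validator: resolves the good zone, SERVFAILs every broken zone.
    dnssec-enabled-non-validator: returns RRSIGs but accepts broken zones.
    dnssec-unaware: no RRSIGs at all, accepts everything.
    unusable: cannot even resolve the correctly signed zone, so the broken
              zones tell us nothing about validation.
    inconsistent: SERVFAILs only some broken zones (mixed behaviour).
    """
    good = obs[GOOD_DOMAIN]
    if good.rcode != NOERROR:
        return "unusable"
    broken = [obs[d] for d in BROKEN_DOMAINS]
    servfails = sum(o.rcode == SERVFAIL for o in broken)
    if servfails == len(broken):
        return "validator"
    if servfails == 0:
        return "dnssec-enabled-non-validator" if good.has_rrsig else "dnssec-unaware"
    return "inconsistent"


def simulate(kind: str) -> dict[str, Observation]:
    """Constructed resolver behaviours, expressed as wire-format headers.

    has_rrsig is set directly here; a real probe derives it by parsing the
    answer section of each response.
    """
    obs: dict[str, Observation] = {}
    for i, domain in enumerate([GOOD_DOMAIN] + BROKEN_DOMAINS):
        broken = domain != GOOD_DOMAIN
        if kind == "validator":
            pkt = build_response(i, SERVFAIL if broken else NOERROR, ad=not broken)
            rrsig = not broken
        elif kind == "enabled":          # signs returned, nothing checked
            pkt, rrsig = build_response(i, NOERROR), True
        elif kind == "unaware":          # no DNSSEC support at all
            pkt, rrsig = build_response(i, NOERROR), False
        elif kind == "inconsistent":     # rejects only the first three broken zones
            fail = broken and i <= 3
            pkt, rrsig = build_response(i, SERVFAIL if fail else NOERROR), True
        else:                            # resolver is broken for everything
            pkt, rrsig = build_response(i, SERVFAIL), False
        _, rcode, ad = parse_header(pkt)
        obs[domain] = Observation(domain, rcode, ad, rrsig)
    return obs


if __name__ == "__main__":
    for kind in ("validator", "enabled", "unaware", "inconsistent", "dead"):
        print(f"{kind:13s} -> {classify(simulate(kind))}")
```

The "unusable" branch is the caveat that matters in practice: a resolver that SERVFAILs the correctly signed domain cannot be scored, because its failures on the broken zones may have nothing to do with validation. The AD bit is recorded as corroborating evidence only, since it is set only when the validator was asked for it and never by a non-validating resolver.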

