The widespread usage of computers and communication networks affects people's social activities effectively in terms of intercommunication and the communication generally begins with domain name ...resolutions which are mainly provided by DNS (Domain Name System). Meanwhile, continuous cyber threats to DNS such as cache poisoning also affects computer networks critically. DNSSEC (DNS Security Extensions) is designed to provide secure name resolution between authoritative zone servers and DNS full resolvers. However high workload of DNSSEC validation on DNS full resolvers and complex key management on authoritative zone servers hinder its wide deployment. Moreover, querying clients use the name resolution results validated on DNS full resolvers, therefore they only get errors when DNSSEC validation fails or times out. In addition, name resolution failure can occur on querying clients due to technical and operational issues of DNSSEC. In this paper, we propose a client based DNSSEC validation system with adaptive alert mechanism considering minimal querying client timeout. The proposed system notifies the user of alert messages with answers even when the DNSSEC validation on the client fails or timeout so that the user can determine how to handle the received answers. We also implemented a prototype system and evaluated the features on a local experimental network as well as in the Internet. The contribution of this article is that the proposed system not only can mitigate the workload of DNS full resolvers but also can cover querying clients with secure name resolution, and by solving the existing operation issues in DNSSEC, it also can promote DNSSEC deployment.
Behind the Scenes of RPKI Hlavacek, Tomas; Jeitner, Philipp; Mirdita, Donika ...
Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security,
11/2022
Conference Proceeding
Odprti dostop
Best practices for making RPKI resilient to failures and attacks recommend using multiple URLs and certificates for publication points as well as multiple relying parties. We find that these ...recommendations are already supported by 63% of the ASes with RPKI.
In this work we explore the dependency of the RPKI deployments on their DNS components. We find that the resilience of RPKI can be subverted through DNS. We identify two key factors.
First, we find that 42.8% of the ASes with multiple relying parties use a single resolver for looking up the RPKI publication points and the DNS resolvers of 82.9% of the relying parties are all located on a single AS. Both introduce a single point of failure. Second, we also find problems with DNSSEC deployments: more than 24% of the resolvers in RPKI experience failures with signed DNS responses and as a result cannot locate the RPKI publication points and cannot validate RPKI, and 60% of the resolvers that support DNSSEC do not validate records signed with new algorithms, accepting responses also with invalid signatures.
We experimentally find that adversaries can disable RPKI in 56.7% of the ASes that have vulnerable DNS components. Our simulations show that disabling RPKI exposes ASes to prefix hijack attacks. Our work demonstrates, that resilience of systems, like RPKI, cannot be achieved in isolation due to complex inter-dependencies with other systems.
Reputația numelor de domenii de Internet se referă la evaluarea credibilității, securității și fiabilității unui domeniu pe baza comportamentului și a caracteristicilor istorice ale acestuia. Aceasta ...implică analizarea factorilor care influențează calitatea percepută, securitatea și riscurile asociate pentru a determina reputația unui domeniu. Domeniile de nivel superior (TLD) reprezintă cel mai înalt nivel din ierarhia sistemului de nume de domenii. Reputația domeniului influențează clasamentele motoarelor de căutare, experiența utilizatorului și securitatea online. Registrele de domenii TLD, organizațiile și persoanele fizice au nevoie de sisteme de monitorizare automată a reputației domeniilor deținute din motive de securitate, în special atunci când utilizează date cu caracter personal, pentru a proteja utilizatorii și a menține o prezență online pozitivă. Principalele obiective ale acestui studiu includ identificarea parametrilor Sistemului de Nume de Domenii (DNS) relevanți pentru stabilirea reputației și analiza impactului stărilor unui domeniu asupra reputației, utilizând setul de date deținut de Registrul de domenii .ro.
Security protocols are very important in every communication over the Internet. They aim to deliver safe services by ensuring authentication, confidentiality and integrity of the data transiting in ...the network. So, each new proposed security protocol should be tested and formally verified to be sure of security features since deploying new protocols without analyzing their security properties could causes bad impact on sensitive data. In this paper, we present a formal model for the verification of the E-DNSSEC protocol which is proposed to add confidentiality property to the DNSSEC protocol. For that purpose, the article provides first a brief description of DNSSEC and E-DNSSEC protocols. After that, we present the resolution process of both DNSSEC and E-DNSSEC protocols. Then, we give a formal specification of these protocols in the applied ‘pi-calculus’. Relying on this modeling, the confidentiality property of E-DNSSEC is verified by ProVerif.
As a backbone of all communications over the Internet, DNS (Domain Name
System) is crucial for all entities that need to be visible and provide
services outside their internal networks. Public ...administration is a prime
example for various services that have to be provided to citizens. This
manuscript presents one possible approach, implemented in the administration
of the City of Nis, for improving the robustness and resilience of external
domain space, as well as securing it with DNSSEC (DNS Security Extensions).
nema
Poster Heftrig, Elias; Shulman, Haya; Waidner, Michael
Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security,
11/2022
Conference Proceeding
Cryptographic algorithm agility is an important property for DNSSEC: it allows easy deployment of new algorithms if the existing ones are no longer secure. In this work we show that the cryptographic ...agility in DNSSEC, although critical for provisioning DNS with strong cryptography, also introduces a vulnerability. We find that under certain conditions, when new algorithms are listed in signed DNS responses, the resolvers do not validate DNSSEC. As a result, domains that deploy new ciphers may in fact cause the resolvers not to validate DNSSEC. We exploit this to develop DNSSEC-downgrade attacks and experimentally and ethically evaluate them against popular DNS resolver implementations, public DNS providers, and DNS services used by web clients worldwide. We find that major DNS providers as well as 45% of DNS resolvers used by web clients are vulnerable to our attacks.
IoT devices provide with real-time data to a rich ecosystems of services and applications that will be of uttermost importance for ubiquitous computing. The volume of data and the involved ...subscribe/notify signaling will likely become a challenge also for access and core netkworks. Designers may opt for microservice architectures and fog computing to address this challenge while offering the required flexibility for the main players of ubiquitous computing: nomadic users. Microservices require strong security support for Fog computing, to rely on nodes in the boundary of the network for secure data collection and processing. IoT low cost devices face outdated certificates and security support, due to the elapsed time from manufacture to deployment. In this paper we propose a solution based on microservice architectures and DNSSEC, DANE and chameleon signatures to overcome these difficulties. We will show how trap doors included in the certificates allow a secure and flexible delegation for off-loading data collection and processing to the fog. The main result is showing this requires minimal manufacture device configuration, thanks to DNSSEC support.
The Domain Name System (DNS) plays a crucial role in connecting services and users on the Internet. Since its first specification, DNS has been extended in numerous documents to keep it fit for ...today’s challenges and demands. And these challenges are many. Revelations of snooping on DNS traffic led to changes to guarantee confidentiality of DNS queries. Attacks to forge DNS traffic led to changes to shore up the integrity of the DNS. Finally, denial-of-service attack on DNS operations have led to new DNS operations architectures. All of these developments make DNS a highly interesting, but also highly challenging research topic. This tutorial – aimed at graduate students and early-career researchers – provides a overview of the modern DNS, its ongoing development and its open challenges. This tutorial has four major contributions. We first provide a comprehensive overview of the DNS protocol. Then, we explain how DNS is deployed in practice. This lays the foundation for the third contribution: a review of the biggest challenges the modern DNS faces today and how they can be addressed. These challenges are (i) protecting the confidentiality and (ii) guaranteeing the integrity of the information provided in the DNS, (iii) ensuring the availability of the DNS infrastructure, and (iv) detecting and preventing attacks that make use of the DNS. Last, we discuss which challenges remain open, pointing the reader towards new research areas.
It is without doubt that the Domain Name System (DNS) is one of the most decisive elements of the Internet infrastructure; even a slight disruption to the normal operation of a DNS server could cause ...serious impairment to network services and thus hinder access to network resources. Hence, it is straightforward that DNS nameservers are constantly under the threat of Denial of Service (DoS) attacks. This paper presents a new, stealthy from the attacker's viewpoint, flavor of DNSSEC-powered amplification attack that takes advantage of the vast number of DNS forwarders out there. Specifically, for augmenting the amplification factor, the attacker utilizes only those forwarders that support DNSSEC-related resource records and advertize a large DNS size packet. The main benefits of the presented attack scenario as compared to that of the typical amplification attack are: (a) The revocation of the need of the aggressor to control a botnet, and (b) the elimination of virtually all traces that may be used toward disclosing the attacker's actions, true identity and geographical location. The conducted experiments taking into consideration three countries, namely Greece, Ireland and Portugal demonstrate that with a proper but simple planning and a reasonable amount of resources, a determined perpetrator is able to create a large torrent of bulky DNS packets towards its target. In the context of the present study this is translated to a maximum amplification factor of 44.
Display omitted
•We introduce a new breed of DNS amplification attack.•The attack relies on DNS forwarders and takes advantage of large DNSSEC RRs.•The attacker enjoys anonymity.•We assess the strength of the attack and witnessed a maximum amplification factor of 44.•We examine the existence of open forwarders in the IP address space of 3 EU countries.
When the global rollout of the DNS Security Extensions (DNSSEC) began in 2005, a first-of-its-kind trial started: The complexity of a core Internet protocol was magnified in favor of better security ...for the overall Internet. Thereby, the scale of the loosely-federated delegation in DNS became an unprecedented cryptographic key management challenge. Though fundamental for current and future operational success, our community lacks a clear notion of how to empirically evaluate the process of securely transitioning keys. In this paper, we propose two building blocks to formally characterize and assess key transitions. First, the anatomy of key transitions, i.e., measurable and well-defined properties of key changes; and second, a novel classification model based on this anatomy for describing key transition practices in abstract terms. This abstraction allows for classifying operational behavior. We apply our proposed transition anatomy and transition classes to describe the global DNSSEC deployment. Specifically, we use measurements from the first 15 years of the DNSSEC rollout to detect and understand which key transitions have been used to what degree and which rates of errors and warnings occurred. In contrast to prior work, we consider all possible transitions and not only 1:1 key rollovers. Our results show measurable gaps between prescribed key management processes and key transitions in the wild. We also find evidence that such noncompliant transitions are needed in operations.
PDF
