Domain Name System Resolution Research Articles

The Closed Resolver Project: Measuring the Deployment of Inbound Source Address Validation

Ingress filtering, commonly referred to as Source Address Validation (SAV), is a practice aimed at discarding packets with spoofed source IP addresses at the network periphery. <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Outbound</i> SAV, i.e., dropping traffic with spoofed source IP addresses as it leaves its source network, has received widespread attention in operational and research communities. It is one of the most effective ways to prevent Reflection-based Distributed Denial-of-Service (DDoS) attacks. Contrariwise, <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">inbound</i> SAV, i.e., dropping incoming spoofed traffic at the destination network edge, has received less attention, even though it provides protection for the deploying network. In this paper, we present the results of the Closed Resolver Project, our initiative aimed at finding networks without inbound SAV and raising awareness of the issue. We perform the first Internet-wide active measurement study to enumerate networks that enforce (or not) inbound SAV. We reach open and closed Domain Name System (DNS) resolvers in tested networks and determine whether they resolve requests with spoofed source IP addresses. Our method provides unprecedented insight into <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">inbound</i> SAV deployment by network operators, revealing 49% IPv4 and 26% IPv6 Autonomous Systems (AS) that suffer from a consistent or partial absence of inbound filtering. By identifying dual-stack DNS resolvers and ASes, we further show that inbound filtering is generally deployed consistently across IPv4 and IPv6. Finally, the lack of inbound SAV exposes 2.5M IPv4 and 100K IPv6 purportedly closed DNS resolvers to many types of external attacks, including NXNSAttack, zone poisoning, or zero-day vulnerabilities in DNS software.

A Multi-Path Approach to Protect DNS Against DDoS Attacks

Domain Name System (DNS) is considered a vital service for the internet and networks operations, and practically this service is configured and accessible across networks’ firewall. Therefore, attackers take advantage of this open configuration to attack a network’s DNS server in order to use it as a reflector to achieve Denial of Service (DoS) attacks. Most of protection methods such as intrusion prevention and detection systems use blended tactics such as blocked-lists for suspicious sources, and thresholds for traffic volumes to detect and defend against DoS flooding attacks. However, these protection methods are not often successful. In this paper, we propose a new method to sense and protect DNS systems from DoS and Distributed DoS (DDoS) attacks. The main idea in our approach is to distribute the DNS request mapping into more than one DNS resolver such that an attack on one server should not affect the entire DNS services. Our approach uses the Multi-Protocol Label Switching (MPLS) along with multi-path routing to achieve this goal. Also, we use threshold secret sharing to code the distributed DNS requests. Our findings and results show that this approach performs better when compared with the traditional DNS structure.

DNS4EU: a step change in the EU’s strategic autonomy?

ABSTRACT The Domain Name System (DNS) is vital to the internet, enabling everyday uses such as browsing, emailing and chatting. One function in particular – the DNS resolution, performed by resolver operators – allows us to reach what we are looking for online. The market of recursive resolution is highly dynamic and is currently shifting towards open or public resolvers, which tend to belong to large tech companies. In 2022, the European Commission launched the DNS4EU initiative, which established a European resolver as part of the new EU cybersecurity strategy, in order to respond to the resilience, security and privacy needs of the union. This article provides a comprehensive analysis of the DNS4EU project, which provided seed funding to a European competitor in a market increasingly dominated by non-EU players. As a critical infrastructure service, the DNS4EU represents one of the first concrete steps towards enhancing the strategic autonomy of the union. But it also constitutes an unprecedented public intervention in a largely private market relying on voluntary adoption. This article contextualises the DNS4EU initiative, outlining both advantages and limitations of the European strategy and related tender process and implementation plan, concluding with a discussion on the future of DNS resolution.

DNS Poisoning of Operating System Caches: Attacks and Mitigations

The Domain Name System (DNS) is a protocol supporting name resolution from Fully Qualified Domain Names (FQDNs) to the IP address of the machines corresponding to them. This resolution process is critical to the operation of the Internet, but is susceptible to a range of attacks. One of the most dangerous attack vectors is DNS poisoning where an attacker injects malicious entries into the DNS resolution forcing clients to be redirected from legitimate to malicious servers. Typically, poisoning attacks target a DNS resolver allowing attackers to poison a DNS entry for all machines that use the compromised resolver. However, recent defenses protect resolvers substantially limiting these attacks. In this paper, we present a new class of DNS poisoning attacks targeting the client-side DNS cache, which is used in mainstream operating systems, circumventing defenses protecting resolvers. We implemented the attack on Windows, Mac OS, and Ubuntu Linux machines. We also generalize the attack to work even when the client is behind a Network Address Translation (NAT) router. Our results show that we can reliably inject malicious DNS mappings, with on average, an order of tens of seconds. We also propose client-side mitigations and demonstrate that they can effectively mitigate the vulnerability.

DoH Tunneling Detection System for Enterprise Network Using Deep Learning Technique

In spite of protection mechanisms for Domain Name System (DNS), such as IP blacklist and DNS Firewall, DNS still has privacy issues in reality, since DNS is a plain-text protocol. Recently, to resolve this problem, an encrypted DNS, called DNS-over-HTTPS (DoH), has been developed, and is becoming more widespread. As the secured version of DNS, DoH guarantees privacy and security to prevent various attacks such as eavesdropping and manipulating DNS data by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. DoH is one of the best security options for an enterprise network where more sensitive data protection is required. However, DoH may cause an unintended security breach, i.e., information leakage via malicious DoH tunneling. Since the DoH traffic is encrypted and indistinguishable from other HTTPS traffic, data hidden inside DoH packets can be easily leaked out of an enterprise network. Although some countermeasures to detect DoH tunneling attacks have been proposed, they still have limitations. Previous research used Supervised Machine Learning methods to detect DoH tunneling, which required a high volume of labeled data. In practice, collecting and labeling all of the data is an impossible task, especially in DoH, when all of the data are encrypted. Furthermore, Supervised Machine Learning methods rely heavily on human-engineered feature extraction, which makes classifying encrypted DoH traffic difficult. Furthermore, no previous research has mentioned a complete functional DoH detection applied to network infrastructure. Therefore, we propose a detection system for DoH tunneling attacks based on Transformer to detect a malicious DoH tunneling and build a fully functional DoH detection system that can be integrated with the security operation system of an enterprise network. The experiment results show a significant improvement compared with previous works.

Never Query Alone: A distributed strategy to protect Internet users from DNS fingerprinting attacks

The Domain Name System (DNS) plays an essential role in everyday Internet activities. However, unauthorized access to DNS-generated traffic also poses some serious privacy concerns. For instance, DNS traffic traces can be processed by third parties to identify an Internet user by means of behavioral analysis (i.e., a technique that employs machine learning classifiers to link multiple pieces of traffic belonging to the same person). In general, the more sessions an attacker can link, the more he or she will learn about the interests of an individual, and the more likely that the identity of this user will be revealed. The development of such methods of user identification has been the focus of several pieces of research, and currently, there are several strategies to obtain behavioral fingerprints from DNS traces. However, only a few works have proposed countermeasures to protect users against this privacy threat on the Internet. Furthermore, new technologies such as DNS-over-TLS, DNS-over-HTTPS, or DNS over QUIC can potentially render available countermeasures ineffective. This paper proposes Never Query Alone (NQA), a strategy that allows a set of nodes to modify their DNS query patterns to mitigate the risk of being tracked by DNS resolvers. In NQA, users forward their DNS queries through their neighbors in such a way that the identification accuracy achieved by the attackers is proportionally reduced as the number of participant nodes is increased. A second strategy, called NQA-SA, is also proposed. NQA-SA decreases the accuracy of the attackers to nearly 1%, independently of the number of participant nodes. Both proposed countermeasures reduce the accuracy of the classifiers at the cost of increasing the delay of the DNS query resolution process. Thus, a trade-off between privacy and delay arises, which is theoretically studied in this work by means of queueing analysis. Experimental results with real networks demonstrate that the proposed countermeasures can significantly degrade the accuracy of commonly used machine learning classifiers, thus increasing the privacy protection of individuals on the Internet.

Research on Unexpected DNS Response from Open DNS Resolvers

Abstract As the backbone of the domain name system (DNS), DNS resolvers are essential to the Internet. Nowadays, the measurement of DNS resolvers, especially open DNS resolvers, has become a research focus. Previous research works show that DNS responses returned from some open DNS resolvers are not expected for clients and the Internet. We call these DNS responses ‘unexpected DNS responses’. Research on unexpected DNS responses is beneficial to the research, usage and management of open DNS resolvers. This paper explores unexpected DNS responses returned from open DNS resolvers in terms of identification and classification to better understand the behaviours of open DNS resolvers. First, an identification method is proposed to identify all kinds of DNS responses from each section of DNS messages. Second, a classification method is proposed to classify unexpected DNS responses by their influences on clients and the Internet. Furthermore, an efficient identification and classification method is proposed to simplify the above process. Among about 9 million responding open DNS resolvers in the experiments on the IPv4 address space, about 40% return unexpected DNS responses. Experimental results show that the proposed methods can identify and classify all kinds of DNS responses returned from open DNS resolvers.

Big Data Architecture for Scalable and Trustful DNS based on Sharded DAG Blockchain

Internet applications remain exposed to pervasive Domain Name System (DNS)–based threats. Blockchain technologies provide a new way for tackling DNS vulnerability issues, and have been highlighted recently. However, traditional blockchain is still not well suited for big data applications such as DNS, because the performance of blockchain consensus greatly limits its practical adoption. In this paper, we present DagGridLedger, a sharded directed acyclic graph (DAG) blockchain that provides scalable big data architecture for trustful DNS management. To achieve this goal, DagGridLedger proposes a radical new architecture that combines blockchain sharding and DAG techniques on the DNS resolver side, thereby making it a promising solution to enhance the security and stability of large-scale DNS system. To be specific, DagGridLedger provides a blockchain structure targeting DNS application, which employs a high-performance DAG consensus algorithm named DagGrid. DagGrid consensus realizes a multi-DNS negotiation mechanism through block sharding in generating a block. With an improved asynchronous leaderless Byzantine consensus, DagGrid implements total order determination, which guarantees the trustful DNS management. Further experiments verified the performance of DagGridLedger as well as the applicability of the proposed blockchain architecture in traditional DNS. To this end, DagGridLedger consistently achieves a big data architecture for secure DNS record management, with a novel shared DAG consensus designed for high throughput. This makes DagGridLedger a promising architecture for highly secure and efficient DNS solution.

A Quantitative Method for the DNS Isolation Management Risk Estimation

The domain name system (DNS) is an important infrastructure of the Internet, providing domain name resolution services for almost all Internet communication systems. However, the current DNS is centrally managed, leading to unfair sovereignty of the Internet among countries. A domestic DNS is unable to work normally, noted as isolated management risk (IMR), especially when the national network is isolated from the rest of the Internet. To improve understanding of the DNS isolated management risk for better DNS resource deployment, it is critical to determine how serious the IMR is among various countries. In order to quantify DNS isolated management risk, this paper proposed an effective approach to collect DNS resolution demand data from the network used by various intelligent devices and to conduct data analysis to estimate isolated management risk of certain country’s domestic DNSs. Our idea is to quantify the domain name resolution demand and its relationship with the overseas resolution processes. We further used our quantitative method to compare the IMR of the USA and China and analyzed the difference between them.

Consolidation in the DNS resolver market – how much, how fast, how dangerous?

ABSTRACT Almost all online services use a domain name resolution function to translate names typed by the user into numbers that computers understand. This basic, recursive function, performed in milliseconds and invisible to the user, was integrated from the beginning into the operation of Internet Service Providers (ISPs). This started to change with the advent of new players – such as Google, Cloudflare, Oracle – operating public resolvers and rendering the market more dynamic in the last decade. As more technologies are developed to increase the privacy and security of the domain name system (DNS) protocol, large internet companies with global operations appear better equipped to integrate the latest requirements and offer their services free to users and ISPs, further consolidating their position in the market. This article provides a timely analysis of the emerging trends of consolidation in the recursive DNS services market, focusing on its evolution in the last decade and discussing empirical evidence for the shifts occurring from 2016 to mid-2019.

Reducing User Perceived Latency in Smart Phones Exploiting IP Network Diversity

The Fifth Generation (5G) wireless networks set its standard to provide very high data rates, Ultra-Reliable Low Latency Communications (URLLC), and significantly improved Quality of Service (QoS). 5G networks and beyond will power up billions of connected devices as it expands wireless services to edge computing and the Internet of Things (IoT). The Internet protocol suite continues its evolution from IPv4 addresses to IPv6 addresses by increasing the adoption rate and prioritizing IPv6. Hence, Internet Service Providers (ISP's) are using the address transition method called dual-stack to prioritize the IPv6 while supporting the existing IPv4. But this causes more connectivity overhead in dual-stack as compared to the single-stack network due to its preference schema towards the IPv6. The dual-stack network increases the Domain Name System (DNS) resolution and Transmission Control Protocol (TCP) connection time that results in higher page loading time, thereby significantly impacting the user experience. Hence, we propose a novel connectivity mechanism, called NexGen Connectivity Optimizer (NexGenCO), which redesigns the DNS resolution and TCP connection phases to reduce the user-perceived latency in the dual-stack network for mobile devices. Our solution utilizes the IP network diversity to improve connectivity through concurrency and intelligent caching. NexGenCO is successfully implemented in Samsung flagship devices with Android Pie and further evaluated using both simulated and live-air networks. It significantly reduces connectivity overhead and improves page loading time up to 18%.

Blockzone: A Decentralized and Trustworthy Data Plane for DNS

The domain name system (DNS) provides a mapping service between memorable names and numerical internet protocol addresses, and it is a critical infrastructure of the Internet. The authenticity of DNS resolution results is crucial for ensuring the accessibility of Internet services. Hundreds of supplementary specifications of protocols have been proposed to compensate for the security flaws of DNS. However, DNS security incidents still occur frequently. Although DNS is a distributed system, for a specified domain name, only authorized authoritative servers can resolve it. Other servers must obtain the resolution result through a recursive or iterative resolving procedure, which renders DNS vulnerable to various attacks, such as DNS cache poisoning and distributed denial of service (DDoS) attacks. This paper proposes a novel decentralized architecture for a DNS data plane, which is called Blockzone. First, Blockzone utilizes novel mechanisms, which include on-chain authorization and off-chain storage, to implement a decentralized and trustworthy DNS data plane. Second, in contrast to the hierarchical authentication and recursive query of traditional DNS, Blockzone implements a decentralized operation model. This model significantly increases the efficiency of domain name resolution and verification and enhances the security of DNS against DDoS and cache poisoning attacks. In addition, Blockzone is fully compatible with the traditional DNS implementation and can be incrementally deployed as a plug-in service of DNS without changing the DNS protocol or system architecture. The Blockzone scheme can also be generalized to address security issues in other areas, such as the Internet of things and edge computing.

Cache Effect of Shared DNS Resolver

The Domain Name System (DNS) is a key part of the infrastructure of the Internet. Recent discussions have centered on the removal of the shared DNS resolver and the use of a local full-service resolver instead. From the viewpoint of the cache mechanism, these discussions involve removing the shared DNS cache from the Internet. Although the removal of unnecessary parts from a total system tends to simplify the system, such a large configuration change in the system would need to be be carefully analyzed before its actual deployment. This paper presents our analysis of the effect of a shared DNS resolver based on the campus network traffic. Our findings were as follows: 1) this removal can be expected to amplify the DNS traffic by about 3.3 times, 2) the amplification ratio on the root DNS is much higher (about 10.9 times), and 3) removal of all caching systems from the Internet is likely to amplify the DNS traffic by approximately 12.1 times. Thus, the above-mentioned shared DNS resolver removal should not be considered. Our data analysis also revealed: 4) an increase in the number of clients that do not have a local DNS cache and generate repeated queries at short intervals (less than 1 min). 5) Since the amount of traffic from such clients is not small (about 95.0% of total DNS traffic), the deployment of a local cache itself is feasible.

Measuring the Global Recursive DNS Infrastructure: A View From the Edge

The Domain Name System (DNS) is one of the most critical Internet subsystems. While the majority of ISPs deploy and operate their own DNS infrastructure, many end users resort to third-party DNS providers with hopes of enhancing their privacy, security, and web performance. However, bad user choices and the uneven geographical deployment of DNS providers could render insecure and inefficient DNS configurations for millions of users. In this paper, we propose a novel and flexible measurement method to (1) study the infrastructure of recursive DNS resolvers, including both ISP's and third-party DNS providers' deployment strategies; and (2) study end-user DNS choices, both in a timely manner and at a global scale. For that, we leverage the outreach capacity of online advertising networks to distribute lightweight JavaScript-based DNS measurement scripts. To showcase the potential of our technique, we launch two separate ad campaigns that triggered more than 3M DNS lookups, which allow us to identify and study more than 76k recursive DNS resolvers giving support to more than 25k eyeball ASes in 178 countries. The analysis of the data offers new insights into the DNS infrastructure, such as user preferences towards third-party DNS providers (namely, Google, OpenDNS, Level3, and Cloudflare recursive DNS resolvers account for ~13% of the total DNS requests triggered by our campaigns), and into deployment decisions of many ISPs providing both mobile and fixed access networks to separate the DNS infrastructure serving each type of access technology.

The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation

The domain name system (DNS) is a core Internet infrastructure that translates names to machine-readable information, such as IP addresses. Security flaws in DNS led to a major overhaul, with the introduction of the DNS security (DNSSEC) extensions. DNSSEC adds integrity and authenticity to the DNS using digital signatures. DNSSEC, however, has its own concerns. It suffers from availability problems due to packet fragmentation and is a potent source of distributed denial-of-service attacks. In earlier work, we argued that many issues with DNSSEC stem from the choice of RSA as default signature algorithm. A switch to alternatives based on elliptic curve cryptography (ECC) can resolve these issues. Yet switching to ECC introduces a new problem: ECC signature validation is much slower than RSA validation. Thus, switching DNSSEC to ECC imposes a significant additional burden on DNS resolvers, pushing load toward the edges of the network. Therefore, in this paper, we study the question: will switching DNSSEC to ECC lead to problems for DNS resolvers, or can they handle the extra load? To answer this question, we developed a model that accurately predicts how many signature validations DNS resolvers have to perform. This allows us to calculate the additional CPU load ECC imposes on a resolver. Using real-world measurements from four DNS resolvers and with two open-source DNS implementations, we evaluate future scenarios where DNSSEC is universally deployed. Our results conclusively show that switching DNSSEC to ECC signature schemes does not impose an insurmountable load on DNS resolvers, even in worst case scenarios.

Reexamining DNS From a Global Recursive Resolver Perspective

The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.

Domain Name System during the Transition from IPv4 to IPv6

IPv4 and IPv6 will coexist for a long time, due to ISPes’ inertia in the transition from IPv4 to IPv6. Domain Name System (DNS) is a very important functional unit in the Internet. This paper describres the hierarchy and operating process of IPv6 DNS, IPv6 DNS resolver, and presents the DNS transition from IPv4 to IPv6 in particular. We suggest two methods to implement DNS service during the transition period: DNS-Application Level Gateway (DNS-ALG) with Network Address Translation-Protocol Translation (NAT-PT), and dual stacks. And we also propose their respective operational principles. This paper is of valuable reference for network engineers to construct DNS in the transition phase.

Combating phishing attacks via brand identity and authorization features

AbstractPhishing, also called brand spoofing, has become the most troubling scam on the Internet, which seriously threatens the Web security. The essence of phish is that “robbers” use false sites, which look like a trustworthy brand site, where favicon, logo and copyright notice are important brand identities. We analyzed 78‐day phishing data of PhishTank and Anti‐Phishing Working Group (APWG). The statistics show that more than 98.93% phishing sites contain at least one brand entity—favicon, logo or copyright notice. Indeed, only a few lowest‐quality phishing campaigns do not use such brand elements. Obviously, brand entities are powerful weapons of phishers to trick users. By analyzing the characteristics of brand entities in phishing sites, several brand identity features are extracted. However, only brand entities do not consider whether the Web page with brand entities belongs to the corresponding brand or has an authorization to use the brand entities. To solve this problem, redirection, incoming links and Domain Name System (DNS) information‐based brand authorization features are further extracted to discriminate the sites with branding rights from phishing sites. Based on extracted features, statistical anti‐phishing classification models are trained. We collected a diverse spectrum of corpora containing 3863 phishing cases from PhishTank and APWG, and 17 571 legitimate samples from DMOZ, Google and DNS resolution log. Experimental evaluations show that the model achieves 98.8% true positive rate and 0.09% false positive rate, which demonstrates the competitive performances of extracted features for statistical anti‐phishing in practice. Copyright © 2014 John Wiley &amp; Sons, Ltd.

English

The domain name system (DNS) resolution service often migrates from the one set of authoritative servers to another. The basic requirements for such transition are to ensure zero down time and minimize the transition delay. The optimum transition schemes are proposed favoring seamless and fast DNS resolution service migration. The transition of DNS authoritative servers may take place horizontally or vertically. For the horizontal case, the delegated authority is handovered from the old set of authoritative servers to the new one. For the vertical case, a zone cut is initiated from the parent zone to a newly delegated set of authoritative servers. For the DNSSEC signed zones, the DNSSEC-aware transition schemes are proposed to ensure the continuity of the trust chain. The transition delays as well as how to optimize them are discussed. &nbsp; Key words: Domain name system (DNS), authoritative server, service migration.

Resolvers Revealed

The Domain Name System (DNS) allows clients to use resolvers, sometimes called caches, to query a set of authoritative servers to translate host names into IP addresses. Prior work has proposed using the interaction between these DNS resolvers and the authoritative servers as an access control mechanism. However, while prior work has examined the DNS from many angles, the resolver component has received little scrutiny. Essential factors for using a resolver in an access control system, such as whether a resolver is part of an ISP’s infrastructure or running on an end-user’s system, have not been examined. In this study, we examine DNS resolver behavior and usage, from query patterns and reactions to nonstandard responses to passive association techniques to pair resolvers with their client hosts. In doing so, we discover evidence of security protocol support, misconfigured resolvers, techniques to fingerprint resolvers, and features for detecting automated clients. These measurements can influence the implementation and design of these resolvers and DNS-based access control systems.