Spoofing Attacks of Domain Name System Internet

Addressing weaknesses in the domain name system protocol

1993

The Domain Name System (DNS) is a widely implemented distributed database system used throughout the Internet, providing name resolution between host names and Internet Protocol addresses. This thesis describes problems with the DNS and one of its implementations that allow the abuse of name-based authentication. This leads to situations where the name resolution process cannot be trusted, and security may be compromised. This thesis outlines the current design and implementation of the DNS. It states the main problem both on a high level and as applied to the DNS in a more concrete fashion. We examine the weaknesses in the DNS and exploit a method to abuse the DNS for system break-ins. We demonstrate these weaknesses by describing the necessary modifications in authoritative DNS data and Domain Name System code. We list experiences gained during experiments with several setups of name servers and trusting hosts in a local area network. Too weak assumptions during the authentication processes cause many security breaches. We state the security considerations in the official design documents and analyze the algorithms used in the DNS protocol, looking for weak assumptions. Using a wide variety of criteria, we discuss several approaches to solve the main problem in the Domain Name System protocol. Two of these solutions, hardening the name server and using cryptographic methods for strong authentication, receive more attention than the other solutions.

A survey on Domain Name System Security

2018

DNS (Domain Name System) represents the mapping between domain names and their numerical identifiers. The DNS designers did not take care of security issues related to DNS in the beginning, as the main goal in developing DNS was to provide mapping. With the widespread usage of the Internet, DNS is nowadays one of the most vital components of the Internet. In daily Internet usage such as accessing e-mail, website surfing or using chat applications, DNS plays a major role for every Internet user. Also, many other protocols depend on its function. Thus, various cyber-attacks such as denial-of-service attacks, cache poisoning and malicious domain names are being carried out on DNS, and the security of DNS has been continually challenged due to its vulnerability to these cyber-attacks. A DNS vulnerability may lead to access to the wrong websites or no access to websites. That can cause a huge economic loss for the user. In this paper, a survey on DNS security has been performed to identify the types of attacks possible on DNS. Also...

Security analysis and solution for thwarting cache poisoning attacks in the Domain Name System

2012 19th International Conference on Telecommunications (ICT), 2012

The Domain Name System is a crucial part of the Internet's infrastructure, as it provides basic information that is vital for the proper operation of the Internet. The importance of DNS has caused it to be targeted by malicious attackers who are interested in causing damage and gaining personal benefits. Thus nowadays, DNS faces many security threats such as DNS spoofing and cache poisoning attacks. This paper presents S-DNS, an efficient security solution for thwarting cache poisoning attacks in the DNS hierarchy. The contribution of the S-DNS protocol lies in: (1) decreasing the success probability of DNS spoofing and cache poisoning by preventing man-in-the-middle attacks, (2) providing a backward compatible and simple security solution with low computation and communication overheads, (3) targeting the different DNS query interaction models from iterative, recursive, and caching schemes, and (4) employing an efficient Identity-Based Encryption key management scheme that relieves the different DNS interacting entities from the burden and complexities of traditional public-key infrastructures.

A Fair Solution to DNS Amplification Attacks

2007

Recent serious security incidents reported several attackers employing IP spoofing to massively exploit recursive name servers to amplify DDoS attacks against numerous networks. DNS amplification attack scenarios utilize DNS servers mainly for performing bandwidth consumption DoS attacks. This kind of attack takes advantage of the fact that DNS response messages may be substantially larger than DNS query messages. In this paper we present a novel, simple and practical scheme that enables administrators to distinguish between genuine and falsified DNS replies. The proposed scheme acts proactively by monitoring DNS traffic in real time and alerting security supervisors when necessary. It also acts reactively in co-operation with the firewalls by automatically updating rules to ban bogus packets. Our analysis and the corresponding experimental results show that the proposed scheme offers an effective solution when the specific attack unfolds.

Survey on domain name system security

2007

DNS (Domain Name System) represents the mapping between domain names and their numerical identifiers. The DNS designers did not take care of security issues related to DNS in the beginning, as the main goal in developing DNS was to provide mapping. With the widespread usage of the Internet, DNS is nowadays one of the most vital components of the Internet. In daily Internet usage such as accessing e-mail, website surfing or using chat applications, DNS plays a major role for every Internet user. Also, many other protocols depend on its function. Thus, various cyber-attacks such as denial-of-service attacks, cache poisoning and malicious domain names are being carried out on DNS, and the security of DNS has been continually challenged due to its vulnerability to these cyber-attacks. A DNS vulnerability may lead to access to the wrong websites or no access to websites. That can cause a huge economic loss for the user. In this paper, a survey on DNS security has been performed to identify the types of attacks possible on DNS. Also, a survey of various DNS security systems has been performed based on the protection they give against cyber-attacks. Among them, a detailed analysis has been performed on DNSSEC (DNS Security Extension), an extension to the original DNS protocol proposed in RFC 2535 (later updated in RFC 3007, 3008 and 3090) that provides authentication and integrity for the data transferred by DNS. DNSSEC uses public key cryptography to provide authentication and integrity for the data transferred by DNS. Existing public key cryptographic algorithms like RSA (Rivest Shamir Adleman Algorithm) and ECC (Elliptic Curve Cryptography) are used by DNSSEC to provide authenticity and integrity of data transferred by DNS. Analysis and comparison of these algorithms has been performed based on various factors used for public key cryptography. Also, the advantages and disadvantages of using ECC in DNSSEC have been discussed. Finally, future aspects of DNS security have been discussed.

Increased DNS forgery resistance through 0x20-bit encoding

Proceedings of the 15th ACM conference on Computer and communications security - CCS '08, 2008

We describe a novel, practical and simple technique to make DNS queries more resistant to poisoning attacks: mix the upper and lower case spelling of the domain name in the query. Fortuitously, almost all DNS authority servers preserve the mixed case encoding of the query in answer messages. Attackers hoping to poison a DNS cache must therefore guess the mixed-case encoding of the query, in addition to all other fields required in a DNS poisoning attack. This increases the difficulty of the attack. We describe and measure the additional protections realized by this technique. Our analysis includes a basic model of DNS poisoning, measurement of the benefits that come from case-sensitive query encoding, implementation of the system for recursive DNS servers, and large-scale real-world experimental evaluation. Since the benefits of our technique can be significant, we have simultaneously made this DNS encoding system a proposed IETF standard. Our approach is practical enough that, just weeks after its disclosure, it is being implemented by numerous DNS vendors.

Threat Analysis of the Domain Name System (DNS)

2004

Status of this Memo: This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.