Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet
- URL: http://arxiv.org/abs/2405.19851v1
- Date: Thu, 30 May 2024 08:58:18 GMT
- Title: Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet
- Authors: Yevheniya Nosyk, Maciej Korczyński, Andrzej Duda
- Abstract summary: We propose a novel technique for identifying DNSSEC-validating resolvers.
We find that while most open resolvers are DNSSEC-enabled, less than 18% in IPv4 (38% in IPv6) validate received responses.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: DNS Security Extensions (DNSSEC) provide the most effective way to fight DNS cache poisoning attacks. Yet, very few DNS resolvers perform DNSSEC validation. Identifying such systems is non-trivial and the existing methods are not suitable for Internet-scale measurements. In this paper, we propose a novel remote technique for identifying DNSSEC-validating resolvers. The proposed method consists of two steps. In the first step, we identify open resolvers by scanning 3.1 billion end hosts and request every non-forwarder to resolve one correct and seven deliberately misconfigured domains. We then build a classifier that discriminates validators from non-validators based on query patterns and DNS response codes. We find that while most open resolvers are DNSSEC-enabled, less than 18% in IPv4 (38% in IPv6) validate received responses. In the second step, we remotely identify closed non-forwarders in networks that do not have inbound Source Address Validation (SAV) in place. Using the classifier built in step one, we identify 37.4% IPv4 (42.9% IPv6) closed DNSSEC validators and cross-validate the results using RIPE Atlas probes. Finally, we show that the discovered (non)-validators actively send requests to DNS root servers, suggesting that we deal with operational recursive resolvers rather than misconfigured machines.
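The following Python block is an added example, not code from the paper or its authors. It builds a DO-flagged query, parses response headers, and applies a rule-based version of the response-code split the abstract describes: a validating resolver answers the correctly signed domain but returns SERVFAIL for the deliberately misconfigured ones, and that SERVFAIL turns into NOERROR when the same query carries the CD (Checking Disabled) bit, which separates a validation failure from an upstream outage. The seven misconfiguration labels and every resolver behaviour below are constructed for the offline demo; the paper's own classifier is trained on query patterns observed at the authoritative side as well as on response codes, which this rule cannot see.

```python
import struct

# RFC 1035 response codes and header flag bits used by the classifier
NOERROR, SERVFAIL = 0, 2
FLAG_AD = 0x0020   # Authenticated Data: set by a validator on verified answers
FLAG_CD = 0x0010   # Checking Disabled: asks the resolver to skip validation
EDNS_DO = 0x8000   # DNSSEC OK bit, carried in the TTL field of the OPT RR

# Placeholder labels for the seven misconfigured test domains
# (the abstract does not name them; these are assumptions for the demo).
BOGUS_LABELS = ["badsig", "expired", "notyet", "nods", "nokey", "badds", "nsecgap"]


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, txid=0x1234, qtype=1, cd=False):
    """Build an IN A query with RD set and an EDNS0 OPT RR carrying the DO bit."""
    flags = 0x0100 | (FLAG_CD if cd else 0)                    # RD (+ CD on request)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)    # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, type 41, UDP payload 4096, ext-rcode/version 0, DO flag, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def build_response(txid, rcode, ad=False, cd=False):
    """Constructed minimal response header (no records): enough for the classifier."""
    flags = 0x8180 | rcode | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0)  # QR, RD, RA
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


def parse_response(pkt):
    """Extract the fields the classifier needs from a DNS response header."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    return {"id": txid, "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD)}


def classify(correct, bogus):
    """Rule-based approximation of the validator / non-validator split.

    correct: parsed response for the correctly signed domain (DO set).
    bogus:   {label: (resp_plain, resp_cd)}, the response for each misconfigured
             domain queried without and then with the CD bit.
    SERVFAIL that becomes NOERROR once CD is set is a validation failure;
    SERVFAIL in both cases is not attributable to validation.
    """
    if correct["rcode"] != NOERROR:
        return "broken"            # cannot resolve a valid signed name: unusable probe
    failed = [lbl for lbl, (plain, cd) in bogus.items()
              if plain["rcode"] == SERVFAIL and cd["rcode"] == NOERROR]
    stuck = [lbl for lbl, (plain, cd) in bogus.items()
             if plain["rcode"] == SERVFAIL and cd["rcode"] == SERVFAIL]
    if len(failed) == len(bogus):
        return "validator"
    if failed:
        return "partial-validator"  # e.g. treats an unsupported algorithm as insecure
    if stuck:
        return "inconclusive"       # SERVFAIL unaffected by CD: outage or CD ignored
    return "non-validator"


def simulate(kind, txid=0x1234):
    """Constructed resolver behaviours for the offline demo (not measured data)."""
    correct_rcode = SERVFAIL if kind == "broken" else NOERROR
    correct = parse_response(build_response(txid, correct_rcode, ad=(kind == "validator")))
    bogus = {}
    for i, lbl in enumerate(BOGUS_LABELS):
        if kind == "validator" or (kind == "partial" and i < 5):
            plain, cd = SERVFAIL, NOERROR       # fails closed, answers when CD is set
        elif kind == "servfail-always":
            plain, cd = SERVFAIL, SERVFAIL      # fails regardless of CD
        else:
            plain, cd = NOERROR, NOERROR        # hands back the bogus data unvalidated
        bogus[lbl] = (parse_response(build_response(txid, plain)),
                      parse_response(build_response(txid, cd, cd=True)))
    return classify(correct, bogus)


if __name__ == "__main__":
    for kind in ("validator", "partial", "non-validator", "servfail-always", "broken"):
        print(f"{kind:16s} -> {simulate(kind)}")
```

Against a live resolver, `build_query()` would be sent over UDP port 53 and the raw reply fed to `parse_response()`; the CD-bit retry matters because a resolver that cannot reach the authoritative servers also returns SERVFAIL, and counting that as a validation failure inflates the validator share. The `ad` field is kept as a secondary signal: a validator that verified the correctly signed answer sets AD, while a non-validator never does.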
Related papers
- MTDNS: Moving Target Defense for Resilient DNS Infrastructure [2.8721132391618256]
DNS (Domain Name System) is one of the most critical components of the Internet.
Researchers have been constantly developing methods to detect and defend against the attacks against DNS.
Most solutions discard packets for defensive approaches, which can cause legitimate packets to be dropped.
We propose MTDNS, a resilient MTD-based approach that employs Moving Target Defense techniques.
arXiv Detail & Related papers (2024-10-03T06:47:16Z)
- DNSSEC+: An Enhanced DNS Scheme Motivated by Benefits and Pitfalls of DNSSEC [1.8379423176822356]
We introduce DNSSEC+, a novel DNS scheme designed to mitigate the security and privacy vulnerabilities of the DNS resolution process between resolvers and name servers.
We show that for server-side processing latency, resolution time, and CPU usage, DNSSEC+ is comparable to less-secure schemes but significantly outperforms DNS-over-TLS.
arXiv Detail & Related papers (2024-08-02T01:25:14Z)
- The Harder You Try, The Harder You Fail: The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNSSEC [19.568025360483702]
We develop a new class of DNSSEC-based algorithmic complexity attacks on DNS, we dub KeyTrap attacks.
With just a single DNS packet, the KeyTrap attacks lead to a 2,000,000x spike in CPU instruction count in vulnerable DNS resolvers, stalling some for as long as 16 hours.
Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.
arXiv Detail & Related papers (2024-06-05T10:33:04Z)
- TI-DNS: A Trusted and Incentive DNS Resolution Architecture based on Blockchain [8.38094558878305]
Domain Name System (DNS) is vulnerable to some malicious attacks, including DNS cache poisoning.
This paper presents TI-DNS, a blockchain-based DNS resolution architecture designed to detect and correct the forged DNS records.
TI-DNS is easy to adopt as it only requires modifications to the resolver side of the current DNS infrastructure.
arXiv Detail & Related papers (2023-12-07T08:03:10Z)
- ResolverFuzz: Automated Discovery of DNS Resolver Vulnerabilities with Query-Response Fuzzing [22.15711226930362]
Domain Name System (DNS) resolvers are the central piece of the DNS infrastructure.
Finding the resolver vulnerabilities is non-trivial, and this problem is not well addressed by the existing tools.
In this paper, we present a new fuzzing system termed ResolverFuzz to address the challenges related to DNS resolvers.
arXiv Detail & Related papers (2023-10-04T23:17:32Z)
- DecoupleNet: Decoupled Network for Domain Adaptive Semantic Segmentation [78.30720731968135]
Unsupervised domain adaptation in semantic segmentation has been raised to alleviate the reliance on expensive pixel-wise annotations.
We propose DecoupleNet that alleviates source domain overfitting and enables the final model to focus more on the segmentation task.
We also put forward Self-Discrimination (SD) and introduce an auxiliary classifier to learn more discriminative target domain features with pseudo labels.
arXiv Detail & Related papers (2022-07-20T15:47:34Z)
- Unsupervised Out-of-Domain Detection via Pre-trained Transformers [56.689635664358256]
Out-of-domain inputs can lead to unpredictable outputs and sometimes catastrophic safety issues.
Our work tackles the problem of detecting out-of-domain samples with only unsupervised in-domain data.
Two domain-specific fine-tuning approaches are further proposed to boost detection accuracy.
arXiv Detail & Related papers (2021-06-02T05:21:25Z)
- OPANAS: One-Shot Path Aggregation Network Architecture Search for Object Detection [82.04372532783931]
Recently, neural architecture search (NAS) has been exploited to design feature pyramid networks (FPNs)
We propose a novel One-Shot Path Aggregation Network Architecture Search (OPANAS) algorithm, which significantly improves both searching efficiency and detection accuracy.
arXiv Detail & Related papers (2021-03-08T01:48:53Z)
- CMT in TREC-COVID Round 2: Mitigating the Generalization Gaps from Web to Special Domain Search [89.48123965553098]
This paper presents a search system to alleviate the special domain adaption problem.
The system utilizes the domain-adaptive pretraining and few-shot learning technologies to help neural rankers mitigate the domain discrepancy.
Our system performs the best among the non-manual runs in Round 2 of the TREC-COVID task.
arXiv Detail & Related papers (2020-11-03T09:10:48Z)
- Global Optimization of Objective Functions Represented by ReLU Networks [77.55969359556032]
Neural networks can learn complex, non-convex functions, and it is challenging to guarantee their correct behavior in safety-critical contexts.
Many approaches exist to find failures in networks (e.g., adversarial examples), but these cannot guarantee the absence of failures.
We propose an approach that integrates the optimization process into the verification procedure, achieving better performance than the naive approach.
arXiv Detail & Related papers (2020-10-07T08:19:48Z)
- Boosting Deep Neural Networks with Geometrical Prior Knowledge: A Survey [77.99182201815763]
Deep Neural Networks (DNNs) achieve state-of-the-art results in many different problem settings.
DNNs are often treated as black box systems, which complicates their evaluation and validation.
One promising field, inspired by the success of convolutional neural networks (CNNs) in computer vision tasks, is to incorporate knowledge about symmetric geometrical transformations.
arXiv Detail & Related papers (2020-06-30T14:56:05Z)
- DNS Tunneling: A Deep Learning based Lexicographical Detection Approach [1.3701366534590496]
DNS Tunneling is attractive to hackers who exploit it to establish bidirectional communication with machines infected with malware.
The present work proposes a detection approach based on a Convolutional Neural Network (CNN) with a minimal architecture complexity.
Despite its simple architecture, the resulting CNN model correctly detected more than 92% of total Tunneling domains with a false positive rate close to 0.8%.
arXiv Detail & Related papers (2020-06-11T00:10:13Z)
This list is automatically generated from the titles and abstracts of the papers in this site.