DNSSEC+: An Enhanced DNS Scheme Motivated by Benefits and Pitfalls of DNSSEC

• URL: http://arxiv.org/abs/2408.00968v1
• Date: Fri, 2 Aug 2024 01:25:14 GMT
• Title: DNSSEC+: An Enhanced DNS Scheme Motivated by Benefits and Pitfalls of DNSSEC
• Authors: Ali Sadeghi Jahromi, AbdelRahman Abdou, Paul C. van Oorschot,
• Abstract summary: We present DNSSEC+, which addresses security and deployability downsides of DNSSEC. We show how DNSSEC+ fulfills nine security, privacy, and deployability properties for name resolution.
• Score: 1.8379423176822356
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: The absence of security measures between DNS recursive resolvers and authoritative nameservers has been exploited by both inline and off-path attacks. While many security proposals have been made in practice and previous literature, they typically suffer from deployability barriers and/or inadequate security properties. The absence of a broadly adopted security solution between resolvers and nameservers motivates a new scheme that mitigates these issues in previous proposals. We present DNSSEC+, which addresses security and deployability downsides of DNSSEC, while retaining its benefits. DNSSEC+ takes advantage of the existent DNSSEC trust model and authorizes the nameservers within a zone for short intervals to serve the zone data securely, facilitating real-time security properties for DNS responses, without requiring long-term private keys to be duplicated (thus put at risk) on authoritative nameservers. Regarding name resolution latency, DNSSEC+ offers a performance comparable to less secure schemes. We define nine security, privacy, and deployability properties for name resolution, and show how DNSSEC+ fulfills these properties.

Related papers

• Transparent Attested DNS for Confidential Computing Services [2.6667047594113096]
  ADNS is a name service that binds attested implementation of confidential services to their domain names. ADNS builds on standards such as DNSSEC, DANE, ACME and Certificate Transparency. We implement aDNS as a confidential service using a fault-tolerant network of TEEs.
  arXiv  Detail & Related papers  (2025-03-18T18:07:09Z)
• Shh, don't say that! Domain Certification in LLMs [124.61851324874627]
  Large language models (LLMs) are often deployed to perform constrained tasks, with narrow domains. We introduce domain certification; a guarantee that accurately characterizes the out-of-domain behavior of language models. We then propose a simple yet effective approach, which we call VALID that provides adversarial bounds as a certificate.
  arXiv  Detail & Related papers  (2025-02-26T17:13:19Z)
• Analysis of Robust and Secure DNS Protocols for IoT Devices [8.574167373120648]
  We investigate different DNS security approaches using an edge DNS resolver implemented as a Virtual Network Function (VNF) We present our results for cache-based and non-cached responses and evaluate the corresponding security benefits.
  arXiv  Detail & Related papers  (2025-02-13T19:16:39Z)
• Federated Instruction Tuning of LLMs with Domain Coverage Augmentation [87.49293964617128]
  Federated Domain-specific Instruction Tuning (FedDIT) utilizes limited cross-client private data together with various strategies of instruction augmentation. We propose FedDCA, which optimize domain coverage through greedy client center selection and retrieval-based augmentation. For client-side computational efficiency and system scalability, FedDCA$*$, the variant of FedDCA, utilizes heterogeneous encoders with server-side feature alignment.
  arXiv  Detail & Related papers  (2024-09-30T09:34:31Z)
• Knowledge-to-Jailbreak: One Knowledge Point Worth One Attack [86.6931690001357]
  Knowledge-to-jailbreak aims to generate jailbreaks from domain knowledge to evaluate the safety of large language models on specialized domains. We collect a large-scale dataset with 12,974 knowledge-jailbreak pairs and fine-tune a large language model as jailbreak-generator.
  arXiv  Detail & Related papers  (2024-06-17T15:59:59Z)
• The Harder You Try, The Harder You Fail: The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNSSEC [19.568025360483702]
  We develop a new class of DNSSEC-based algorithmic complexity attacks on DNS, we dub KeyTrap attacks. With just a single DNS packet, the KeyTrap attacks lead to a 2.0x spike in CPU count in vulnerable DNS resolvers, stalling some for as long as 16 hours. Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.
  arXiv  Detail & Related papers  (2024-06-05T10:33:04Z)
• Don't Get Hijacked: Prevalence, Mitigation, and Impact of Non-Secure DNS Dynamic Updates [1.135267457536642]
  DNS dynamic updates represent an inherently vulnerable mechanism. Non-secure DNS updates leave domains susceptible to a novel form of attack termed zone poisoning. We undertook a comprehensive campaign involving the notification of Computer Security Incident Response Teams.
  arXiv  Detail & Related papers  (2024-05-30T09:23:53Z)
• Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet [0.9319432628663636]
  We propose a novel technique for identifying DNSSEC-validating resolvers. We find that while most open resolvers are DNSSEC-enabled, less than 18% in IPv4 (38% in IPv6) validate received responses.
  arXiv  Detail & Related papers  (2024-05-30T08:58:18Z)
• Secure Aggregation is Not Private Against Membership Inference Attacks [66.59892736942953]
  We investigate the privacy implications of SecAgg in federated learning. We show that SecAgg offers weak privacy against membership inference attacks even in a single training round. Our findings underscore the imperative for additional privacy-enhancing mechanisms, such as noise injection.
  arXiv  Detail & Related papers  (2024-03-26T15:07:58Z)
• The Power of Bamboo: On the Post-Compromise Security for Searchable Symmetric Encryption [43.669192188610964]
  Dynamic searchable symmetric encryption (DSSE) enables users to delegate the keyword search over dynamically updated databases to an honest-but-curious server. This paper studies a new and practical security risk to DSSE, namely, secret key compromise. We introduce the notion of searchable encryption with key-update (SEKU) that provides users with the option of non-interactive key updates.
  arXiv  Detail & Related papers  (2024-03-22T09:21:47Z)
• TI-DNS: A Trusted and Incentive DNS Resolution Architecture based on Blockchain [8.38094558878305]
  Domain Name System (DNS) is vulnerable to some malicious attacks, including DNS cache poisoning. This paper presents TI-DNS, a blockchain-based DNS resolution architecture designed to detect and correct the forged DNS records. TI-DNS is easy to be adopted as it only requires modifications to the resolver side of current DNS infrastructure.
  arXiv  Detail & Related papers  (2023-12-07T08:03:10Z)
• The Evolution of DNS Security and Privacy [1.0603824305049263]
  DNS is one of the fundamental protocols of the TCP/IP stack to protect against threats and attacks. This study examines the risks associated with DNS and explores recent advancements that contribute towards making the DNS ecosystem resilient against various attacks while safeguarding user privacy.
  arXiv  Detail & Related papers  (2023-12-01T06:14:25Z)
• Model Barrier: A Compact Un-Transferable Isolation Domain for Model Intellectual Property Protection [52.08301776698373]
  We propose a novel approach called Compact Un-Transferable Isolation Domain (CUTI-domain) CUTI-domain acts as a barrier to block illegal transfers from authorized to unauthorized domains. We show that CUTI-domain can be easily implemented as a plug-and-play module with different backbones.
  arXiv  Detail & Related papers  (2023-03-20T13:07:11Z)
• Randomized Message-Interception Smoothing: Gray-box Certificates for Graph Neural Networks [95.89825298412016]
  We propose novel gray-box certificates for Graph Neural Networks (GNNs) We randomly intercept messages and analyze the probability that messages from adversarially controlled nodes reach their target nodes. Our certificates provide stronger guarantees for attacks at larger distances.
  arXiv  Detail & Related papers  (2023-01-05T12:21:48Z)
• Towards Bidirectional Protection in Federated Learning [70.36925233356335]
  F2ED-LEARNING offers bidirectional defense against malicious centralized server and Byzantine malicious clients. F2ED-LEARNING securely aggregates each shard's update and launches FilterL2 on updates from different shards. evaluation shows that F2ED-LEARNING consistently achieves optimal or close-to-optimal performance.
  arXiv  Detail & Related papers  (2020-10-02T19:37:02Z)
• CryptoSPN: Privacy-preserving Sum-Product Network Inference [84.88362774693914]
  We present a framework for privacy-preserving inference of sum-product networks (SPNs) CryptoSPN achieves highly efficient and accurate inference in the order of seconds for medium-sized SPNs.
  arXiv  Detail & Related papers  (2020-02-03T14:49:18Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.