Recursive DNS Architectures and Vulnerability Implications
نویسندگان
چکیده
DNS implementers face numerous choices in architecting DNS resolvers, each with profound implications for security. Absent the use of DNSSEC, there are numerous interim techniques to improve DNS forgery resistance. We explore how different resolver architectures can affect the risk of DNS poisoning. The contributions of this work include: (A) We create a comprehensive, accurate model of DNS poisoning. We show how this model is more sensitive than other previous explanations of DNS poisoning. (B) We further catalog the major architectural choices DNS implementers can make in query management. We note real-world instances where these choices have weakened the security of resolvers, and measure the impact on security using our model. Our study revealed numerous, previously unknown vulnerabilities in common DNS servers.
منابع مشابه
Extended Abstract: Understanding the Privacy Implications of ECS
The edns-client-subnet (ECS) is a new extension for the Domain Name System (DNS) that delivers a “faster Internet” with the help of client-specific DNS answers. Under ECS, recursive DNS servers (recursives) provide client network address information to upstream authorities, permitting topologically localized answers for content delivery networks (CDNs). This optimization, however, comes with a ...
متن کاملDoes Your DNS Recursion Really Time Out as Intended? A Timeout Vulnerability of DNS Recursive Servers
Parallelization is featured by DNS recursive servers to do time-consuming recursions on behalf on clients. As common DNS configurations, recursive servers should allow a reasonable timeout for each recursion which may take as long as several seconds. However, it is proposed in this paper that recursion parallelization may be exploited by attackers to compromise the recursion timeout mechanism f...
متن کاملImproved Recursive DNS Server Selection for Multi-Interfaced Nodes
A multi-interfaced node is connected to multiple networks, some of which might be utilizing private DNS namespaces. A node commonly receives recursive DNS server configuration information from all connected networks. Some of the recursive DNS servers might have information about namespaces other servers do not have. When a multi-interfaced node needs to utilize DNS, the node has to choose which...
متن کاملThe Availability and Security Implications of Glue in the Domain Name System
The Domain Name System (DNS) is one of the most fundamental components of the Internet. While glue is widely used and heavily relied on in DNS operations, there is little thinking about the necessity, complexity, and venerability of such prevalent configuration. This work is the first to provide extensive and systematic analysis of DNS glue. It discusses the availability implications of glue an...
متن کاملMining IP to Domain Name Interactions to Detect DNS Flood Attacks on Recursive DNS Servers
The Domain Name System (DNS) is a critical infrastructure of any network, and, not surprisingly a common target of cybercrime. There are numerous works that analyse higher level DNS traffic to detect anomalies in the DNS or any other network service. By contrast, few efforts have been made to study and protect the recursive DNS level. In this paper, we introduce a novel abstraction of the recur...
متن کامل