DOI: 10.1145/2987443.2987477
short-paper

Zone Poisoning: The How and Where of Non-Secure DNS Dynamic Updates

Published: 14 November 2016

    Abstract

    This paper illuminates the problem of non-secure DNS dynamic updates, which allow a miscreant to manipulate DNS entries in the zone files of authoritative name servers. We refer to this type of attack as zone poisoning. This paper presents the first measurement study of the vulnerability. We analyze a random sample of 2.9 million domains and the Alexa top 1 million domains and find that at least 1,877 (0.065%) and 587 (0.062%) of domains are vulnerable, respectively. Among the vulnerable domains are governments, health care providers and banks, demonstrating that the threat impacts important services. Via this study and subsequent notifications to affected parties, we aim to improve the security of the DNS ecosystem.


    Published In

    IMC '16: Proceedings of the 2016 Internet Measurement Conference
    November 2016
    570 pages
    ISBN:9781450345262
    DOI:10.1145/2987443
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 14 November 2016

    Author Tags

    1. dns
    2. domain name system
    3. dynamic updates
    4. measurement
    5. security
    6. zone poisoning

    Qualifiers

    • Short-paper

    Funding Sources

    • SIDN the .nl Registry

    Conference

    IMC 2016: Internet Measurement Conference
    November 14 - 16, 2016
    Santa Monica, California, USA

    Acceptance Rates

    IMC '16 Paper Acceptance Rate 48 of 184 submissions, 26%;
    Overall Acceptance Rate 277 of 1,083 submissions, 26%

    Bibliometrics

    • Downloads (Last 12 months): 22
    • Downloads (Last 6 weeks): 2
    Reflects downloads up to 10 Aug 2024

    Cited By

    • (2023) Don’t Get Hijacked: Prevalence, Mitigation, and Impact of Non-Secure DNS Dynamic Updates. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (1480-1489). DOI: 10.1109/TrustCom60117.2023.00202. Online publication date: 1-Nov-2023
    • (2023) The Closed Resolver Project: Measuring the Deployment of Inbound Source Address Validation. IEEE/ACM Transactions on Networking 31:6 (2589-2603). DOI: 10.1109/TNET.2023.3257413. Online publication date: Dec-2023
    • (2022) Addressing the challenges of modern DNS a comprehensive tutorial. Computer Science Review 45 (100469). DOI: 10.1016/j.cosrev.2022.100469. Online publication date: Aug-2022
    • (2021) Semantic Identifiers and DNS Names for IoT. 2021 International Conference on Computer Communications and Networks (ICCCN) (1-9). DOI: 10.1109/ICCCN52240.2021.9522285. Online publication date: Jul-2021
    • (2021) Source Address Validation. Encyclopedia of Cryptography, Security and Privacy (1-5). DOI: 10.1007/978-3-642-27739-9_1626-1. Online publication date: 19-Jan-2021
    • (2020) Behind Closed Doors. Proceedings of the ACM Internet Measurement Conference (65-77). DOI: 10.1145/3419394.3423649. Online publication date: 27-Oct-2020
    • (2020) Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers. Proceedings of the 2020 Applied Networking Research Workshop (9-11). DOI: 10.1145/3404868.3406668. Online publication date: 27-Jul-2020
    • (2020) Feasibility of Large-Scale Vulnerability Notifications after GDPR. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (532-537). DOI: 10.1109/EuroSPW51379.2020.00078. Online publication date: Sep-2020
    • (2020) COMAR: Classification of Compromised versus Maliciously Registered Domains. 2020 IEEE European Symposium on Security and Privacy (EuroS&P) (607-623). DOI: 10.1109/EuroSP48549.2020.00045. Online publication date: Sep-2020
    • (2020) Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic. Passive and Active Measurement (107-121). DOI: 10.1007/978-3-030-44081-7_7. Online publication date: 18-Mar-2020
