DOI: 10.1145/1455770.1455798

Increased DNS forgery resistance through 0x20-bit encoding: security via leet queries

Published: 27 October 2008

Abstract

We describe a novel, practical and simple technique to make DNS queries more resistant to poisoning attacks: mix the upper and lower case spelling of the domain name in the query. Fortuitously, almost all DNS authority servers preserve the mixed case encoding of the query in answer messages. Attackers hoping to poison a DNS cache must therefore guess the mixed-case encoding of the query, in addition to all other fields required in a DNS poisoning attack. This increases the difficulty of the attack.
We describe and measure the additional protections realized by this technique. Our analysis includes a basic model of DNS poisoning, measurement of the benefits that come from case-sensitive query encoding, implementation of the system for recursive DNS servers, and large-scale real-world experimental evaluation. Since the benefits of our technique can be significant, we have simultaneously made this DNS encoding system a proposed IETF standard. Our approach is practical enough that, just weeks after its disclosure, it is being implemented by numerous DNS vendors.
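The technique the abstract describes, as an added Python example that is not code from the paper or from any resolver implementation: one random bit per ASCII letter of the query name, and a byte-for-byte (case-sensitive) check of the question name echoed back in the response. The function names and the dict-based stand-in for parsed DNS headers are my assumptions.

```python
import secrets

def letter_count(qname: str) -> int:
    """Number of ASCII letters in the name; each one carries one extra bit
    of unpredictability, since digits, hyphens and dots have no case."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())

def encode_0x20(qname: str, bits: int) -> str:
    """0x20 encoding: the i-th ASCII letter of qname is sent upper-case if
    bit i of `bits` is set, lower-case otherwise (ASCII upper and lower case
    differ exactly in bit 0x20). Non-letters pass through unchanged."""
    out, i = [], 0
    for ch in qname.lower():
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (bits >> i) & 1 else ch)
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def random_0x20(qname: str) -> str:
    """Resolver side: draw a fresh random case pattern for every outstanding query."""
    return encode_0x20(qname, secrets.randbits(max(letter_count(qname), 1)))

def extra_guess_work(qname: str) -> int:
    """Factor by which the forger's search space grows: 2 ** (number of letters)."""
    return 1 << letter_count(qname)

def response_accepted(sent: dict, resp: dict) -> bool:
    """Accept a response only if transaction ID, destination port and the echoed
    question name all match. The name check is deliberately case-SENSITIVE
    (byte-for-byte): RFC 1034 treats names case-insensitively, but a 0x20-aware
    resolver relies on the authority echoing the query's case pattern, so a
    forged reply with the wrong pattern is dropped. The dicts are a constructed
    stand-in for parsed DNS headers, not a wire-format parser."""
    return (sent["txid"] == resp["txid"]
            and sent["port"] == resp["port"]
            and sent["qname"].encode("ascii") == resp["qname"].encode("ascii"))
```

For `www.example.com` the 13 letters add 13 bits, so a forger must try 8192 times as many candidate replies on top of the 16-bit transaction ID and the source port.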

Published In

CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
October 2008
590 pages
ISBN:9781595938107
DOI:10.1145/1455770
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. DNS poisoning
  2. DNS-0x20
  3. computer security

Acceptance Rates

CCS '08 Paper Acceptance Rate 51 of 280 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By

  • (2023) Fourteen years in the life. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 3171-3186, 9 Aug 2023. DOI: 10.5555/3620237.3620415
  • (2023) TI-DNS: A Trusted and Incentive DNS Resolution Architecture based on Blockchain. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 265-274, 1 Nov 2023. DOI: 10.1109/TrustCom60117.2023.00055
  • (2022) DNS Poisoning of Operating System Caches: Attacks and Mitigations. IEEE Transactions on Dependable and Secure Computing 19(4), pp. 2851-2863, 1 Jul 2022. DOI: 10.1109/TDSC.2022.3142331
  • (2022) Measurement for encrypted open resolvers. Computer Networks 213:C, 4 Aug 2022. DOI: 10.1016/j.comnet.2022.109081
  • (2022) An intelligent proactive defense against the client-side DNS cache poisoning attack via self-checking deep reinforcement learning. International Journal of Intelligent Systems 37(10), pp. 8170-8197, 25 Aug 2022. DOI: 10.1002/int.22934
  • (2021) From IP to transport and beyond. Proceedings of the 2021 ACM SIGCOMM Conference, pp. 836-849, 9 Aug 2021. DOI: 10.1145/3452296.3472933
  • (2021) B-DNS: A Secure and Efficient DNS Based on the Blockchain Technology. IEEE Transactions on Network Science and Engineering 8(2), pp. 1674-1686, 1 Apr 2021. DOI: 10.1109/TNSE.2021.3068788
  • (2021) Cross Layer Attacks and How to Use Them (for DNS Cache Poisoning, Device Tracking and More). 2021 IEEE Symposium on Security and Privacy (SP), pp. 1179-1196, May 2021. DOI: 10.1109/SP40001.2021.00054
  • (2021) Content Delivery Network Security: A Survey. IEEE Communications Surveys & Tutorials 23(4), pp. 2166-2190, Dec 2022. DOI: 10.1109/COMST.2021.3093492
  • (2021) Domain name system security and privacy: A contemporary survey. Computer Networks 185, 107699, Feb 2021. DOI: 10.1016/j.comnet.2020.107699