Increased DNS forgery resistance through 0x20-bit encoding: security via leet queries
Full text: PDF (607 KB)
Source: Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), Alexandria, Virginia, USA
Session: Network security
Pages 211-222
Year of Publication: 2008
ISBN:978-1-59593-810-7
Authors
David Dagon  Georgia Institute of Technology, Atlanta, GA, USA
Manos Antonakakis  Georgia Institute of Technology, Atlanta, GA, USA
Paul Vixie  Internet Systems Consortium, Redwood City, CA, USA
Tatuya Jinmei  Internet Systems Consortium, Redwood City, CA, USA
Wenke Lee  Georgia Institute of Technology, Atlanta, GA, USA
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 34,   Downloads (12 Months): 312,   Citation Count: 0
DOI: http://doi.acm.org/10.1145/1455770.1455798
ABSTRACT

We describe a novel, practical and simple technique to make DNS queries more resistant to poisoning attacks: mix the upper- and lower-case spelling of the domain name in the query. Fortuitously, almost all DNS authority servers preserve the mixed-case encoding of the query in their answer messages. An attacker hoping to poison a DNS cache must therefore guess the mixed-case encoding of the query, in addition to all the other fields (transaction ID, source port, and so on) already required in a DNS poisoning attack. This increases the difficulty of the attack.

We describe and measure the additional protections realized by this technique. Our analysis includes a basic model of DNS poisoning, measurement of the benefits that come from case-sensitive query encoding, implementation of the system for recursive DNS servers, and large-scale real-world experimental evaluation. Since the benefits of our technique can be significant, we have simultaneously made this DNS encoding system a proposed IETF standard. Our approach is practical enough that, just weeks after its disclosure, it is being implemented by numerous DNS vendors.
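The following is an added example, not code from the paper or from any of the vendors' implementations, that shows the mechanism the abstract describes end to end: a resolver sets bit 0x20 of each letter in the query name at random, sends a plain RFC 1035 query, and then accepts an answer only if its question section matches the query byte for byte (case included) along with the transaction ID. The wire-format builder, the constructed answers, the documentation-range addresses (192.0.2.1, 198.51.100.66) and the transaction ID 0x1234 are all assumptions made for the example; no packets are sent.

```python
"""Added example: 0x20 case randomization and the matching resolver-side check."""
import os
import struct


def encode_0x20(qname, rand=None):
    """Randomize the case of every ASCII letter in qname.

    Bit 0x20 of an ASCII letter selects lower case (set) or upper case
    (clear); digits and hyphens have no such bit and pass through unchanged.
    One random bit is consumed per letter, least-significant bit first.
    `rand` may be supplied to make the encoding deterministic (e.g. in tests);
    otherwise fresh bytes come from os.urandom.
    """
    n_letters = sum(1 for c in qname if c.isalpha())
    if rand is None:
        rand = os.urandom((n_letters + 7) // 8)
    if len(rand) * 8 < n_letters:
        raise ValueError("not enough random bits for %d letters" % n_letters)
    out = []
    i = 0
    for c in qname:
        if c.isalpha():
            bit = (rand[i // 8] >> (i % 8)) & 1
            out.append(c.lower() if bit else c.upper())
            i += 1
        else:
            out.append(c)
    return "".join(out)


def extra_entropy_bits(qname):
    """Number of case bits an attacker must guess on top of TXID and port."""
    return sum(1 for c in qname if c.isalpha())


def build_query(txid, qname, qtype=1):
    """Serialize a minimal DNS query (RFC 1035 wire format), keeping qname's case."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b""
    for label in qname.rstrip(".").split("."):
        enc = label.encode("ascii")
        labels += bytes([len(enc)]) + enc
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def build_answer(txid, qname, ip):
    """Constructed response whose question section echoes qname exactly as given.

    A real authority copies the question from the query, so its echo carries
    the resolver's case bits; a forger has to guess them.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    question = build_query(txid, qname)[12:]
    # One A record: name pointer to offset 12, type A, class IN, TTL 300, 4 bytes rdata.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def parse_header_and_question(msg):
    """Return (txid, flags, qdcount, question_bytes); question names are uncompressed."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    pos = 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        pos += length
    pos += 4  # qtype + qclass
    return txid, flags, qdcount, msg[12:pos]


def answer_matches_query(query, answer):
    """0x20-aware acceptance check: QR set, TXID equal, and the question
    section identical byte for byte, which makes the comparison case-sensitive."""
    qtx, _, qqd, qq = parse_header_and_question(query)
    atx, aflags, aqd, aq = parse_header_and_query_section = parse_header_and_question(answer)
    return bool(aflags & 0x8000) and qtx == atx and qqd == aqd == 1 and qq == aq


def demo(rand=None):
    """Returns (legitimate answer accepted, all-lowercase forgery accepted)."""
    qname = encode_0x20("www.example.com", rand)
    txid = 0x1234  # assumed; a real resolver draws this at random too
    query = build_query(txid, qname)
    legit = build_answer(txid, qname, "192.0.2.1")                 # authority echoed our case
    forged = build_answer(txid, "www.example.com", "198.51.100.66")  # attacker guessed lowercase
    return answer_matches_query(query, legit), answer_matches_query(query, forged)


if __name__ == "__main__":
    print("case bits added:", extra_entropy_bits("www.example.com"))
    print("accepted (legit, forged):", demo())
```

The forgery is rejected whenever the attacker's case guess differs in at least one letter; with 13 letters in `www.example.com` the attacker's success probability per spoofed packet drops by a factor of 2^13 on top of the TXID and port guesses. Passing `rand=b"\xff\xff"` to `demo()` makes every letter lower case and shows the limit of the scheme: a guess that happens to match is accepted, so the protection is probabilistic, not absolute. Because the abstract says "almost all", not all, authorities preserve case, a production resolver also needs a fallback for servers that answer with a lower-cased question section.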


