Skip to main content
Springer Nature Link
Log in

Detecting DNS Root Manipulation

  • Conference paper
  • First Online:
Passive and Active Measurement (PAM 2016)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 9631))

Included in the following conference series:

Abstract

We present techniques for detecting unauthorized DNS root servers in the Internet using primarily endpoint-based measurements from RIPE Atlas, supplemented with BGP routing announcements from RouteViews and RIPE RIS. The first approach analyzes the latency to the root server and the second approach looks for route hijacks. We demonstrate the importance and validity of these techniques by measuring the only root server (“B”) not widely distributed using anycast. Our measurements establish the presence of several DNS proxies and a DNS root mirror.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    We L root selected solely for convenience.

  2. 2.

    The UDP query packets are not DNS requests, nor do they use the DNS service port.

References

  1. Anderson, C., Winter, P., Roya.: Global network interference detection over the RIPE atlas network. In: 4th USENIX Workshop on Free and Open Communications on the Internet (FOCI 2014). USENIX Association, San Diego, August 2014

    Google Scholar 

  2. Anonymous.: The Collateral Damage of Internet Censorship by DNS Injection. SIGCOMM Comput. Commun. Rev., 42(3), 21–27 (2012)

    Google Scholar 

  3. Anonymous.: Towards a comprehensive picture of the great firewall’s DNS censorship. In: 4th USENIX Workshop on Free and Open Communications on the Internet (FOCI 2014). USENIX Association, San Diego, August 2014

    Google Scholar 

  4. Austein, R.: DNS Name Server Identifier (NSID) Option, August 2007. https://tools.ietf.org/html/rfc5001

  5. Ballani, H., Francis, P.: Towards a global IP anycast service. In: Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, SIGCOMM 2005, pp. 301–312. ACM, New York (2005)

    Google Scholar 

  6. Ballani, H., Francis, P., Ratnasamy, S.: A measurement-based deployment proposal for IP anycast. In: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, IMC 2006, pp. 231–244. ACM, New York (2006)

    Google Scholar 

  7. Ballani, H., Francis, P., Zhang, X.: A study of prefix hijacking and interception in the internet. In: Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, SIGCOMM 2007, pp. 265–276. ACM, New York (2007)

    Google Scholar 

  8. Brown, M.A., Madory, D., Popescu, A., Zmijewski, E.: November 2010. http://research.dyn.com/wp-content/uploads/2014/07/DNS-Tampering-and-Root-Servers.pdf

  9. Bush, R., Mankin, A., Massey, D., Pei, D., Wang, L., Wu, F., Zhang, L., Zhao, X.: Protecting the BGP routes to top level DNS servers, June 2002. https://www.nanog.org/meetings/nanog25/presentations/massey.ppt

  10. Dagon, D., Lee, C., Lee, W., Provos, N.: Corrupted DNS resolution paths: the rise of a malicious resolution authority. In: Proceedings of 15th Network and Distributed System Security Symposium (NDSS), San Diego, CA (2008)

    Google Scholar 

  11. DNS Root Servers. root-servers.org (2015). http://root-servers.org/

  12. Khattak, S., Javed, M., Khayam, S.A., Uzmi, Z.A., Paxson, V.: A look at the consequences of internet censorship through an ISP lens. In: Proceedings of the Conference on Internet Measurement Conference, IMC 2014, pp. 271–284. ACM, New York (2014)

    Google Scholar 

  13. Kreibich, C., Weaver, N., Nechaev, B., Paxson, V.: Netalyzr: illuminating the edge network. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, IMC 2010, pp. 246–259. ACM, New York (2010)

    Google Scholar 

  14. Liang, J., Jiang, J., Duan, H., Li, K., Wu, J.: Measuring query latency of top level DNS servers. In: Roughan, M., Chang, R. (eds.) PAM 2013. LNCS, vol. 7799, pp. 145–154. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  15. Liston, R., Srinivasan, S., Zegura, E.: Diversity in DNS performance measures. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurment, IMW 2002, pp. 19–31. ACM, New York (2002)

    Google Scholar 

  16. Liu, Z., Huffaker, B., Fomenkov, M., Brownlee, N., Claffy, K.C.: Two days in the life of the DNS anycast root servers. In: Uhlig, S., Papagiannaki, K., Bonaventure, O. (eds.) PAM 2007. LNCS, vol. 4427, pp. 125–134. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  17. MaxMind, Inc. GeoIP2 Country (2015). https://www.maxmind.com/en/geoip2-country-database

  18. Nabi, Z.: The anatomy of web censorship in Pakistan. In: Presented as part of the 3rd USENIX Workshop on Free and Open Communications on the Internet. USENIX, Berkeley (2013)

    Google Scholar 

  19. Nordström, O., Dovrolis, C.: Beware of BGP attacks. SIGCOMM Comput. Commun. Rev. 34(2), 1–8 (2004)

    Article  Google Scholar 

  20. RIPE. YouTube Hijacking: A RIPE NCC RIS case study (2008). https://www.ripe.net/publications/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study

  21. RIPE. Built-In Measurements (2015). https://atlas.ripe.net/docs/built-in/

  22. RIPE. Routing Information Service (RIS) (2015). https://www.ripe.net/data-tools/stats/ris

  23. RIPE. What is RIPE Atlas? (2015). https://atlas.ripe.net/about/

  24. Sarat, S., Pappas, V., Terzis, A.: On the use of anycast in DNS. In: Proceedings of 15th International Conference on Computer Communications and Networks, 2006, ICCCN 2006, pp. 71–78, October 2006

    Google Scholar 

  25. Sekiya, Y., Cho, K., Kato, A., Somegawa, R., Jinmei, T., Murai, J.: Root and ccTLD DNS server observation from worldwide locations. In: Proceedings of Passive and Active Measurement 2003, April 2003

    Google Scholar 

  26. University of Oregon. RouteViews Project (2015). http://www.routeviews.org/

  27. Weaver, N., Kreibich, C., Nechaev, B., Paxson, V.: Implications of Netalyzrs DNS measurements. In: Proceedings of the First Workshop on Securing and Trusting Internet Names (SATIN), Teddington, United Kingdom (2011)

    Google Scholar 

  28. Weaver, N., Kreibich, C., Paxson, V.: Redirecting DNS for ads and profit. In: Presented as part of the 1st USENIX Workshop on Free and Open Communications on the Internet. USENIX (2011)

    Google Scholar 

Download references

Acknowledgments

This research was supported in part by NSF awards CNS-1540066, CNS-1602399, CNS-1223717, CNS-1237265, and CNS-1518918. Ben Jones is also partially supported by a senior research fellowship from the Open Technology Fund. Any opinions, findings, and conclusions or recommendations are those of the authors and do not necessarily reflect the views of the sponsors.

Author information

Authors and Affiliations

  1. Princeton University, Princeton, USA

    Ben Jones & Nick Feamster

  2. International Computer Science Institute, Berkeley, USA

    Vern Paxson, Nicholas Weaver & Mark Allman

  3. University of California, Berkeley, USA

    Vern Paxson

Authors
  1. Ben Jones
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nick Feamster
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Vern Paxson
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Nicholas Weaver
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Mark Allman
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ben Jones .

Editor information

Editors and Affiliations

  1. Microsoft Research, Cambridge, United Kingdom

    Thomas Karagiannis

  2. FORTH-ICS, Heraklion, Greece

    Xenofontas Dimitropoulos

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Jones, B., Feamster, N., Paxson, V., Weaver, N., Allman, M. (2016). Detecting DNS Root Manipulation. In: Karagiannis, T., Dimitropoulos, X. (eds) Passive and Active Measurement. PAM 2016. Lecture Notes in Computer Science(), vol 9631. Springer, Cham. https://doi.org/10.1007/978-3-319-30505-9_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-30505-9_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30504-2

  • Online ISBN: 978-3-319-30505-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics