ABSTRACT
We propose a privacy-aware schema that enables Authoritative DNS Servers to distribute their zones to third parties, e.g. Recursive DNS Servers or scrubbing services, without disclosing sensitive information. DNS attack mitigation can thus be performed at external vantage points, presumably closer to the attack sources than the Authoritative DNS Server. Our schema leverages the space, time, and privacy-enhancing properties of Cuckoo Filters to map zone names efficiently, while permitting rapid name updates for large zones. The feasibility of our approach is tested via experiments within our laboratory testbed for a variety of DNS zones. Our evaluation assesses the privacy-awareness of our schema and its responsiveness to zone name changes. We conclude that our approach enables mapping of large DNS zones while preserving privacy.
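The mechanism the abstract describes, as an added worked example that is not the paper's code or the authors' implementation: a minimal Cuckoo Filter (fingerprints stored in one of two candidate buckets, with relocation on collision) populated with the owner names of a constructed sample zone. The authoritative side ships only the filter; the receiving party can then test whether a queried name belongs to the zone and drop queries for names that cannot exist there, and a zone change is applied as a fingerprint deletion and insertion rather than a rebuild. The zone contents, the query stream, and the hash and fingerprint parameters are assumptions chosen for illustration.

```python
"""Zone-name membership via a Cuckoo Filter (added illustration; not the paper's code)."""
import hashlib
import random


class CuckooFilter:
    """Partial-key cuckoo filter: two candidate buckets per item, f-bit fingerprints."""

    def __init__(self, num_buckets=1024, bucket_size=4, fp_bits=16, max_kicks=500, seed=0):
        assert num_buckets & (num_buckets - 1) == 0, "num_buckets must be a power of two"
        self.num_buckets, self.bucket_size, self.max_kicks = num_buckets, bucket_size, max_kicks
        self.fp_mask = (1 << fp_bits) - 1
        self.buckets = [[] for _ in range(num_buckets)]
        self.count = 0
        self._rng = random.Random(seed)  # deterministic eviction choices, for reproducibility

    @staticmethod
    def _h(data: bytes) -> int:
        return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big")

    def _fingerprint(self, item: bytes) -> int:
        return (self._h(b"fp:" + item) & self.fp_mask) or 1  # keep fingerprints non-zero

    def _alt_index(self, index: int, fp: int) -> int:
        # i2 = i1 XOR h(fp) is an involution: either bucket plus the fingerprint yields the other.
        return (index ^ self._h(fp.to_bytes(4, "big"))) & (self.num_buckets - 1)

    def _candidates(self, item: bytes):
        fp = self._fingerprint(item)
        i1 = self._h(b"ix:" + item) & (self.num_buckets - 1)
        return fp, i1, self._alt_index(i1, fp)

    def insert(self, item: bytes) -> bool:
        fp, i1, i2 = self._candidates(item)
        for i in (i1, i2):
            if len(self.buckets[i]) < self.bucket_size:
                self.buckets[i].append(fp)
                self.count += 1
                return True
        # Both buckets full: evict a fingerprint into its alternate bucket, repeatedly, until a
        # free slot appears; if we give up, undo the eviction chain so no entry is lost.
        i, trail = self._rng.choice((i1, i2)), []
        for _ in range(self.max_kicks):
            j = self._rng.randrange(self.bucket_size)
            trail.append((i, j, self.buckets[i][j]))
            fp, self.buckets[i][j] = self.buckets[i][j], fp
            i = self._alt_index(i, fp)
            if len(self.buckets[i]) < self.bucket_size:
                self.buckets[i].append(fp)
                self.count += 1
                return True
        for i, j, old in reversed(trail):
            self.buckets[i][j] = old
        return False

    def contains(self, item: bytes) -> bool:
        fp, i1, i2 = self._candidates(item)
        return fp in self.buckets[i1] or fp in self.buckets[i2]

    def delete(self, item: bytes) -> bool:
        # Only delete names known to be in the zone: deleting an absent name whose
        # fingerprint collides would silently remove another name's entry.
        fp, i1, i2 = self._candidates(item)
        for i in (i1, i2):
            if fp in self.buckets[i]:
                self.buckets[i].remove(fp)
                self.count -= 1
                return True
        return False


def canonical(name: str) -> bytes:
    """DNS names are case-insensitive; strip the trailing dot (assumed: UTF-8, no IDNA handling)."""
    return name.rstrip(".").lower().encode("utf-8")


def build_zone_filter(owner_names, num_buckets=1024) -> CuckooFilter:
    """Authoritative side: only the filter (fingerprints, not names) leaves the server."""
    cf = CuckooFilter(num_buckets=num_buckets)
    for name in owner_names:
        if not cf.insert(canonical(name)):
            raise RuntimeError("filter full; rebuild with more buckets")
    return cf


def classify(cf: CuckooFilter, qnames):
    """Third-party side: rejected names certainly do not exist in the zone (no false negatives)."""
    accept, reject = [], []
    for q in qnames:
        (accept if cf.contains(canonical(q)) else reject).append(q)
    return accept, reject


# Constructed sample zone and query stream (not real data).
ZONE = ["example.se", "www.example.se", "mail.example.se", "ns1.example.se", "ns2.example.se"]
_rng = random.Random(42)
RANDOM_SUBDOMAINS = ["".join(_rng.choice("abcdefghijklmnopqrstuvwxyz0123456789")
                             for _ in range(12)) + ".example.se" for _ in range(200)]

if __name__ == "__main__":
    cf = build_zone_filter(ZONE)
    ok, dropped = classify(cf, ["WWW.Example.se.", "mail.example.se"] + RANDOM_SUBDOMAINS)
    print(f"accepted {len(ok)}, dropped {len(dropped)} of {len(RANDOM_SUBDOMAINS)} random names")
    cf.delete(canonical("ns2.example.se"))  # zone change applied without a rebuild
    cf.insert(canonical("ns3.example.se"))
    print("ns3.example.se now accepted:", cf.contains(canonical("ns3.example.se")))
```

Two caveats a deployer would check: lookups can return false positives (at most about 2b/2^f for b entries per bucket and f-bit fingerprints), so an accepted name must still be resolved normally rather than answered from the filter; and deleting a name that was never inserted can remove another name's fingerprint, so deletions must be driven by the authoritative zone's own change log. The exported filter holds only fingerprints, so a recipient cannot enumerate the zone, although it can still confirm guessed names offline, which is the same capability it already has by querying over the wire.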