DNSSEC for cyber forensics

Domain Name System (DNS) cache poisoning is a stepping stone towards advanced (cyber) attacks. DNS cache poisoning can be used to monitor users' activities for censorship, to distribute malware and spam, and to subvert the correctness and availability of Internet clients and services. Currently, the DNS infrastructure relies on challenge-response defences against attacks by (the common) off-path adversaries. Such defences do not suffice against stronger, man-in-the-middle (MitM) adversaries. However, MitM is not believed to be common; hence, there seems to be little motivation to adopt systematic, cryptographic mechanisms. We show that challenge-response defences do not protect against cache poisoning. In particular, we review common situations where (1) attackers can frequently obtain MitM capabilities and (2) even weaker attackers can subvert DNS security. We also experimentally study dependencies in the DNS infrastructure, in particular dependencies within domain registrars and within domains, and show that multiple dependencies result in a more vulnerable DNS. We review the Domain Name System Security Extensions (DNSSEC), the defence against DNS cache poisoning, and argue that not only is it the most suitable mechanism for preventing cache poisoning, but it is also the only proposed defence that enables a posteriori forensic analysis of attacks.
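The abstract's last claim, that DNSSEC is the only defence that supports a posteriori forensics, rests on a simple property: a challenge-response check (TXID and source port) is something a MitM can satisfy and that a log review therefore cannot use to separate genuine from injected answers, whereas a signature made with the zone's private key survives in the cache and can be re-verified later against the public key alone. The following Python model is an added illustration written for this page; it is not code from the paper or its authors. It uses a toy textbook-RSA signature over a canonicalised RRset in place of the real RRSIG/DNSKEY wire format, and the domain names, addresses, TXID and port are constructed sample values.

```python
"""Toy model of why DNSSEC signatures, unlike DNS challenge-response
defences, let an analyst tell poisoned cache entries from genuine ones
after the fact.  Added illustration; not real DNSSEC wire format."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- Toy RSA signing (stand-in for RRSIG/DNSKEY, NOT the real format) ----
# Two Mersenne primes give a modulus (~2^92) large enough that SHA-256
# digests reduced mod N do not collide in practice; real zones use >=2048 bits.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the zone owner only


@dataclass(frozen=True)
class RRset:
    owner: str              # e.g. "www.example.com."
    rtype: str              # e.g. "A"
    rdata: Tuple[str, ...]  # one or more records, any order
    ttl: int = 300


def canonical(rr: RRset) -> bytes:
    """Canonical form: lower-cased owner, sorted RDATA (in the spirit of RFC 4034)."""
    lines = [f"{rr.owner.lower()} {rr.ttl} IN {rr.rtype} {r}" for r in sorted(rr.rdata)]
    return "\n".join(lines).encode()


def _digest_int(rr: RRset) -> int:
    return int.from_bytes(hashlib.sha256(canonical(rr)).digest(), "big") % N


def sign(rr: RRset) -> int:
    """Zone-owner side: RRSIG-like signature over the canonical RRset."""
    return pow(_digest_int(rr), D, N)


def verify(rr: RRset, sig: int) -> bool:
    """Validator side: needs only the zone's public key (N, E)."""
    return pow(sig, E, N) == _digest_int(rr)


# --- Resolver-side evidence ---------------------------------------------
@dataclass
class CacheEntry:
    rrset: RRset
    sig: Optional[int]      # None when the answer carried no RRSIG
    txid: int               # challenge-response values the resolver matched
    src_port: int


def challenge_response_ok(entry: CacheEntry, sent_txid: int, sent_port: int) -> bool:
    """All a non-DNSSEC resolver (or a later log review) can check: did the
    reply echo the query's TXID and port?  A MitM saw both, so it always passes."""
    return entry.txid == sent_txid and entry.src_port == sent_port


def forensic_audit(cache: List[CacheEntry]) -> List[str]:
    """A posteriori check over a dumped cache, one verdict per entry in order:
    a record whose signature fails under the zone's public key was not
    produced by the zone owner, however it got into the cache."""
    verdicts = []
    for e in cache:
        if e.sig is None:
            verdicts.append("unsigned: cannot decide")
        elif verify(e.rrset, e.sig):
            verdicts.append("authentic")
        else:
            verdicts.append("POISONED: signature invalid")
    return verdicts


def demo() -> dict:
    # Constructed scenario: the resolver sends one query with a random TXID
    # and port; a MitM who observed the query substitutes the RDATA but can
    # only replay the RRSIG bytes it saw, since it lacks the private key D.
    sent_txid, sent_port = 0x4E2A, 52391
    genuine = RRset("www.example.com.", "A", ("192.0.2.10",))
    genuine_sig = sign(genuine)                                    # made by the zone owner
    poisoned = RRset("www.example.com.", "A", ("198.51.100.66",))  # substituted address
    cache = [
        CacheEntry(genuine, genuine_sig, sent_txid, sent_port),
        CacheEntry(poisoned, genuine_sig, sent_txid, sent_port),   # same TXID/port, old RRSIG
        CacheEntry(RRset("mail.example.com.", "A", ("192.0.2.25",)), None, sent_txid, sent_port),
    ]
    return {
        "challenge_response_accepts_all":
            all(challenge_response_ok(e, sent_txid, sent_port) for e in cache),
        "audit": forensic_audit(cache),
    }


if __name__ == "__main__":
    print(demo())
```

The third cache entry shows the limit the paper's argument implies: where a zone is unsigned, the cache holds no evidence either way, so the forensic benefit only materialises for DNSSEC-signed domains.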
