Increased DNS forgery resistance through 0x20-bit encoding: security via leet queries

We describe a novel, practical and simple technique to make DNS queries more resistant to poisoning attacks: mix the upper- and lower-case spelling of the domain name in the query. Fortuitously, almost all DNS authority servers preserve the mixed-case encoding of the query in answer messages, so a recursive resolver can compare the question echoed in an answer byte-for-byte against the spelling it sent, rather than with the case-insensitive name comparison DNS otherwise uses. Attackers hoping to poison a DNS cache must therefore guess the mixed-case encoding of the query (one extra bit per ASCII letter in the name), in addition to all other fields required in a DNS poisoning attack. This increases the difficulty of the attack. We describe and measure the additional protection realized by this technique. Our analysis includes a basic model of DNS poisoning, measurement of the benefits that come from case-sensitive query encoding, an implementation of the system for recursive DNS servers, and a large-scale real-world experimental evaluation. Since the benefits of our technique can be significant, we have simultaneously submitted this DNS encoding system to the IETF as a proposed standard. Our approach is practical enough that, just weeks after its disclosure, it is being implemented by numerous DNS vendors.
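The following is an added worked example, not code from the paper or from any DNS implementation: a resolver-side model of the technique described above. The case pattern is derived here from an HMAC over the lower-cased name under a per-resolver secret (the choice of HMAC-SHA256, the key `RESOLVER_KEY`, and all function names are this example's assumptions, not the paper's), the authoritative server is modelled as copying the question section verbatim into its reply, and the resolver accepts a reply only if the transaction ID and the echoed question bytes match exactly. It also carries the abstract's basic poisoning model: the per-packet success probability for an attacker who must guess the TXID, any source-port bits, and the case bits.

```python
"""
Added example (not from the paper): DNS 0x20 encoding as seen by a resolver.

The resolver spells the query name with a key-dependent mix of upper and lower
case, sends it, and accepts an answer only if the TXID *and* the echoed
question bytes match exactly.  An attacker who does not know the case pattern
must guess one extra bit per ASCII letter in the name.
"""
import hashlib
import hmac
import struct

# Hypothetical per-resolver secret; a real resolver would generate it at start-up.
RESOLVER_KEY = b"example-secret-key-change-me"


def encode_0x20(qname: str, key: bytes = RESOLVER_KEY) -> str:
    """Return qname with a deterministic, key-dependent mixed-case spelling.

    Deriving the pattern from HMAC(key, lowercase name) lets the resolver
    recompute the expected spelling instead of storing it per query.
    (Any unpredictable bit source works; HMAC is this example's choice.)
    """
    name = qname.rstrip(".").lower()
    digest = hmac.new(key, name.encode("ascii"), hashlib.sha256).digest()
    out = []
    bit = 0
    for ch in name:
        if ch.isascii() and ch.isalpha():
            # One digest bit per letter.  Names are <= 253 octets, so the
            # 256-bit digest is never exhausted; the modulo is defensive.
            byte = digest[(bit // 8) % len(digest)]
            out.append(ch.upper() if (byte >> (bit % 8)) & 1 else ch)
            bit += 1
        else:
            out.append(ch)  # digits, '-' and '.' carry no case bit
    return "".join(out)


def extra_bits(qname: str) -> int:
    """Entropy (bits) that 0x20 adds: one per ASCII letter in the name."""
    return sum(1 for c in qname.rstrip(".") if c.isascii() and c.isalpha())


def spoof_success_probability(qname: str, txid_bits: int = 16,
                              port_bits: int = 0, use_0x20: bool = True) -> float:
    """Basic poisoning model: probability that ONE forged packet is accepted
    when the attacker must guess TXID, source port and the case pattern."""
    bits = txid_bits + port_bits + (extra_bits(qname) if use_0x20 else 0)
    return 2.0 ** -bits


# --- minimal wire format (RFC 1035 question section, no label compression) ---

def encode_qname(qname: str) -> bytes:
    wire = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1, qclass: int = 1) -> bytes:
    # Header: id, flags (RD=1), QDCOUNT=1, AN/NS/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, qclass)


def authoritative_reply(query: bytes) -> bytes:
    """Model of the server behaviour the technique relies on: the question
    section, case included, is copied verbatim into the response."""
    (txid,) = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 0, 0)  # QR=1, AA=1
    return header + query[12:]  # echoed question; answer RRs omitted here


def forged_reply(txid: int, qname_as_guessed: str) -> bytes:
    """Attacker packet: TXID known or guessed, case pattern only guessed."""
    return authoritative_reply(build_query(txid, qname_as_guessed))


def accept_response(query: bytes, response: bytes) -> bool:
    """Resolver check: same TXID and a byte-identical echoed question section
    (deliberately NOT the case-insensitive comparison of RFC 1035)."""
    if query[:2] != response[:2]:
        return False
    question = query[12:]
    return response[12:12 + len(question)] == question


def demo(name: str = "www.example.com", txid: int = 0x1234):
    """Send a 0x20-encoded query, then check a genuine and a forged reply."""
    sent = encode_0x20(name)
    query = build_query(txid, sent)
    genuine = authoritative_reply(query)
    # The attacker's guess is made the exact case-complement of the resolver's
    # spelling so the demonstration is deterministic; any wrong pattern fails.
    forged = forged_reply(txid, sent.swapcase())
    return accept_response(query, genuine), accept_response(query, forged), extra_bits(name)
```

Running `demo()` returns `(True, False, 13)`: the genuine reply is accepted, the forged one with the right TXID but the wrong case pattern is rejected, and `www.example.com` contributes 13 extra bits, so a blind spoof against a resolver with a fixed source port drops from roughly 2^-16 to 2^-29 per packet. Names made mostly of digits or hyphens gain little, which is the caveat the abstract's "can be significant" hides; label compression in real responses is not handled by this toy parser.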
