Quantifying DNS namespace influence

Name resolution using the Domain Name System (DNS) is integral to today's Internet. The resolution of a domain name is often dependent on namespace outside the control of the domain's owner. In this article we review the DNS protocol and several DNS server implementations. Based on our examination, we propose a formal model for analyzing the name dependencies inherent in DNS. Using our name dependency model we derive metrics to quantify the extent to which domain names affect other domain names. It is found that under certain conditions, more than half of the queries for a domain name are influenced by namespaces not expressly configured by administrators. This result serves to quantify the degree of vulnerability of DNS due to dependencies that administrators are unaware of. When we apply metrics from our model to production DNS data, we show that the set of domains whose resolution affects a given domain name is much smaller than previously thought. However, behaviors such as using cached addresses for querying authoritative servers and chaining domain name aliases increase the number and diversity of influential domains, thereby making the DNS infrastructure more vulnerable.
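The name-dependency idea in the abstract, as an added illustration (not the paper's model or code): a minimal transitive closure over constructed NS and CNAME data that counts how many zones influence the resolution of one name, and how many of those lie outside the delegation path the name's administrator configured. It assumes every name-server name must itself be resolved (no glue or cache shortcuts) and treats a zone as "influential" whenever its NS set is needed.

```python
# Constructed sample namespace: zone apex -> its NS names, and alias -> target.
NS_RECORDS = {
    ".": ["a.root-servers.net."],
    "net.": ["ns.gtld.net."],
    "com.": ["ns.gtld.net."],
    "root-servers.net.": ["a.root-servers.net."],
    "gtld.net.": ["ns.gtld.net."],
    "dnshost.net.": ["ns1.dnshost.net."],
    "cdn.net.": ["ns1.dnshost.net."],
    "example.com.": ["ns1.example.com.", "ns2.dnshost.net."],
}
CNAME_RECORDS = {"www.example.com.": "edge.cdn.net."}


def enclosing_zones(name):
    """Zones on the delegation path from the root down to `name`."""
    labels = name.rstrip(".").split(".")
    candidates = [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]
    return [zone for zone in candidates if zone in NS_RECORDS]


def influential_zones(name, follow_cname=True):
    """Transitive set of zones whose NS records can affect resolving `name`."""
    seen, zones, stack = set(), set(), [name]
    while stack:
        current = stack.pop()
        if current in seen:          # cycles (e.g. a server in its own zone) end here
            continue
        seen.add(current)
        for zone in enclosing_zones(current):
            if zone not in zones:
                zones.add(zone)
                stack.extend(NS_RECORDS[zone])   # each NS name must be resolved too
        if follow_cname and current in CNAME_RECORDS:
            stack.append(CNAME_RECORDS[current])  # alias chaining adds dependencies
    return zones


def indirect_influence(name, follow_cname=True):
    """(zones outside the configured delegation path, total influential zones)."""
    zones = influential_zones(name, follow_cname)
    direct = set(enclosing_zones(name))
    return len(zones - direct), len(zones)


if __name__ == "__main__":
    print(indirect_influence("www.example.com.", follow_cname=False))  # (4, 7)
    print(indirect_influence("www.example.com."))                      # (5, 8)
```

Following the alias pulls `cdn.net.` into the influential set, which is the effect the abstract attributes to CNAME chaining.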
