Zone Poisoning: The How and Where of Non-Secure DNS Dynamic Updates

This paper illuminates the problem of non-secure DNS dynamic updates, which allow a miscreant to manipulate DNS entries in the zone files of authoritative name servers. We refer to this type of attack as zone poisoning. This paper presents the first measurement study of the vulnerability. We analyze a random sample of 2.9 million domains and the Alexa top 1 million domains and find that at least 1,877 (0.065%) and 587 (0.062%) of the domains, respectively, are vulnerable. Among the vulnerable domains are governments, health care providers and banks, demonstrating that the threat impacts important services. Via this study and subsequent notifications to affected parties, we aim to improve the security of the DNS ecosystem.
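The non-secure configuration the abstract describes, beside a hardened one, as an added illustration that is not part of the paper: a BIND 9 named.conf zone stanza that accepts dynamic updates (RFC 2136) from any source, and the same zone restricted to TSIG-authenticated updates from a named key. The zone name example.com, the key name ddns-key and the hostnames are assumptions for the example; the key secret is a placeholder.

```conf
// --- WEAK: unauthenticated dynamic updates from anyone ---
// Any host that can reach the authoritative server on UDP/TCP 53
// can add, change or delete records in this zone: this is the
// "non-secure dynamic update" condition the paper measures.
zone "example.com" IN {
    type master;
    file "db.example.com";
    allow-update { any; };
};

// --- HARDENED: TSIG-authenticated, scoped dynamic updates ---
// Shared secret for TSIG (RFC 2845). Generate with tsig-keygen and
// distribute only to the updater (e.g. the DHCP server).
// "<base64-secret>" is a placeholder, not a real key.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "<base64-secret>";
};

zone "example.com" IN {
    type master;
    file "db.example.com";
    // Dynamic updates are only accepted when signed with ddns-key,
    // and only for the named host's address records. Everything
    // else in the zone stays read-only over DNS UPDATE.
    update-policy {
        grant ddns-key name host1.example.com. A AAAA;
    };
};
```

Detection hint for operators: BIND logs accepted updates under the `update` logging category, so an `update` channel at `info` severity will show whether a zone is receiving updates from clients you did not provision with a key.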
