Towards Security of Internet Naming Infrastructure



Fraunhofer Institute for Secure Information Technology (SIT), Technische Universität Darmstadt, Darmstadt, Germany
Fachbereich Informatik, Technische Universität Darmstadt, Darmstadt, Germany
{haya.shulman,michael.waidner}@sit.fraunhofer.de

Abstract. We study the operational characteristics of the server side of the Internet's naming infrastructure. Our findings reveal common architectures in which name servers are 'hidden' behind server-side caching DNS resolvers. We explore the extent and scope of the name servers that use server-side caching resolvers, and find such configurations in at least 38 % of the domains in a forward DNS tree and a higher percentage of the domains in a reverse DNS tree. We characterise the operators of the server-side caching resolvers and provide motivations that explain their prevalence. Our experimental evaluation indicates that the caching infrastructures are typically run by third parties, and that the services provided by these third parties often do not follow best practices, resulting in misconfigurations, vulnerabilities and degraded performance of the DNS servers in popular domains.
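The configuration the abstract describes, a caching resolver sitting at the address that the zone lists as its authoritative name server, is visible in the DNS header of the reply: a genuine authoritative server answers a query for its own zone with AA (authoritative answer) set and RA (recursion available) clear, whereas a caching resolver in front of it typically answers with RA set and AA clear. The following script is an added example written for this page, not code from the paper or its authors. It builds a raw non-recursive query, parses the reply header, and classifies the responding host from those two bits; the classification is a heuristic assumed here, the sample replies are constructed (not captures), and `192.0.2.10` is a documentation-range placeholder address.

```python
"""Does a host listed in a zone's NS records answer like an authoritative
server or like a caching resolver?  Added example (not from the paper);
standard library only.  Classification is a heuristic on the AA
(authoritative answer) and RA (recursion available) header bits.
"""
import secrets
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_REFUSED = 5


def encode_name(name):
    """Encode 'example.com.' into DNS wire-format labels."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qname, txid, qtype=QTYPE_A):
    """Build a non-recursive query (RD=0), the kind a client-side resolver
    sends to what it believes is the zone's authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_responder(msg, expected_id):
    """Map the header of a reply to the role of the host that produced it
    (heuristic assumed for this example)."""
    h = parse_header(msg)
    if not h["qr"] or h["id"] != expected_id:
        return "not-a-matching-response"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if h["aa"] and not h["ra"]:
        return "authoritative"                # expected profile for an NS host
    if h["aa"] and h["ra"]:
        return "authoritative-and-recursive"  # serves the zone but also recurses
    if h["ra"]:
        return "caching-resolver"             # no AA, offers recursion: a resolver answered
    return "not-authoritative-for-zone"       # neither bit: lame delegation or forwarder


def make_sample_response(txid, flags, qname="example.com.", ip="192.0.2.10"):
    """Constructed reply carrying one A record (offline sample data, not a capture)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    # Owner name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


def probe(ns_ip, qname, timeout=2.0):
    """Send one query over UDP to a host listed as NS and classify the reply."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (ns_ip, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_responder(reply, txid)


if __name__ == "__main__":
    # Offline demonstration on constructed replies; use probe(ip, zone) for a live check
    # of your own zone's NS hosts.
    samples = {
        "authoritative server": 0x8400,   # QR, AA
        "caching resolver": 0x8180,       # QR, RD, RA
        "auth + open recursion": 0x8480,  # QR, AA, RA
        "refused": 0x8185,                # QR, RD, RA, RCODE=5
    }
    for label, flags in samples.items():
        print(f"{label:22s} -> {classify_responder(make_sample_response(0x1234, flags), 0x1234)}")
```

The query is sent with RD=0 for the zone apex itself, so a host that really serves the zone has no reason to omit AA; a reply with RA set and AA clear is the signature of a resolver answering on the server's behalf, and "authoritative-and-recursive" flags an authoritative server that also offers recursion, which operators generally want to turn off. Run `probe` against each address in your zone's NS set as a periodic hygiene check; the heuristic can misfire on unusual front-end setups, so treat an unexpected result as a prompt to inspect the host, not as proof by itself.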

1 Introduction

The Domain Name System (DNS) [RFC1034, RFC1035] is the Internet's naming infrastructure; see the background in Appendix, Sect. A. DNS plays a central role in network operation, and its correctness and efficiency are critical to the stability and availability of the Internet. Initially designed to translate domain names to IP addresses, the DNS infrastructure has evolved into a complex ecosystem and is increasingly utilised to support a wide range of applications. Because of the important function that DNS fulfils in the Internet, understanding and characterising it is critical for the security, efficiency and functionality of systems and networks. In this work we utilise Internet-scale measurements to study the server side of the DNS infrastructure. Within our study we find common configurations of DNS name servers that utilise server-side caching DNS resolvers to handle requests from client-side resolvers. In these configurations the DNS name servers are hidden behind recursive caching resolvers. In particular, the IP address of the server-side resolver is registered as the authoritative name server in the zone file of the target domain. As a result, client-side resolvers query that IP address (of the server-side resolver) and never communicate with the name server directly (its IP address is not exposed to the client-side resolvers). In this work we identify and study the name servers supporting such configurations. Caching is an important building block in the design of scalable network architectures, and offers advantages such as improved availability, security and reduced latency for responses to clients. Caching proxies are common on the client side of the DNS infrastructure, where

H. Shulman and M. Waidner
© Springer International Publishing Switzerland 2015. G. Pernul et al. (Eds.): ESORICS 2015, Part I, LNCS 9326, pp. 3–22, 2015. DOI: 10.1007/978-3-319-24174-6_1