On measuring the client-side DNS infrastructure

Abstract: The Domain Name System (DNS) is a critical component of the Internet infrastructure. It allows users to interact with Web sites using human-readable names and provides a foundation for transparent client request distribution among servers in Web platforms, such as content delivery networks. In this paper, we present methodologies for efficiently discovering the complex client-side DNS infrastructure. We further develop measurement techniques for isolating the behavior of the distinct actors in the infrastructu… Show more

“…The architecture of the client-side DNS resolution infrastructure varies across providers-which we discuss in depth in companion work [14]. Here we provide a short overview of our terminology.…”

“…Our basic methodology for studying the vulnerability of the client-side DNS infrastructure is to probe the Internet in search of ODNS resolvers, similar to previous efforts [5,14]. We register a domain and deploy an ADNS for this domain.…”

“…Finally, we note that the use of RDNS pools (e.g., [7,14]) serves to mitigate the Kaminsky attack as well. Regardless of the IP address the attacker uses as entry point into the pool, the IP address used to communicate with the ADNS is chosen according to an algorithm unknown to the attacker.…”

“…Open resolvers have long been a known security issue. However, the prevalence of such resolvers is increasing-from 15M in 2010 [11] to 30M in 2013 [14]. While not all open resolvers are vulnerable, their increasing numbers provide a larger attack surface that we must understand.…”

“…Our general finding is that DNS security soft spots are not rare-even for vulnerabilities that have been known for years. Finally, note that our datasets are available for community use [13].…”

Assessing DNS Vulnerability to Record Injection

“…The architecture of the client-side DNS resolution infrastructure varies across providers-which we discuss in depth in companion work [14]. Here we provide a short overview of our terminology.…”

“…Our basic methodology for studying the vulnerability of the client-side DNS infrastructure is to probe the Internet in search of ODNS resolvers, similar to previous efforts [5,14]. We register a domain and deploy an ADNS for this domain.…”

“…Finally, we note that the use of RDNS pools (e.g., [7,14]) serves to mitigate the Kaminsky attack as well. Regardless of the IP address the attacker uses as entry point into the pool, the IP address used to communicate with the ADNS is chosen according to an algorithm unknown to the attacker.…”

“…Open resolvers have long been a known security issue. However, the prevalence of such resolvers is increasing-from 15M in 2010 [11] to 30M in 2013 [14]. While not all open resolvers are vulnerable, their increasing numbers provide a larger attack surface that we must understand.…”

“…Our general finding is that DNS security soft spots are not rare-even for vulnerabilities that have been known for years. Finally, note that our datasets are available for community use [13].…”

Assessing DNS Vulnerability to Record Injection

Cache Me Outside: A New Look at DNS Cache Probing

Assessing Support for DNS-over-TCP in the Wild