Security of patched DNS

Amir Herzberg; Haya Shulman

doi:10.1007/978-3-642-33167-1_16

Security of patched DNS

Amir Herzberg, Haya Shulman

CS@BIU

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

47 Scopus citations

Abstract

Most caching DNS resolvers still rely for their security, against poisoning, on validating that the DNS responses contain some 'unpredictable' values, copied from the request. These values include the 16 bit identifier field, and other fields, randomised and validated by different 'patches' to DNS. We investigate the prominent patches, and show how attackers can circumvent all of them, namely: - We show how attackers can circumvent source port randomisation, in the (common) case where the resolver connects to the Internet via different NAT devices. - We show how attackers can circumvent IP address randomisation, using some (standard-conforming) resolvers. - We show how attackers can circumvent query randomisation, including both randomisation by prepending a random nonce and case randomisation (0x20 encoding). We present countermeasures preventing our attacks; however, we believe that our attacks provide additional motivation for adoption of DNSSEC (or other MitM-secure defenses).

Original language	English
Title of host publication	Computer Security, ESORICS 2012 - 17th European Symposium on Research in Computer Security, Proceedings
Pages	271-288
Number of pages	18
DOIs	https://doi.org/10.1007/978-3-642-33167-1_16
State	Published - 2012
Event	17th European Symposium on Research in Computer Security, ESORICS 2012 - Pisa, Italy Duration: 10 Sep 2012 → 12 Sep 2012

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	7459 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	17th European Symposium on Research in Computer Security, ESORICS 2012
Country/Territory	Italy
City	Pisa
Period	10/09/12 → 12/09/12

Keywords

DNS poisoning
DNS security
DNS server selection
Internet security
Kamisky attack
NAT
Network Address Translator

Access to Document

10.1007/978-3-642-33167-1_16

Cite this

Herzberg, A., & Shulman, H. (2012). Security of patched DNS. In Computer Security, ESORICS 2012 - 17th European Symposium on Research in Computer Security, Proceedings (pp. 271-288). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7459 LNCS). https://doi.org/10.1007/978-3-642-33167-1_16

@inproceedings{c57669559a744d76a30d62930ddc930c,

title = "Security of patched DNS",

abstract = "Most caching DNS resolvers still rely for their security, against poisoning, on validating that the DNS responses contain some 'unpredictable' values, copied from the request. These values include the 16 bit identifier field, and other fields, randomised and validated by different 'patches' to DNS. We investigate the prominent patches, and show how attackers can circumvent all of them, namely: - We show how attackers can circumvent source port randomisation, in the (common) case where the resolver connects to the Internet via different NAT devices. - We show how attackers can circumvent IP address randomisation, using some (standard-conforming) resolvers. - We show how attackers can circumvent query randomisation, including both randomisation by prepending a random nonce and case randomisation (0x20 encoding). We present countermeasures preventing our attacks; however, we believe that our attacks provide additional motivation for adoption of DNSSEC (or other MitM-secure defenses).",

keywords = "DNS poisoning, DNS security, DNS server selection, Internet security, Kamisky attack, NAT, Network Address Translator",

author = "Amir Herzberg and Haya Shulman",

year = "2012",

doi = "10.1007/978-3-642-33167-1_16",

language = "אנגלית",

isbn = "9783642331664",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "271--288",

booktitle = "Computer Security, ESORICS 2012 - 17th European Symposium on Research in Computer Security, Proceedings",

note = "17th European Symposium on Research in Computer Security, ESORICS 2012 ; Conference date: 10-09-2012 Through 12-09-2012",

}

Herzberg, A & Shulman, H 2012, Security of patched DNS. in Computer Security, ESORICS 2012 - 17th European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 7459 LNCS, pp. 271-288, 17th European Symposium on Research in Computer Security, ESORICS 2012, Pisa, Italy, 10/09/12. https://doi.org/10.1007/978-3-642-33167-1_16

Security of patched DNS. / Herzberg, Amir; Shulman, Haya.
Computer Security, ESORICS 2012 - 17th European Symposium on Research in Computer Security, Proceedings. 2012. p. 271-288 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7459 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Security of patched DNS

AU - Herzberg, Amir

AU - Shulman, Haya

PY - 2012

Y1 - 2012

N2 - Most caching DNS resolvers still rely for their security, against poisoning, on validating that the DNS responses contain some 'unpredictable' values, copied from the request. These values include the 16 bit identifier field, and other fields, randomised and validated by different 'patches' to DNS. We investigate the prominent patches, and show how attackers can circumvent all of them, namely: - We show how attackers can circumvent source port randomisation, in the (common) case where the resolver connects to the Internet via different NAT devices. - We show how attackers can circumvent IP address randomisation, using some (standard-conforming) resolvers. - We show how attackers can circumvent query randomisation, including both randomisation by prepending a random nonce and case randomisation (0x20 encoding). We present countermeasures preventing our attacks; however, we believe that our attacks provide additional motivation for adoption of DNSSEC (or other MitM-secure defenses).

AB - Most caching DNS resolvers still rely for their security, against poisoning, on validating that the DNS responses contain some 'unpredictable' values, copied from the request. These values include the 16 bit identifier field, and other fields, randomised and validated by different 'patches' to DNS. We investigate the prominent patches, and show how attackers can circumvent all of them, namely: - We show how attackers can circumvent source port randomisation, in the (common) case where the resolver connects to the Internet via different NAT devices. - We show how attackers can circumvent IP address randomisation, using some (standard-conforming) resolvers. - We show how attackers can circumvent query randomisation, including both randomisation by prepending a random nonce and case randomisation (0x20 encoding). We present countermeasures preventing our attacks; however, we believe that our attacks provide additional motivation for adoption of DNSSEC (or other MitM-secure defenses).

KW - DNS poisoning

KW - DNS security

KW - DNS server selection

KW - Internet security

KW - Kamisky attack

KW - NAT

KW - Network Address Translator

UR - http://www.scopus.com/inward/record.url?scp=84865607559&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-33167-1_16

DO - 10.1007/978-3-642-33167-1_16

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:84865607559

SN - 9783642331664

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 271

EP - 288

BT - Computer Security, ESORICS 2012 - 17th European Symposium on Research in Computer Security, Proceedings

T2 - 17th European Symposium on Research in Computer Security, ESORICS 2012

Y2 - 10 September 2012 through 12 September 2012

ER -

Security of patched DNS

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this