TY - GEN
T1 - Vulnerable delegation of DNS resolution
AU - Herzberg, Amir
AU - Shulman, Haya
PY - 2013
Y1 - 2013
N2 - A growing number of networks delegate their DNS resolution to trusted upstream resolvers. The communication to and from the upstream resolver is invisible to off-path attackers. Hence, such delegation is considered to improve the resilience of the resolvers to cache-poisoning and DoS attacks, and also to provide other security, performance, reliability and management advantages. We show that merely relying on an upstream resolver for security may in fact result in vulnerability to DNS poisoning and DoS attacks. The attack proceeds in modular steps: detecting delegation of DNS resolution, discovering the IP address of the internal (proxy) resolver, discovering the source port used for the (victim) DNS request, and then completing the attack. The steps of the attack can be of independent use, e.g., the proxy resolver can be exposed to denial-of-service attacks once its IP address is discovered. We provide recommendations for securing the DNS service delegation, to avoid these vulnerabilities.
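The abstract's third step (discovering the source port of the proxy's outstanding query) is what collapses the off-path attacker's search space. The model below is an added illustration written for this record, not code from the paper: a toy proxy resolver that accepts a response only when name, destination port and 16-bit TXID all match its outstanding query, and a blind attacker who either knows the port or must sweep ports as well. The ephemeral port range 1024..65535, the query name and the fixed-port option are constructed assumptions; the model ignores the timing race against the genuine upstream response and the probing steps the paper uses to learn the port.

```python
import random

TXID_SPACE = 1 << 16               # 16-bit DNS transaction ID
PORT_LOW, PORT_HIGH = 1024, 65535  # assumed ephemeral source-port range
PORT_SPACE = PORT_HIGH - PORT_LOW + 1


class ProxyResolver:
    """Constructed stand-in for the internal (proxy) resolver: it forwards a
    query to the upstream resolver and accepts the first response whose
    (name, destination port, TXID) matches the query it has outstanding.
    fixed_port models a proxy that does not randomize its source port."""

    def __init__(self, seed=0, fixed_port=None):
        self.rng = random.Random(seed)
        self.fixed_port = fixed_port
        self.outstanding = None

    def send_query(self, qname):
        if self.fixed_port is not None:
            port = self.fixed_port
        else:
            port = self.rng.randint(PORT_LOW, PORT_HIGH)
        txid = self.rng.randrange(TXID_SPACE)
        self.outstanding = (qname, port, txid)
        return port, txid

    def receive(self, qname, port, txid):
        """True when a (possibly forged) response is accepted and cached."""
        if self.outstanding == (qname, port, txid):
            self.outstanding = None
            return True
        return False


def guesses(known_port):
    """Candidate (port, TXID) pairs an off-path attacker tries, in order.
    With the port discovered only the 2^16 TXIDs remain; without it the
    attacker has to sweep the whole port x TXID space."""
    if known_port is not None:
        for txid in range(TXID_SPACE):
            yield known_port, txid
    else:
        for port in range(PORT_LOW, PORT_HIGH + 1):
            for txid in range(TXID_SPACE):
                yield port, txid


def blind_attack(resolver, qname, known_port, budget):
    """Flood forged responses without seeing the real query.
    Returns (poisoned, packets_sent)."""
    sent = 0
    for port, txid in guesses(known_port):
        if sent >= budget:
            break
        sent += 1
        if resolver.receive(qname, port, txid):
            return True, sent
    return False, sent


def poison_probability(budget, port_known):
    """Closed form for distinct guesses without replacement."""
    space = TXID_SPACE if port_known else TXID_SPACE * PORT_SPACE
    return min(budget, space) / space


if __name__ == "__main__":
    qname = "www.example.com"  # constructed sample query

    proxy = ProxyResolver(seed=2013)          # port-randomizing proxy
    port, _ = proxy.send_query(qname)
    print("port discovered :", blind_attack(proxy, qname, port, TXID_SPACE))

    proxy = ProxyResolver(seed=2013)
    proxy.send_query(qname)
    print("port unknown    :", blind_attack(proxy, qname, None, TXID_SPACE))

    for budget in (TXID_SPACE, 10 ** 6):
        print(budget, "packets ->",
              poison_probability(budget, True),
              poison_probability(budget, False))
```

With the port known, 2^16 forged packets guarantee a hit in this model; without it, the same budget covers roughly one part in 64512 of the space, which is why port randomization on the proxy only helps as long as the port actually stays hidden from the attacker.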
KW - DNS cache poisoning
KW - network security
KW - port randomization
UR - http://www.scopus.com/inward/record.url?scp=84884771929&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-40203-6_13
DO - 10.1007/978-3-642-40203-6_13
M3 - Conference contribution
AN - SCOPUS:84884771929
SN - 9783642402029
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 219
EP - 236
BT - Computer Security, ESORICS 2013 - 18th European Symposium on Research in Computer Security, Proceedings
T2 - 18th European Symposium on Research in Computer Security, ESORICS 2013
Y2 - 9 September 2013 through 13 September 2013
ER -