Vulnerable delegation of DNS resolution

Amir Herzberg, Haya Shulman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

34 Scopus citations

Abstract

A growing number of networks delegate their DNS resolution to trusted upstream resolvers. The communication to and from the upstream resolver is invisible to off-path attackers. Hence, such delegation is considered to improve the resilience of the resolvers to cache-poisoning and DoS attacks, and also to provide other security, performance, reliability and management advantages. We show that merely relying on an upstream resolver for security may in fact result in vulnerability to DNS poisoning and DoS attacks. The attack proceeds in modular steps: detecting delegation of DNS resolution, discovering the IP address of the internal (proxy) resolver, discovering the source port used for the (victim) DNS request, and then completing the attack. The steps of the attack can be of independent use; e.g., the proxy resolver can be exposed to denial-of-service attacks once its IP address is discovered. We provide recommendations for securing the DNS service delegation, to avoid these vulnerabilities.

Original language: English
Title of host publication: Computer Security, ESORICS 2013 - 18th European Symposium on Research in Computer Security, Proceedings
Pages: 219-236
Number of pages: 18
State: Published - 2013
Event: 18th European Symposium on Research in Computer Security, ESORICS 2013 - Egham, United Kingdom
Duration: 9 Sep 2013 - 13 Sep 2013

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 8134 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 18th European Symposium on Research in Computer Security, ESORICS 2013
Country/Territory: United Kingdom
City: Egham
Period: 9/09/13 - 13/09/13

Keywords

  • DNS cache poisoning
  • network security
  • port randomization
