DNS As a Multipurpose Attack Vector


University of the Aegean

Doctoral Thesis

DNS as a multipurpose attack vector

Author: Marios Anagnostopoulos
Supervisor: Associate Prof. Georgios Kambourakis

A thesis submitted in fulfilment of the requirements for the degree of Doctor of Philosophy at the Laboratory of Information and Communication Systems Security, Department of Information and Communication Systems Engineering

September, 2016

Declaration of Authorship

I, Marios Anagnostopoulos, declare that this thesis entitled "DNS as a multipurpose attack vector" and the work presented in it are my own. I confirm that:

  • This work was done wholly while in candidature for a research degree at this University.
  • Where I have consulted the published work of others, this is always clearly attributed.
  • Where I have quoted from the work of others, the source is always given. With the exception of such quotations, this thesis is entirely my own work.
  • I have acknowledged all main sources of help.
  • Where the thesis is based on work done by myself jointly with others, I have made clear exactly what was done by others and what I have contributed myself.

Signed:
Date: September 28, 2016

Advising Committee of this Doctoral Thesis:

  • Georgios Kambourakis, Supervisor, Department of Information and Communication Systems Engineering
  • Panagiotis Rizomiliotis, Advisor, Department of Information and Communication Systems Engineering
  • Elisavet Konstantinou, Advisor, Department of Information and Communication Systems Engineering

University of the Aegean, Greece, 2016

Approved by the Examining Committee:

  • Stefanos Gritzalis, Professor, University of the Aegean, Greece
  • Vasilios Katos, Professor, Bournemouth University, UK
  • Georgios Kambourakis, Associate Professor, University of the Aegean, Greece
  • Panagiotis Rizomiliotis, Assistant Professor, University of the Aegean, Greece
  • Elisavet Konstantinou, Assistant Professor, University of the Aegean, Greece
  • Konstantinos Kolias, Assistant Professor, George Mason University, USA
  • Dimitrios Geneitakis, Researcher, Joint Research Centre - European Commission, Italy

University of the Aegean, Greece, 2016

"Opportunities do not wait." (Thucydides, 455-399 BC)

Abstract

Few will dispute that DNS security is a complex, multi-faceted research topic of growing concern. This is simply because virtually any protocol or service on the Internet depends on the DNS service for its operation. Putting it another way, attacks on DNS can paralyze the network infrastructure of entire countries or even continents. Even worse, the original DNS design concentrated on availability, not security, and thus up to 1997 (and practically prior to 2008) the protocol did not afford any kind of security protection, not even origin authentication of the offered DNS data. In this context, the primary aim of this PhD thesis is to alert the community by investigating novel ways of DNS exploitation, and thus our work can be mainly classified under the umbrella of offensive security.
Specifically, we show that DNS can be exploited as a multipurpose attack vector that may severely threaten the integrity, authenticity, confidentiality, and availability of the resources offered in cyberspace.

Nowadays, DNS security deficiencies are addressed in practice by DNSSEC and, at least up to now, only on a limited scale by DNSCurve. Both mechanisms utilize public key cryptography with the aim of extending the core DNS protocol. Therefore, one of the contributions of this thesis is to provide a comprehensive and constructive side-by-side comparison of the aforementioned security mechanisms. This is anticipated to greatly aid defenders in deciding which mechanism best suits each particular deployment.

Furthermore, there is overwhelming evidence that DNS is frequently abused by cyber crooks in Denial of Service (DoS) attacks. This is because even typical DNS records can greatly amplify the attack effect, that is, vastly augment the volume of network traffic reflected and destined toward victims. This amplification effect is foreseen to be far more devastating in the case of DNSSEC records, which normally are considerably bigger. In this mindset, an additional contribution of this thesis is the investigation and assessment (in terms of attack amplification factor) of novel types of DNSSEC-powered DoS attacks. The role of DNS forwarders as reflectors in such attack incidents is studied as well. Moreover, we examine some novel options regarding which publicly available resources (in terms of DNS servers) could be particularly fruitful for attackers to include in their arsenal. In this direction, the potential of entangling the infrastructure of the upper DNS hierarchy as both amplifiers and reflectors is thoroughly investigated.
Regarding this point, the main advantage of our research compared with the standard type of DNS amplification attack is that we demonstrate that even a naive attacker is capable of executing a fruitful attack by simply exploiting the great number of DNS machines existing out there.

This thesis also deals with the exploitation of the DNS protocol by bot herders for the purpose of building hidden Communication and Control (C&C) channels for their botnets. In this respect, we delve into the so-called DNS- and IP-fluxing techniques, and propose and evaluate three novel botnet architectures which rely solely on DNS to deliver the botnet's C&C infrastructure. Given the mushrooming of smart mobile devices, the proposed architectures utilize not only mixed structures consisting of both mobile and desktop bot agents but, more importantly, structures that are purely mobile. This aspect of our work also includes the evaluation of the robustness of the proposed botnet formations.

Finally, besides the contributions devoted to legacy DNS attacks, we investigate the potential of DNS as an attack vector to invade users' privacy by harvesting private sensitive information from, say, smartphone owners. To this end, we design and implement a privacy-invasive mobile application (spyware) able to manipulate the DNS service running on devices based on Apple's iOS platform. The spyware is capable of acting as a man-in-the-middle to the tethering and intelligent personal assistant (such as Siri and Google Now) services present in virtually every modern mobile platform. In this case, the aim of the spyware coder is to redirect all users connected via the device to a malicious website in order to phish users' credentials, harvest sensitive personal information, and so forth.

Greek Abstract

Undoubtedly, security issues concerning the Internet's Domain Name System (DNS) service constitute a complex, multidimensional research field of particular importance. Essentially, every protocol or service provided over the Internet relies on the DNS service for its uninterrupted operation. Consequently, any type of attack targeting DNS may have serious consequences for the network infrastructure of organizations or even entire countries. Unfortunately, the initial versions of the protocol focused on the availability of the service rather than on protecting it from potential threats. Thus, until about 1997, but in practice not before 2008, the DNS protocol supported no protection mechanism, not even one ensuring the origin authenticity of the data provided. In this context, the main goal of this doctoral thesis is to inform and alert the scientific community by investigating and highlighting new methods of malicious exploitation of DNS. We can therefore say that this thesis concentrates on offensive security, i.e., it focuses on the attacker rather than on the defender. In other words, the thesis aims to demonstrate that the DNS protocol can be used as a multifaceted attack vector for violating the integrity, authenticity, confidentiality, and availability of the resources offered in cyberspace.

Today, the deficiencies of DNS are remedied by two cryptographic mechanisms: in practice by the DNSSEC security extension and (so far on a small scale) by DNSCurve. Both mechanisms use public key cryptography to protect the messages of the core DNS protocol. Hence, one of the contributions of this thesis is a comparative and constructive side-by-side presentation of the two aforementioned security mechanisms. Such a comparison is certain to significantly help defenders choose which mechanism is most suitable for each case.

In addition, there is significant evidence that the DNS protocol is used maliciously by cybercriminals to carry out denial of service (DoS) attacks. Specifically, these incidents belong to a special category of attacks called DNS amplification attacks. This is feasible because even a typical DNS response may significantly amplify the network traffic arriving at the victim's side. Essentially, the
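A defender-side illustration of the amplification factor discussed in the abstract, added here and not taken from the thesis: it computes the per-source bandwidth amplification factor (response bytes divided by query bytes) from resolver logs and flags sources that look like spoofed reflection targets rather than real clients. The log format, the thresholds and the sample lines are assumptions constructed for this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample log (hypothetical format):
#   <source_ip> <qname> <qtype> <query_bytes> <response_bytes>
# Addresses are from the RFC 5737 documentation ranges; sizes are made up.
SAMPLE_LOG = """\
192.0.2.10 www.example.org A 44 60
192.0.2.10 www.example.org AAAA 44 72
192.0.2.10 example.net MX 40 95
192.0.2.10 mail.example.net A 45 61
198.51.100.7 example.org DNSKEY 40 1450
198.51.100.7 example.org DNSKEY 40 1450
198.51.100.7 example.org DNSKEY 40 1450
198.51.100.7 example.org DNSKEY 40 1450
198.51.100.7 example.org DNSKEY 40 1450
198.51.100.7 example.org DNSKEY 40 1450
203.0.113.5 a.example.com A 55 320
203.0.113.5 b.example.com AAAA 55 340
203.0.113.5 example.com DNSKEY 51 1400
203.0.113.5 c.example.com A 56 310
203.0.113.5 example.com MX 52 400
not-a-log-line
"""


@dataclass
class SourceStats:
    queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0
    pairs: Counter = field(default_factory=Counter)  # (qname, qtype) -> count

    @property
    def baf(self) -> float:
        """Bandwidth amplification factor: bytes sent back per byte received."""
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0

    @property
    def top_pair_share(self) -> float:
        """Fraction of queries that repeat the single most common name/type."""
        if not self.queries:
            return 0.0
        return self.pairs.most_common(1)[0][1] / self.queries


def summarize(log_text: str) -> dict:
    """Aggregate query/response sizes per source address, skipping bad lines."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[3].isdigit() and parts[4].isdigit()):
            continue  # malformed record
        source, qname, qtype = parts[0], parts[1].lower(), parts[2].upper()
        q_bytes, r_bytes = int(parts[3]), int(parts[4])
        if q_bytes == 0:
            continue
        s = stats[source]
        s.queries += 1
        s.query_bytes += q_bytes
        s.response_bytes += r_bytes
        s.pairs[(qname, qtype)] += 1
    return dict(stats)


def reflection_suspects(stats, min_queries=5, baf_threshold=10.0, repeat_share=0.8):
    """Sources whose traffic is large, highly amplified and repetitive.

    On a server abused as a reflector the logged source is the spoofed
    victim address, so a hit marks a likely target, not an attacker.
    Thresholds are illustrative assumptions, to be tuned per deployment.
    """
    return sorted(
        src for src, s in stats.items()
        if s.queries >= min_queries
        and s.baf >= baf_threshold
        and s.top_pair_share >= repeat_share
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, s in sorted(summary.items()):
        print(f"{src:15} queries={s.queries} BAF={s.baf:.2f} repeat={s.top_pair_share:.2f}")
    print("suspected reflection targets:", reflection_suspects(summary))
```

The third source in the sample is a DNSSEC-heavy but diverse query mix: its amplification factor is above the threshold, yet it is not flagged because no single name/type pair dominates.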