318 research outputs found

    Evaluation of Anonymized ONS Queries

    Electronic Product Code (EPC) is the basis of a pervasive infrastructure for the automatic identification of objects on supply chain applications (e.g., pharmaceutical or military applications). This infrastructure relies on the use of the (1) Radio Frequency Identification (RFID) technology to tag objects in motion and (2) distributed services providing information about objects via the Internet. A lookup service, called the Object Name Service (ONS) and based on the use of the Domain Name System (DNS), can be publicly accessed by EPC applications looking for information associated with tagged objects. Privacy issues may affect corporate infrastructures based on EPC technologies if their lookup service is not properly protected. A possible solution to mitigate these issues is the use of online anonymity. We present an evaluation experiment that compares the use of Tor (The second generation Onion Router) on a global ONS/DNS setup, with respect to benefits, limitations, and latency. Comment: 14 page

    Can NSEC5 be practical for DNSSEC deployments?

    NSEC5 is a proposed modification to DNSSEC that simultaneously guarantees two security properties: (1) privacy against offline zone enumeration, and (2) integrity of zone contents, even if an adversary compromises the authoritative nameserver responsible for responding to DNS queries for the zone. This paper redesigns NSEC5 to make it both practical and performant. Our NSEC5 redesign features a new fast verifiable random function (VRF) based on elliptic curve cryptography (ECC), along with a cryptographic proof of its security. This VRF is also of independent interest, as it is being standardized by the IETF and being used by several other projects. We show how to integrate NSEC5 using our ECC-based VRF into the DNSSEC protocol, leveraging precomputation to improve performance and DNS protocol-level optimizations to shorten responses. Next, we present the first full-fledged implementation of NSEC5—extending widely-used DNS software to present a nameserver and recursive resolver that support NSEC5—and evaluate their performance under aggressive DNS query loads. Our performance results indicate that our redesigned NSEC5 can be viable even for high-throughput scenarios. https://eprint.iacr.org/2017/099.pdf First author draf

    Short Paper: On Deployment of DNS-based Security Enhancements

    Although the Domain Name System (DNS) was designed as a naming system, its features have made it appealing to repurpose it for the deployment of novel systems. One important class of such systems are security enhancements, and this work sheds light on their deployment. We show the characteristics of these solutions and measure reliability of DNS in these applications. We investigate the compatibility of these solutions with the Tor network, signal necessary changes, and report on surprising drawbacks in Tor's DNS resolution. Comment: Financial Cryptography and Data Security (FC) 201

    Realistic, Extensible DNS and mDNS Models for INET/OMNeT++

    The domain name system (DNS) is one of the core services in today's network structures. In local and ad-hoc networks DNS is often enhanced or replaced by mDNS. As of yet, no simulation models for DNS and mDNS have been developed for INET/OMNeT++. We introduce DNS and mDNS simulation models for OMNeT++, which allow researchers to easily prototype and evaluate extensions for these protocols. In addition, we present models for our own experimental extensions, namely Stateless DNS and Privacy-Enhanced mDNS, that are based on the aforementioned models. Using our models we were able to further improve the efficiency of our protocol extensions. Comment: Published in: A. Förster, C. Minkenberg, G. R. Herrera, M. Kirsche (Eds.), Proc. of the 2nd OMNeT++ Community Summit, IBM Research - Zurich, Switzerland, September 3-4, 201

    An integrated testing system for IPv6 and DNSSEC


    DNSSEC: general aspects of security, efficiency and usage statistics in the Brazilian context

    Undergraduate monograph, Universidade de Brasília, Faculdade de Tecnologia, Departamento de Engenharia Elétrica, 2015. This work studies the working of DNS and DNSSEC systems, besides analyzing some aspects of those mechanisms, such as performance, efficiency analysis, use statistics and frauds, including local network security techniques. The DNS is one of the pillars of the Internet. Successful attacks on servers responsible for this service may cause heavy losses to companies and even to regular final users. The study of DNS and DNSSEC mechanisms is of fundamental importance to guarantee immunities to these systems and to assure the Internet's good functioning. Besides, we will approach general concepts related to network security, mentioning the workings of the main attacks and how to avoid them. Experiments will be performed to substantiate DNS vulnerabilities that can be corrected by using DNSSEC, furthermore a methodology to malware detection through DNSSEC