5 research outputs found

    Editorial for Vol. 25 No. 2

    Get PDF
    In this issue of CIT. Journal of Computing and Information Technology we bring five papers from diverse fields of computing. Three of them deal with various aspects of networks, while the other two address issues in optimization and semantic text processing

    Methodology for DNS Cache Poisoning Vulnerability Analysis of DNS64 Implementations

    Get PDF
    The trustworthy operation of the DNS service is a very important precondition for a secure Internet. As we point it out, DNS cache poisoning could be even more dangerous if it is performed against DNS64 servers. Based on RCF 5452, we give an introduction to the three main components of DNS cache poisoning vulnerability, namely Transaction ID prediction, source port number prediction, and birthday paradox based attack, which is possible if a DNS or DNS64 server sends out multiple equivalent queries (with identical QNAME, QTYPE, and QCLASS fields) concurrently. We design and implement a methodology and a testbed, which can be used for the systematic testing of DNS or DNS64 implementations, whether they are susceptible to these three vulnerabilities. We perform the tests with the following DNS64 implementations: BIND, PowerDNS, Unbound, TOTD (two versions) and mtd64-ng. As for the testbed, we use three virtual Linux machines executed by a Windows 7 host. As for tools, we use VMware Workstation 12 Player for virtualization, Wireshark and tshark for monitoring, dns64perf for Transaction ID and source port predictability tests, and our currently developed "birthday-test" program for concurrently sent multiple equivalent queries testing. Our methodology can be used for DNS cache poisoning vulnerablility analysis of further DNS or DNS64 implementations. A testbed with the same structure may be used for security vulnerablility analysis of DNS or DNS64 servers and also NAT64 gateways concerning further threats

    Editorial for Vol. 25 No. 2

    Full text link

    Author Index

    Get PDF

    Design, Implementation and Performance Estimation of mtd64-ng, a New Tiny DNS64 Proxy

    Get PDF
    In the current phase of the IPv6 transition, it is a typical situation that IPv6 only clients should be enabled to communicate with IPv4 only servers. The DNS64+NAT64 tool suite is an excellent solution to this problem. Although several free software DNS64 implementations exist, we point out that there is room for further high performance and computation efficient multithreaded DNS64 implementations. MTD64 was designed to be able to utilize several CPU cores. Whereas MTD64 outperformed BIND more than five times, two critical issues (memory leaking and potential vulnerability to DoS attacks) were identified. Therefore MTD64 was redesigned under a new name: mtd64-ng (not capitalized). This paper is about the design, implementation and initial performance estimation of mtd64-ng. The usage of object oriented decomposition and the RAII (Resource Acquisition Is Initialization) idiom ensures that raw, sensitive resources (e.g. memory, sockets) are always released and it greatly simplifies exception handling. Using the new features of the C++11 standard enabled us to write more efficient and better readable code. The performance of mtd64-ng is compared to that of BIND and MTD64 and it is found that mtd64-ng outperforms even its predecessor, MTD64
    corecore