17,040 research outputs found

    The future of Internet governance: should the U.S. relinquish Its authority over ICANN?

    How ICANN and the Internet domain name system are ultimately governed may set an important precedent in future policy debates over how the Internet should be governed, and what role governments and intergovernmental organizations should play. Overview: Currently, the U.S. government retains limited authority over the Internet’s domain name system, primarily through the Internet Assigned Numbers Authority (IANA) functions contract between the National Telecommunications and Information Administration (NTIA) and the Internet Corporation for Assigned Names and Numbers (ICANN). By virtue of the IANA functions contract, the NTIA exerts a legacy authority and stewardship over ICANN, and arguably has more influence over ICANN and the domain name system (DNS) than other national governments. On March 14, 2014, NTIA announced the intention to transition its stewardship role and procedural authority over key Internet domain name functions to the global Internet multistakeholder community. To accomplish this transition, NTIA has asked ICANN to convene interested global Internet stakeholders to develop a transition proposal. NTIA has stated that it will not accept any transition proposal that would replace the NTIA role with a government-led or an intergovernmental organization solution. Currently, Internet stakeholders are engaged in a series of working groups to develop a transition proposal. Their goal is to submit a final proposal to NTIA by summer 2015. NTIA must approve the proposal in order for it to relinquish its authority over the IANA functions contract. While the IANA functions contract expires on September 30, 2015, NTIA has the flexibility to extend the contract for any period through September 2019. Concerns have risen in Congress over the proposed transition. Critics worry that relinquishing U.S. authority over Internet domain names may offer opportunities for either hostile foreign governments or intergovernmental organizations, such as the United Nations, to gain undue influence over the Internet. On the other hand, supporters argue that this transition completes the necessary evolution of Internet domain name governance towards the private sector, and will ultimately support and strengthen the multistakeholder model of Internet governance. Legislation has been introduced in the 113th and 114th Congresses which would prevent, delay, or impose conditions or additional scrutiny on the transition. In the 113th Congress, a provision in the Consolidated and Further Continuing Appropriations Act, 2015 (P.L. 113-235) provides that during FY2015, NTIA may not use any appropriated funds to relinquish its responsibility with respect to Internet domain name system functions. In the 114th Congress, H.R. 805 (the DOTCOM Act of 2015) would prohibit NTIA from relinquishing its authority over the Internet domain name system until the Government Accountability Office (GAO) submits a report to Congress examining the implications of the proposed transfer. The proposed transition could have a significant impact on the future of Internet governance. National governments are recognizing an increasing stake in ICANN and DNS policy decisions, especially in cases where Internet DNS policy intersects with national laws and interests related to issues such as intellectual property, cybersecurity, privacy, and Internet freedom. How ICANN and the Internet domain name system are ultimately governed may set an important precedent in future policy debates—both domestically and internationally—over how the Internet should be governed, and what role governments and intergovernmental organizations should play

    On The Impact of Internet Naming Evolution: Deployment, Performance, and Security Implications

    As one of the most critical components of the Internet, the Domain Name System (DNS) provides naming services for Internet users, who rely on DNS to perform the translation between the domain names and network entities before establishing an Internet connection. In this dissertation, we present our studies on different aspects of the naming infrastructure in today’s Internet, including DNS itself and the network services based on the naming infrastructure such as Content Delivery Networks (CDNs). We first characterize the evolution and features of the DNS resolution in web services under the emergence of third-party hosting services and cloud platforms. At the bottom level of the DNS hierarchy, the authoritative DNS servers (ADNSes) maintain the actual mapping records and answer the DNS queries. The increasing use of upstream ADNS services (i.e., third-party ADNS-hosting services) and Infrastructure-as-a-Service (IaaS) clouds facilitates the deployment of web services, and has been fostering the evolution of the deployment of ADNS servers. To shed light on this trend, we conduct a large-scale measurement to investigate the ADNS deployment patterns of modern web services and examine the characteristics of different deployment styles, such as performance, life-cycle of servers, and availability. Furthermore, we specifically focus on the DNS deployment for subdomains hosted in IaaS clouds. Then, we examine a pervasive misuse of DNS names and explore a straightforward solution to mitigate the performance penalty in DNS cache. DNS cache plays a critical role in domain name resolution, providing (1) high scalability at Root and Top-level-domain nameservers with reduced workloads and (2) low response latency to clients when the resource records of the queried domains are cached. However, the pervasive misuses of domain names, e.g., the domain names of “one-time-use” pattern, have negative impact on the effectiveness of DNS caching as the cache has been filled with those entries that are highly unlikely to be retrieved. By leveraging the domain name based features that are explicitly available from a domain name itself, we propose simple policies for improving DNS cache performance and validate their efficacy using real traces. Finally, we investigate the security implications of a fundamental vulnerability in DNS-based CDNs. The success of CDNs relies on the mapping system that leverages the dynamically generated DNS records to distribute a client’s request to a proximal server for achieving optimal content delivery. However, the mapping system is vulnerable to malicious hijacks, as it is very difficult to provide pre-computed DNSSEC signatures for dynamically generated records in CDNs. We illustrate that an adversary can deliberately tamper with the resolvers to hijack CDN’s redirection by injecting crafted but legitimate mappings between end-users and edge servers, while remaining undetectable by existing security practices, which can cause serious threats that nullify the benefits offered by CDNs, such as proximal access, load balancing, and DoS protection. We further demonstrate that DNSSEC is ineffective to address this problem, even with the newly adopted ECDSA that is capable of achieving live signing for dynamically generated DNS records. We then discuss countermeasures against this redirection hijacking

    MALICIOUS TRAFFIC DETECTION IN DNS INFRASTRUCTURE USING DECISION TREE ALGORITHM

    Domain Name System (DNS) is an essential component in internet infrastructure to direct domains to IP addresses or conversely. Despite its important role in delivering internet services, attackers often use DNS as a bridge to breach a system. A DNS traffic analysis system is needed for early detection of attacks. However, the available security tools still have many shortcomings, for example broken authentication, sensitive data exposure, injection, etc. This research uses DNS analysis to develop anomaly-based techniques to detect malicious traffic on the DNS infrastructure. To do this, we look for network features that characterize DNS traffic. Features obtained will then be processed using the Decision Tree algorithm to classify incoming DNS traffic. We experimented with 2.291.024 traffic data matching the characteristics of BotNet and normal traffic. By dividing the data into 80% training and 20% testing data, our experimental results showed high detection accuracy (96.36%) indicating the robustness of our method

    Real time detection of malicious DoH traffic using statistical analysis

    The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic. In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious

    Internet Domain Names in China

    This article aims at documenting the implementation of the Domain Name System in China, in coordination and in tension with the global Domain Name System since the end of the 1980s with the Chinese country-code top-level domain “.cn,” and more recently with the creation of Chinese-language domain names such as “.中国” and “.中文网.” It puts into perspective the notion of “digital sovereignty” by analysing the role of the DNS in the “localisation” of online content as part of the censorship system. It further shows that although Chinese representatives have always been very critical of the existing architecture and management of the DNS on the global stage, their attitude has evolved from de facto, bottom-up participation and protection of their interests to a more confident and assertive behaviour, as the growth of the Chinese Internet has put them in a more dominant position

    Addressing the challenges of modern DNS: a comprehensive tutorial

    The Domain Name System (DNS) plays a crucial role in connecting services and users on the Internet. Since its first specification, DNS has been extended in numerous documents to keep it fit for today’s challenges and demands. And these challenges are many. Revelations of snooping on DNS traffic led to changes to guarantee confidentiality of DNS queries. Attacks to forge DNS traffic led to changes to shore up the integrity of the DNS. Finally, denial-of-service attacks on DNS operations have led to new DNS operations architectures. All of these developments make DNS a highly interesting, but also highly challenging research topic. This tutorial – aimed at graduate students and early-career researchers – provides an overview of the modern DNS, its ongoing development and its open challenges. This tutorial has four major contributions. We first provide a comprehensive overview of the DNS protocol. Then, we explain how DNS is deployed in practice. This lays the foundation for the third contribution: a review of the biggest challenges the modern DNS faces today and how they can be addressed. These challenges are (i) protecting the confidentiality and (ii) guaranteeing the integrity of the information provided in the DNS, (iii) ensuring the availability of the DNS infrastructure, and (iv) detecting and preventing attacks that make use of the DNS. Last, we discuss which challenges remain open, pointing the reader towards new research areas

    Current Issues of Malicious Domains Blocking

    Cyberattackers often use the Domain Name System (DNS) in their activities. Botnet C&C servers and phishing websites both use DNS to facilitate connection to or from their victims, while the protocol does not contain any security countermeasures to thwart such behavior. In this paper, we examine capabilities of a DNS firewall that would be able to filter access from the protected network to known malicious domains on the outside network. Considering the needs of Computer Security Incident Response Teams (CSIRTs), we formulated functional requirements that a DNS firewall should fulfill to fit the role of a cybersecurity tool. Starting from these requirements, we developed a DNS firewall based on the DNS Response Policy Zones technology, the only suitable open source technology available yet. However, we encountered several essential limitations in the DNS RPZ technology during the testing period. Still, our testing results show that a simple DNS firewall can prevent attacks not detected by other cybersecurity tools. We discuss the limitations and propose possible solutions so that the DNS firewall might be used as a more complex cybersecurity tool in the future. Lessons learned from the deployment show that while the DNS firewall can indeed be used to block access to malicious domains, it cannot yet satisfy all the requirements of cybersecurity teams