
    Detecting and Refactoring Operational Smells within the Domain Name System

    The Domain Name System (DNS) is one of the most important components of the Internet infrastructure. DNS relies on a delegation-based architecture, where resolution of names to their IP addresses requires resolving the names of the servers responsible for those names. The recursive structures of the interdependencies that exist between name servers associated with each zone are called dependency graphs. System administrators' operational decisions have far-reaching effects on the DNS's qualities. They need to be soundly made to create a balance between the availability, security and resilience of the system. We utilize dependency graphs to identify, detect and catalogue operational bad smells. Our method deals with smells on a high level of abstraction using a consistent taxonomy and reusable vocabulary, defined by a DNS Operational Model. The method will be used to build a diagnostic advisory tool that will detect configuration changes that might decrease the robustness or security posture of domain names before they go into production.
    Comment: In Proceedings GaM 2015, arXiv:1504.0244

    Short Paper: On Deployment of DNS-based Security Enhancements

    Although the Domain Name System (DNS) was designed as a naming system, its features have made it appealing to repurpose it for the deployment of novel systems. One important class of such systems are security enhancements, and this work sheds light on their deployment. We show the characteristics of these solutions and measure reliability of DNS in these applications. We investigate the compatibility of these solutions with the Tor network, signal necessary changes, and report on surprising drawbacks in Tor's DNS resolution.
    Comment: Financial Cryptography and Data Security (FC) 201

    Infrastructure of DNS/DNSSEC

    DNS Security Extension is introduced as a solution after the in-depth study of all expected issues regarding security of Domain Name System. Accordingly, DNS is domain name service provider via name server but it fails to facilitate the support for authenticity of data origin and integrity. In addition, DNS satirizing gives stage to digital assaults, and can be used to watch client's exercises, for control, for conveyance of pernicious programming and to offend client's PC and even to subvert rightness and accessibility of internet systems and administrations. Therefore, it is fundamental to attract DNS framework to defeat security concerns, and to make cautious arrangement that should adapt to assaults through off way foes. So, we have broken down security of area enlistment centers and name server completely and we deal with vulnerabilities, which should open DNS foundation to store harming. In this paper, we gave the DNSSEC structure and showed how it is secure using DNSSEC.

    Hijacking DNS Subdomains via Subzone Registration: A Case for Signed Zones

    We investigate how the widespread absence of signatures in DNS (Domain Name System) delegations, in combination with a common misunderstanding with regard to the DNS specification, has led to insecure deployments of authoritative DNS servers which allow for hijacking of subdomains without the domain owner's consent. This, in turn, enables the attacker to perform effective man-in-the-middle attacks on the victim's online services, including TLS (Transport Layer Security) secured connections, without having to touch the victim's DNS zone or leaving a trace on the machine providing the compromised service, such as the web or mail server. Following the practice of responsible disclosure, we present examples of such insecure deployments and suggest remedies for the problem. Most prominently, DNSSEC (Domain Name System Security Extensions) can be used to turn the problem from an integrity breach into a denial-of-service issue, while more thorough user management resolves the issue completely.

    NSEC5, DNSSEC authenticated denial of existence

    The Domain Name System Security Extensions (DNSSEC) introduced two resource records (RR) for authenticated denial of existence: the NSEC RR and the NSEC3 RR. This document introduces NSEC5 as an alternative mechanism for DNSSEC authenticated denial of existence. NSEC5 uses verifiable random functions (VRFs) to prevent offline enumeration of zone contents. NSEC5 also protects the integrity of the zone contents even if an adversary compromises one of the authoritative servers for the zone. Integrity is preserved because NSEC5 does not require private zone-signing keys to be present on all authoritative servers for the zone, in contrast to DNSSEC online signing schemes like NSEC3 White Lies.
    https://datatracker.ietf.org/doc/draft-vcelak-nsec5/
    First author draf

    Evaluation of DNSSEC in Microsoft Windows and Microsoft Windows Server 2008 R2

    The Domain Name System (DNS) provides important name resolution services on the Internet. The DNS has been found to have security flaws which have the potential to undermine the reliability of many Internet-based systems. DNS Security Extensions (DNSSEC) offers a long-term solution to these DNS security flaws. However, DNSSEC adoption has been slow because it is challenging to deploy and administer. DNSSEC has also been criticized for not being an end-to-end solution. Microsoft included support for DNSSEC in its latest operating systems, Windows Server 2008 R2 and Windows 7. This thesis concluded that DNSSEC features in Windows Server 2008 R2 and Windows 7 are not fully developed and are unlikely to impact DNSSEC adoption rates.