This Is a Local Domain: On Amassing Country-Code Top-Level Domains from Public Data
Domain lists are a key ingredient for representative censuses of the Web. Unfortunately, such censuses typically lack a view on domains under country-code top-level domains (ccTLDs). This introduces unwanted bias: many countries have a rich local Web that remains hidden if their ccTLDs are not considered. The reason ccTLDs are rarely considered is that gaining access -- if possible at all -- is often laborious. To tackle this, we ask: what can we learn about ccTLDs from public sources? We extract domain names under ccTLDs from 6 years of public data from Certificate Transparency logs and Common Crawl. We compare this against ground truth for 19 ccTLDs for which we have the full DNS zone. We find that public data covers 43%-80% of these ccTLDs, and that coverage grows over time. By also comparing port scan data we then show that these public sources reveal a significant part of the Web presence under a ccTLD. We conclude that in the absence of full access to ccTLDs, domain names learned from public sources can be a good proxy when performing Web censuses.
Comment: 6 pages double-column, 4 figures; submitted to ACM SIGCOMM CC
Large-scale DNS and DNSSEC data sets for network security research
The Domain Name System protocol is often abused to perform denial-of-service attacks. These attacks, called DNS amplification, rely on two properties of the DNS. Firstly, DNS is vulnerable to source address spoofing because it relies on the asynchronous connectionless UDP protocol. Secondly, DNS queries are usually small whereas DNS responses may be much larger than the query. In recent years, the DNS has been extended to include security features based on public key cryptography. This extension, called DNSSEC, adds integrity and authenticity to the DNS and solves a serious vulnerability in the original protocol. A downside of DNSSEC is that it may further increase the potential DNS has for amplification attacks. This disadvantage is often cited by opponents of DNSSEC as a major reason not to deploy the protocol. Until recently, however, ground truth about how serious an issue this can be was never established. This technical report describes the data sets obtained during a study we carried out to establish this ground truth. We make these data sets available as open data under a permissive Creative Commons license. We believe these data sets have a lot of value beyond our research. They, for example, allow characterisations of EDNS0 implementations, provide information on IPv6 deployment (presence or absence of AAAA records) for a large number of domains in separate TLDs, etc.
A matter of degree: characterizing the amplification power of open DNS resolvers
Open DNS resolvers are widely misused to bring about reflection and amplification DDoS attacks. Indiscriminate efforts to address the issue and take down all resolvers have not fully resolved the problem, and millions of open resolvers still remain available to date, providing attackers with enough options. This brings forward the question if we should not instead focus on eradicating the most problematic resolvers, rather than all open resolvers indiscriminately. Contrary to existing studies, which focus on quantifying the existence of open resolvers, this paper focuses on infrastructure diversity and aims at characterizing open resolvers in terms of their ability to bring about varying attack strengths. Such a characterization brings nuances to the problem of open resolvers and their role in amplification attacks, as it allows the more problematic resolvers to be identified. Our findings show that the population of open resolvers lies above 2.6M over our one-year measurement period. On the positive side, we observe that the majority of identified open resolvers cut out when dealing with bulky and DNSSEC-related queries, thereby limiting their potential as amplifiers. We show, for example, that 59% of open resolvers lack DNSSEC support. On the downside, we see that a non-negligible number of open resolvers facilitate large responses to ANY and TXT queries (8.1% and 3.4% on average, respectively), which stands to benefit attackers. Finally, we show that by removing around 20% of potent resolvers the global DNS amplification potential can be reduced by up to 80%.
Making the Case for Elliptic Curves in DNSSEC
The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This means DNSSEC is more susceptible to packet fragmentation and makes DNSSEC an attractive vector to abuse in amplification-based denial-of-service attacks. Additionally, key management policies are often complex. This makes DNSSEC fragile and leads to operational failures. In this paper, we argue that the choice for RSA as default cryptosystem in DNSSEC is a major factor in these three problems. Alternative cryptosystems, based on elliptic curve cryptography (ECDSA and EdDSA), exist but are rarely used in DNSSEC. We show that these are highly attractive for use in DNSSEC, although they also have disadvantages. To address these, we have initiated research that aims to investigate the viability of deploying ECC at a large scale in DNSSEC.
Retrofitting Post-Quantum Cryptography in Internet Protocols: A Case Study of DNSSEC
Quantum computing is threatening current cryptography, especially the asymmetric algorithms used in many Internet protocols. More secure algorithms, colloquially referred to as Post-Quantum Cryptography (PQC), are under active development. These new algorithms differ significantly from current ones. They can have larger signatures or keys, and often require more computational power. This means we cannot just replace existing algorithms by PQC alternatives, but need to evaluate if they meet the requirements of the Internet protocols that rely on them. In this paper we provide a case study, analyzing the impact of PQC on the Domain Name System (DNS) and its Security Extensions (DNSSEC). In its main role, DNS translates human-readable domain names to IP addresses and DNSSEC guarantees message integrity and authenticity. DNSSEC is particularly challenging to transition to PQC, since DNSSEC and its underlying transport protocols require small signatures and keys and efficient validation. We evaluate current candidate PQC signature algorithms in the third round of the NIST competition on their suitability for use in DNSSEC. We show that three algorithms partially meet DNSSEC's requirements but also show where and how we would still need to adapt DNSSEC. Thus, our research lays the foundation for making DNSSEC, and protocols with similar constraints, ready for PQC.
Saving Brian's Privacy: the Perils of Privacy Exposure through Reverse DNS
Given the importance of privacy, many Internet protocols are nowadays designed with privacy in mind (e.g., using TLS for confidentiality). Foreseeing all privacy issues at the time of protocol design is, however, challenging and may become near impossible when interaction out of protocol bounds occurs. One demonstrably not well understood interaction occurs when DHCP exchanges are accompanied by automated changes to the global DNS (e.g., to dynamically add hostnames for allocated IP addresses). As we will substantiate, this is a privacy risk: one may be able to infer device presence and network dynamics from virtually anywhere on the Internet -- and even identify and track individuals -- even if other mechanisms to limit tracking by outsiders (e.g., blocking pings) are in place.
We present a first of its kind study into this risk. We identify networks that expose client identifiers in reverse DNS records and study the relation between the presence of clients and said records. Our results show a strong link: in 9 out of 10 cases, records linger for at most an hour, for a selection of academic, enterprise and ISP networks alike. We also demonstrate how client patterns and network dynamics can be learned, by tracking devices owned by persons named Brian over time, revealing shifts in work patterns caused by COVID-19 related work-from-home measures, and by determining a good time to stage a heist.