Drakkar

Thesis defense — Yevheniya Nosyk — November 26th

Friday 29 November 2024

The Domain Name System: a Tool and a Target for Internet-Wide Measurements

The defense will take place on Tuesday, 26 November 2024, at 14:00 in the main auditorium of the IMAG building.

Abstract

The Domain Name System (DNS) is one of the oldest Internet protocols still in use, with its history dating back to 1987, when it was standardized in its current form. As the Internet grew at a rapid pace, an extensible, interoperable, and distributed naming scheme was needed to replace the plain-text file that held the mappings between addresses and human-readable names. Although security was not considered in the original DNS design, the protocol was subsequently amended to provide origin authentication, data integrity, and transaction privacy. It also remains highly flexible, accommodating future protocol extensions. DNS has largely outgrown its original purpose and size: it is now an extremely complex system with over 460 Requests for Comments (RFCs), 362.4 million registered domain names, and millions of authoritative nameservers and recursive resolvers. It is also one of the most critical components of the Internet, as more and more operations are preceded by a domain name lookup. This increasing reliance on DNS makes it an attractive attack target, an efficient attack tool, and a victim of collateral damage. Given its scale, DNS is becoming highly opaque and, therefore, difficult to comprehend and characterize. As a result, outages, misuse, and misconfigurations cannot be prevented if the inner workings of the system are not well understood. This raises significant barriers for researchers and operators alike whose aim is to ensure that the Internet remains resilient in the face of numerous threats. On the other hand, the DNS infrastructure can be thought of as a set of distributed measurement vantage points with a unique view of the underlying networks, in which case its scale becomes an advantage. Given the lack of wide-coverage measurement platforms, DNS servers can be used as measurement nodes themselves. This thesis addresses the following research questions: 1) Can the scope of vulnerabilities in the global DNS be effectively quantified and assessed? and 2) Can DNS be leveraged as a reliable tool for measuring other aspects of the Internet? Four contributions discussed in the remainder of the thesis address the two questions with the help of passive and active measurement techniques. The first contribution analyzes the mechanism of Extended DNS Errors (EDE) and discusses some of the most common misconfigurations of registered domain names observed in the wild. The second contribution investigates the extent to which DNS root server queries suffer from manipulation and proposes several countermeasures to avoid the negative impact on end users. The third contribution uncovers powerful DNS-based mega amplifiers and hypothesizes that the combination of routing loops and middleboxes is behind the phenomenon. The final contribution uses DNS resolvers to infer the absence and the presence of inbound Source Address Validation (SAV) in remote networks.
