Written By: David Dagon, Manos Antonakakis, Wenke Lee (Georgia Institute of Technology); Paul Vixie, Tatuya Jinmei (Internet Systems Consortium)
Presented By: Jarrod Williams (Georgia Institute of Technology)
Overview
- Domain Name System (DNS)
- 0x20 Bit Encoding
- Conclusion
DNS labels, label matching, and the resolution process are all case insensitive. In ASCII, an upper-case letter and its lower-case counterpart differ only in the 0x20 bit, so any letter in a query name can be flipped between cases by adding or subtracting 0x20 without changing the meaning of the query. By choosing the capitalization pattern of each query it sends, a recursive resolver can make its queries unique and more resistant to DNS cache poisoning attacks.
Domain name field: each letter carries one bit of the encoding
◦ Uppercase = 0, Lowercase = 1
Design goals
- No radical changes to the protocol
- Protocol stability
- Backward compatible
- Protect the recursive resolver in its transaction with the authority servers
Domain Name System (DNS)
DNS is a hierarchical naming system for computers, services, and any other resource participating on the Internet; it associates various information with domain names. The DNS client software on a host that initiates a lookup is called a stub resolver.
Each domain is a node in the hierarchy. Each zone consists of many nodes, and a node can be delegated as a subzone with its own authority servers. Authority servers are sometimes loosely referred to as "the SOA", after the Start of Authority record that marks the beginning of every zone.
Resolution process
1. The stub resolver sends the query to the recursive server.
2. The recursive resolver consults the root servers.
3. The recursive server consults the ".com" zone authority servers, which refer it to the authority servers for the queried name.
4. The answer is returned to the stub resolver and cached by the recursive resolver to assist in future resolutions.
DNS cache poisoning is a maliciously created or unintended situation that supplies data to a DNS server that did not originate from an authoritative DNS source. Attackers exploit DNS software by getting it to accept incorrect information: if the server does not accurately validate the response it receives, it caches the bogus entries locally and serves them to every user that makes the same request.
0x20 Bit Encoding
An authority server does not build a fresh copy of the question section; it copies the query name into its response just as it arrived over the wire. Almost all authority DNS servers therefore preserve the case of the query name bit-for-bit, exactly as presented by the recursive server. A pattern of mixed-case encoding of the domain name makes each transaction between a DNS initiator and responder unique, and gives the initiator an additional means of matching responses to the queries it actually sent.
Encoding algorithm
1. A domain name arrives as input, either as a query from a stub resolver or as an answer from a server.
2. Transform the query field into a canonical format (for example, all lower case).
3. Use a chosen encryption scheme, keyed with a secret known only to the recursive resolver, to encrypt the canonical query; the output is the bit string that drives the encoding.
4. Read the bits sequentially, one per 0x20-capable character, and encode every 0x20-capable character:
◦ if the j-th bit is 0, make the i-th query character upper case (i.e., buff[i] &= ~0x20)
◦ if the j-th bit is 1, make the i-th query character lower case (i.e., buff[i] |= 0x20)
This produces a 0x20-encoded domain name that is sent to the authority server. The same encoding is recomputed (or the sent name is remembered) to verify the query field returned in the authority server's response, which must match bit-for-bit.
A 0x20-capable character is a letter in the ASCII table (American Standard Code for Information Interchange; values in hexadecimal). The ranges are:
◦ A…Z 0x41 – 0x5A
◦ a…z 0x61 – 0x7A
Effective key length = number of 0x20-capable characters in the name:
- 6 0x20-capable characters
◦ 6-bit key length
◦ 2^6 = 64 unique combinations
- 5 0x20-capable characters
◦ 5-bit key length
◦ 2^5 = 32 unique combinations
- 18 0x20-capable characters
◦ 18-bit key length
◦ 2^18 = 262,144 unique combinations
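The encoding steps and the key-length arithmetic above, as an added worked example in Python (this is not code from the slides or from the authors' implementation). It assumes HMAC-SHA256 as the "chosen encryption scheme" and mixes a per-query nonce (transaction ID and source port) into the MAC input so the same name gets a fresh case pattern on every query; both choices are assumptions of this example, not of the slides. Bit 0 selects upper case (clear 0x20) and bit 1 lower case (set 0x20), matching the field encoding described above.

```python
"""0x20-bit encoding of a DNS query name, and verification of the echoed name.

Added example (not from the slides or the paper's code). The "chosen encryption
scheme" is assumed here to be HMAC-SHA256 over the canonical name plus a
per-query nonce; the slides leave the scheme open.
"""
import hashlib
import hmac
from typing import Iterable, Iterator


def is_0x20_capable(ch: str) -> bool:
    """A 0x20-capable character is an ASCII letter: A..Z (0x41-0x5A) or a..z (0x61-0x7A)."""
    return "A" <= ch <= "Z" or "a" <= ch <= "z"


def canonicalize(name: str) -> str:
    """Canonical form used as MAC input: all lower case, exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def key_bits(name: str) -> int:
    """Effective key length: one bit per 0x20-capable character in the name."""
    return sum(1 for ch in name if is_0x20_capable(ch))


def key_space(name: str) -> int:
    """Number of distinct case patterns a forger must guess: 2 ** key_bits."""
    return 1 << key_bits(name)


def derive_bits(canonical: str, key: bytes, nonce: bytes) -> Iterator[int]:
    """Yield the encoding bits, most significant bit first, from an HMAC.

    Assumption (not from the slides): the nonce is something that differs per
    outgoing query, such as the transaction ID and source port. 256 bits cover
    any legal name, which has at most 253 characters.
    """
    mac = hmac.new(key, canonical.encode("ascii") + nonce, hashlib.sha256).digest()
    for byte in mac:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def apply_bits(name: str, bits: Iterable[int]) -> str:
    """Read bits sequentially, one per 0x20-capable character.

    bit 0 -> upper case (clear 0x20); bit 1 -> lower case (set 0x20).
    Digits, hyphens and dots carry no bit and are copied through unchanged.
    """
    bit_iter = iter(bits)
    out = []
    for ch in name:
        if is_0x20_capable(ch):
            code = ord(ch)
            code = (code | 0x20) if next(bit_iter) else (code & ~0x20)
            out.append(chr(code))
        else:
            out.append(ch)
    return "".join(out)


def encode_0x20(name: str, key: bytes, nonce: bytes) -> str:
    """Produce the 0x20-encoded query name the recursive resolver puts on the wire."""
    canonical = canonicalize(name)
    return apply_bits(canonical, derive_bits(canonical, key, nonce))


def verify_0x20(sent_qname: str, response_qname: str) -> bool:
    """Accept a response only if the echoed question name matches bit-for-bit.

    A case-insensitive comparison would defeat the scheme: a forger who guessed
    the transaction ID but not the case pattern would then be accepted.
    """
    return hmac.compare_digest(sent_qname.encode("ascii"), response_qname.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample: a resolver secret and the TXID/port of one outgoing query.
    secret = b"resolver-secret-key"
    nonce = (0x1A2B).to_bytes(2, "big") + (53211).to_bytes(2, "big")
    sent = encode_0x20("www.example.com", secret, nonce)
    print("on the wire :", sent, "(%d key bits, %d patterns)" % (key_bits(sent), key_space(sent)))
    print("echoed ok   :", verify_0x20(sent, sent))
    # A forged response whose name only matches case-insensitively is rejected.
    print("forgery     :", verify_0x20(sent, sent.swapcase()))
```

Run the file directly to see one encoded name and its key-bit count. verify_0x20 deliberately compares the echoed name byte-for-byte: the whole scheme rests on the recursive resolver refusing to treat "WwW.eXaMpLe.CoM." and "www.example.com." as the same answer, even though DNS itself considers them equal.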
Authority servers were probed to check whether they properly preserve and support 0x20 encoding. For three weeks, the authority servers listed in the .com and .net zones were targeted, yielding 75 million server names on average and 7 million probed queries, spread across every DNS server listed in these zones.
99.7% of the DNS servers studied support the 0x20 encoding scheme without any change to their code base. The remaining 0.3% tended to fail to preserve 0x20 encodings, mostly under very high query volume. Overall, confidence that 0x20 encoding is preserved even under high query volume is high.
Conclusion
DNS poisoning attacks present a persistent and ongoing threat to the Internet's critical infrastructure. 0x20 bit encoding makes an attacker's job more difficult and makes the recursive server more resistant to forgery, but not impenetrable: it adds entropy to each transaction rather than authenticating the answer. The scheme imposes little overhead on the recursive server, so performance is not sacrificed.
Benefits
- A lightweight and practical improvement to DNS security
- Requires no radical restructuring of the DNS infrastructure and can be adopted unilaterally by recursive servers
- Improves DNS security immediately, without requiring a community-wide effort
Limitations
- Protects only the recursive DNS server's transaction with authority servers (stub-to-recursive traffic is unchanged)
- The encoding does not provide strong guarantees of transaction integrity
- The effective key length is limited to the number of 0x20-capable (letter) characters in the domain name
Future work
- Explain in more detail how the keys would be managed
- Investigate ways to expand the key length so it is not limited by the number of 0x20-capable characters in the name