Skip to main content
SpringerLink
Log in

Security in Plain TXT

Observing the Use of DNS TXT Records in the Wild

  • Conference paper
  • First Online:
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11543))

Abstract

The Domain Name System is a critical piece of infrastructure that has expanded into use cases beyond its original intent. DNS TXT records are intentionally very permissive in what information can be stored there, and as a result are often used in broad and undocumented ways to support Internet security and networked applications. In this paper, we identified and categorized the patterns in TXT record use from a representative collection of resource record sets. We obtained the records from a data set containing 1.4 billion TXT records collected over a 2 year period and used pattern matching to identify record use cases present across multiple domains. We found that 92% of these records generally fall into 3 categories; protocol enhancement, domain verification, and resource location. While some of these records are required to remain public, we discovered many examples that unnecessarily reveal domain information or present other security threats (e.g., amplification attacks) in conflict with best practices in security.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Agar, R.J.M.: The domain name system (DNS): security challenges and improvements. Royal Holloway, University of London, Technical report (2010)

    Google Scholar 

  2. Agten, P., Joosen, W., Piessens, F., Nikiforakis, N.: Seven months’ worth of mistakes: a longitudinal study of typosquatting abuse. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2015)

    Google Scholar 

  3. Akamai: Security bulletin: Crafted DNS text attack (2014). https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/dns-txt-amplification-attacks-cybersecurity-threat-advisory.pdf

  4. Allman, E., Callas, J., Delany, M., Libbey, M., Fenton, J., Thomas, M.: Domainkeys identified mail (DKIM) signatures. RFC 4871, RFC Editor (2007). http://www.rfc-editor.org/rfc/rfc4871.txt

  5. Alrwais, S.A., Yuan, K., Alowaisheq, E., Li, Z., Wang, X.: Understanding the dark side of domain parking. In: USENIX Security Symposium (2014)

    Google Scholar 

  6. Amann, J., Gasser, O., Brent, L., Carle, G., Holz, R.: Mission accomplished? HTTPS security after DigiNotar. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2017)

    Google Scholar 

  7. Barnes, R., Hoffman-Andrews, J., McCarney, D., Kasten, J.: Draft: automatic certificate management environment (ACME) (2019). https://www.ietf.org/id/draft-ietf-acme-acme-18.txt

  8. Bellis, R.: DNS transport over TCP - implementation requirements. RFC 5966, RFC Editor (2010). http://www.rfc-editor.org/rfc/rfc5966.txt

  9. Borgolte, K., Fiebig, T., Hao, S., Kruegel, C., Vigna, G.: Cloud strife: mitigating the security risks of domain-validated certificates. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2018)

    Google Scholar 

  10. Brandt, M., Dai, T., Klein, A., Shulman, H., Waidner, M.: Domain validation++ for MitM-resilient PKI. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2018)

    Google Scholar 

  11. Bushart, J., Rossow, C.: DNS unchained: amplified application-layer DoS attacks against DNS authoritatives. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 139–160. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_7

    Chapter  Google Scholar 

  12. Chung, T., et al.: A longitudinal, end-to-end view of the DNSSEC ecosystem. In: USENIX Security Symposium (2017)

    Google Scholar 

  13. Chung, T., van Rijswijk-Deij, R., Choffnes, D., Levin, D., Maggs, B.M., Mislove, A., Wilson, C.: Understanding the role of registrars in DNSSEC deployment. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2017)

    Google Scholar 

  14. Cisco: Cisco umbrella populatiry list, 26 September 2017. http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m-TLD-2017-09-26.csv.zip

  15. Dagon, D., Provos, N., Lee, C.P., Lee, W.: Corrupted DNS resolution paths: the rise of a malicious resolution authority. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2008)

    Google Scholar 

  16. Dietrich, C., Krombholz, K., Borgolte, K., Fiebig, T.: Investigating system operators’ perspective on security misconfigurations. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2018)

    Google Scholar 

  17. Dinaburg, A.: Bitsquatting: DNS hijacking without exploitation. In: Proceedings of BlackHat Security (2011)

    Google Scholar 

  18. DMARC.org: Dmarc overview. https://dmarc.org/overview/

  19. Durumeric, Z., Adrian, D., Mirian, A., Kasten, J.: Neither snow nor rain nor MITM... an empirical analysis of mail delivery security. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2015)

    Google Scholar 

  20. Foster, I.D., Larson, J., Masich, M., Snoeren, A.C., Savage, S., Levchenko, K.: Security by any other name: on the effectiveness of provider based email security. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2015)

    Google Scholar 

  21. Görling, S.: An overview of the sender policy framework (SPF) as an anti-phishing mechanism. Internet Res. 17(2), 169–179 (2007)

    Article  Google Scholar 

  22. Herzberg, A., Shulman, H.: DNSSEC: security and availability challenges. In: IEEE Conference on Communications and Network Security (CNS), pp. 365–366. IEEE (2013)

    Google Scholar 

  23. Hu, H., Wang, G.: End-to-end measurements of email spoofing attacks. In: USENIX Security Symposium (2018)

    Google Scholar 

  24. Kaminsky, D.: Black ops 2008: it’s the end of the cache as we know it. Black Hat USA (2008)

    Google Scholar 

  25. Kintis, P., et al.: Hiding in plain sight: a longitudinal study of combosquatting abuse. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2017)

    Google Scholar 

  26. Kountouras, A., et al.: Enabling network security through active DNS datasets. In: Proceedings of the International Symposium on Research in Attacks, Intrusions, and Defenses (RAID) (2016)

    Chapter  Google Scholar 

  27. Le, T., Van Rijswijk-Deij, R., Allodi, L., Zannone, N.: Economic incentives on DNSSEC deployment: time to move from quantity to quality. In: IEEE/IFIP Network Operations and Management Symposium (NOMS) (2018)

    Google Scholar 

  28. Lever, C., Walls, R., Nadji, Y., Dagon, D., McDaniel, P., Antonakakis, M.: Domain-z: 28 registrations later measuring the exploitation of residual trust in domains. In: IEEE Symposium on Security and Privacy (SP) (2016)

    Google Scholar 

  29. Lyon, J., Wong, M.: Sender id: authenticating e-mail. internet engineering task force (IETF). RFC 4406, RFC Editor (2006). http://www.rfc-editor.org/rfc/rfc4406.txt

  30. M. Kucherawy, E., E. Zwicky, E.: Domain-based message authentication, reporting, and conformance (DMARC). RFC 7489, RFC Editor (2015). http://www.rfc-editor.org/rfc/rfc7489.txt

  31. MacFarland, D.C., Shue, C.A., Kalafut, A.J.: Characterizing optimal DNS amplification attacks and effective mitigation. In: Mirkovic, J., Liu, Y. (eds.) PAM 2015. LNCS, vol. 8995, pp. 15–27. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15509-8_2

    Chapter  Google Scholar 

  32. Mockapetris, P.: Domain names - implementation and specification. RFC 1035, RFC Editor (1987). http://www.rfc-editor.org/rfc/rfc1035.txt

  33. Neij, F., Norberg, A., Brown, C.: Bep 34: DNS tracker preferences. http://www.bittorrent.org/beps/bep_0034.html

  34. Nikiforakis, N., Balduzzi, M., Desmet, L., Piessens, F., Joosen, W.: Soundsquatting: uncovering the use of homophones in domain squatting. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 291–308. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13257-0_17

    Chapter  Google Scholar 

  35. Nikiforakis, N., Van Acker, S., Meert, W., Desmet, L., Piessens, F., Joosen, W.: Bitsquatting: exploiting bit-flips for fun, or profit? In: Proceedings of the International Conference on World Wide Web (WWW) (2013)

    Google Scholar 

  36. Osterweil, E., Ryan, M., Massey, D., Zhang, L.: Quantifying the operational status of the DNSSEC deployment. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2008)

    Google Scholar 

  37. Pearce, P., et al.: Global measurement of DNS manipulation. In: USENIX Security Symposium (2017)

    Google Scholar 

  38. van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2014)

    Google Scholar 

  39. Scheitle, Q., et al.: A long way to the top: significance, structure, and stability of internet top lists. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2018)

    Google Scholar 

  40. Scheitle, Q., et al.: A first look at certification authority authorization (CAA). ACM SIGCOMM Comput. Commun. Rev. 48(2), 10–23 (2018)

    Article  Google Scholar 

  41. Schlitt, W., Wong, M.W.: Sender policy framework (SPF) for authorizing use of domains in e-mail, version 1. RFC 4408, RFC Editor (2006). http://www.rfc-editor.org/rfc/rfc4408.txt

  42. Statuspage: DNS configuration requirements. https://help.statuspage.io/knowledge_base/topics/domain-ownership

  43. Szalachowski, P., Perrig, A.: Short paper: on deployment of DNS-based security enhancements. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 424–433. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_24

    Chapter  Google Scholar 

  44. Telnames Limited:tel (2019). https://www.do.tel/

  45. Wander, M.: Measurement survey of server-side DNSSEC adoption. In: Proceedings of the Network Traffic Measurement and Analysis Conference (TMA) (2017)

    Google Scholar 

  46. Wang, Y.M., Beck, D., Wang, J., Verbowski, C., Daniels, B.: Strider typo-patrol: discovery and analysis of systematic typo-squatting. SRUTI 6, 31–36 (2006)

    Google Scholar 

  47. Weaver, N., Kreibich, C., Paxson, V.: Redirecting DNS for ads and profit. In: USENIX Workshop on Free and Open Communications on the Internet (FOCI) (2011)

    Google Scholar 

  48. Zdrnja, B., Brownlee, N., Wessels, D.: Passive monitoring of DNS anomalies. In: Hämmerli, B.M., Sommer, R. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2007. Lecture Notes in Computer Science, vol. 4579, pp. 129–139. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73614-1_8

    Chapter  Google Scholar 

  49. Zmijewski, E.: Accidentally importing censorship, March 2010. https://dyn.com/blog/fouling-the-global-nest/

Download references

Author information

Authors and Affiliations

  1. Villanova University, Villanova, USA

    Adam Portier & Henry Carter

  2. Georgia Institute of Technology, Atlanta, USA

    Charles Lever

Authors
  1. Adam Portier
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Henry Carter
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Charles Lever
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Adam Portier .

Editor information

Editors and Affiliations

  1. University of Georgia, Athens, GA, USA

    Roberto Perdisci

  2. University of Rennes, CNRS, IRISA, Rennes, France

    Clémentine Maurice

  3. University of Cagliari, Cagliari, Italy

    Giorgio Giacinto

  4. Chalmers University of Technology, Gothenburg, Sweden

    Magnus Almgren

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Portier, A., Carter, H., Lever, C. (2019). Security in Plain TXT. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science(), vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-22038-9_18

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation