
A Peek into the DNS Cookie Jar

An Analysis of DNS Cookie Use

Conference paper, Passive and Active Measurement (PAM 2021)

Abstract

The Domain Name System (DNS) has been frequently abused for Distributed Denial of Service (DDoS) attacks and cache poisoning because it relies on the User Datagram Protocol (UDP). Since UDP is connectionless, it is trivial for an attacker to spoof the source of a DNS query or response. DNS Cookies, a protocol standardized in 2016, add pseudo-random values to DNS packets to provide identity management and prevent spoofing attacks. In this paper, we present the first study measuring the deployment of DNS Cookies in nearly all aspects of the DNS architecture. We also provide an analysis of the current benefits of DNS Cookies and the next steps for stricter deployment. Our findings show that cookie use is limited to less than 30% of servers and 10% of recursive clients. We also find several configuration issues that could lead to substantial problems if cookies were strictly required. Overall, DNS Cookies provide limited benefit in a majority of situations and, given current deployment, do not prevent DDoS or cache poisoning attacks.


Notes

  1. The chance of a non-dynamic cookie being classified as dynamic is extremely small. Our window size accepts only 5,400 values out of the 4.3 billion possible values in the 32-bit field.

  2. It is possible that we misclassified a standard cookie with a nonce of 0x01000000 as being interoperable. 9,990 of these IPs sent at least two cookies that appeared interoperable in response to our 60 queries.

  3. We did not rerun the initial collection as the process is resource intensive and takes multiple days. We are also less interested in servers lost due to churn, as they are unlikely to be true open resolvers as opposed to misconfigurations.
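The cookie format the abstract describes and the two classification heuristics behind notes 1 and 2, as an added example in Python (not code from the paper or its authors). It encodes and decodes the EDNS(0) COOKIE option of RFC 7873, treats a 16-byte server cookie beginning 0x01 0x00 0x00 0x00 as the RFC 9018 interoperable layout (version, reserved bytes, 32-bit timestamp, 8-byte hash), and calls the timestamp "dynamic" only when it falls within a 5,400-value window. The window width comes from note 1; centring it on the observation time, the label strings, and the sample cookies are assumptions made here.

```python
"""Added example (not code from the paper or its authors).

Encodes and decodes the EDNS(0) COOKIE option defined in RFC 7873 (option
code 10: an 8-byte client cookie optionally followed by an 8..32-byte server
cookie), then applies two classification heuristics modelled on the paper's
notes:

  * note 2: a 16-byte server cookie starting 0x01 0x00 0x00 0x00 matches the
    RFC 9018 interoperable layout (version 1, three reserved zero bytes,
    32-bit timestamp, 8-byte hash);
  * note 1: the 32-bit field at offset 4 counts as "dynamic" only if it lies in
    a window of 5,400 values. The window width is from the paper; centring it
    on the observation time is an assumption made here.

The sample cookies below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

COOKIE_OPTION_CODE = 10   # EDNS OPTION-CODE for COOKIE (RFC 7873)
WINDOW_VALUES = 5400      # note 1: accepted timestamp values (placement around "now" is assumed)


@dataclass
class Cookie:
    client: bytes             # always 8 bytes
    server: Optional[bytes]   # None when only the client cookie is present


def encode_cookie_option(client: bytes, server: Optional[bytes] = None) -> bytes:
    """Build the wire form OPTION-CODE | OPTION-LENGTH | client [| server]."""
    if len(client) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    if server is not None and not 8 <= len(server) <= 32:
        raise ValueError("server cookie must be 8 to 32 bytes")
    data = client + (server or b"")
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def decode_cookie_option(option: bytes) -> Cookie:
    """Parse one EDNS option, rejecting anything that is not a well-formed COOKIE option."""
    if len(option) < 4:
        raise ValueError("truncated EDNS option header")
    code, length = struct.unpack("!HH", option[:4])
    if code != COOKIE_OPTION_CODE:
        raise ValueError(f"not a COOKIE option (code {code})")
    data = option[4:4 + length]
    if len(data) != length:
        raise ValueError("OPTION-LENGTH exceeds the bytes available")
    if length == 8:
        return Cookie(client=data, server=None)
    if 16 <= length <= 40:
        return Cookie(client=data[:8], server=data[8:])
    raise ValueError(f"malformed COOKIE option length {length}")  # RFC 7873: answer FORMERR


def is_interoperable_layout(server: bytes) -> bool:
    """Note 2 heuristic: version byte 1, reserved bytes 0, total length 16.

    A legacy cookie whose first four bytes happen to be 0x01000000 passes too,
    which is the misclassification the paper's note 2 acknowledges."""
    return len(server) == 16 and server[:4] == b"\x01\x00\x00\x00"


def looks_dynamic(server: bytes, observed_at: int) -> bool:
    """Note 1 heuristic: read bytes 4..7 as a big-endian timestamp and accept it
    only inside a WINDOW_VALUES-wide window centred on observed_at (assumption)."""
    if len(server) < 8:
        return False
    (field,) = struct.unpack("!I", server[4:8])
    return abs(field - observed_at) <= WINDOW_VALUES // 2


def classify(server: Optional[bytes], observed_at: int) -> str:
    """Combine both heuristics into the labels used in the demo below."""
    if server is None:
        return "no server cookie"
    if not is_interoperable_layout(server):
        return "legacy (server-specific format)"
    if looks_dynamic(server, observed_at):
        return "interoperable, dynamic timestamp"
    return "interoperable layout, static timestamp"


# Constructed samples (not measurements from the paper).
SAMPLE_CLIENT = bytes(range(8))
SAMPLE_TS = 1_600_000_000                                   # 2020-09-13 12:26:40 UTC
SAMPLE_INTEROP = b"\x01\x00\x00\x00" + struct.pack("!I", SAMPLE_TS) + b"\xaa" * 8
SAMPLE_STATIC = b"\x01\x00\x00\x00" + b"\x00" * 12          # right prefix, timestamp never moves
SAMPLE_LEGACY = bytes.fromhex("deadbeef" * 4)               # 16 opaque bytes, no version prefix

if __name__ == "__main__":
    for name, server in [("interop", SAMPLE_INTEROP), ("static", SAMPLE_STATIC), ("legacy", SAMPLE_LEGACY)]:
        wire = encode_cookie_option(SAMPLE_CLIENT, server)
        parsed = decode_cookie_option(wire)
        print(f"{name:8s} {wire.hex()}  ->  {classify(parsed.server, SAMPLE_TS + 60)}")
```

Running the block prints the classification of each constructed sample. The `SAMPLE_STATIC` case shows why a fixed 0x01000000 prefix alone is not proof of an interoperable cookie: only a timestamp that tracks the observation time distinguishes it from a legacy cookie that happens to start with those bytes, which is the misclassification note 2 warns about.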


Acknowledgments

We gratefully acknowledge the Comcast Innovation Fund for their support of the work that produced this material. We also thank the PAM 2021 reviewers and our shepherd for their helpful comments.

Sandia National Laboratories is a multimission laboratory managed and operated by National Technology and Engineering Solutions of Sandia, LLC., a wholly owned subsidiary of Honeywell International, Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA-0003525.

Author information

Correspondence to Jacob Davis.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Davis, J., Deccio, C. (2021). A Peek into the DNS Cookie Jar. In: Hohlfeld, O., Lutu, A., Levin, D. (eds) Passive and Active Measurement. PAM 2021. Lecture Notes in Computer Science, vol 12671. Springer, Cham. https://doi.org/10.1007/978-3-030-72582-2_18


  • DOI: https://doi.org/10.1007/978-3-030-72582-2_18


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-72581-5

  • Online ISBN: 978-3-030-72582-2
