Abstract
The Domain Name System (DNS) is a critical component of the Internet infrastructure as it maps human-readable names to IP addresses. Injecting fraudulent mappings allows an attacker to divert users from intended destinations to those of an attacker’s choosing. In this paper, we measure the Internet’s vulnerability to DNS record injection attacks—including a new attack we uncover. We find that record injection vulnerabilities are fairly common—even years after some of them were first uncovered.
Work supported in part by NSF grants CNS-0831821, CNS-1213157 and CNS-1237265.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: DNS Security Introduction and Requirements. RFC 4033 (2005)
Bernstein, D.: http://cr.yp.to/djbdns/notes.html
Chun, B., Culler, D., Roscoe, T., Bavier, A., Peterson, L., Wawrzoniak, M., Bowman, M.: PlanetLab: An Overlay Testbed for Broad-Coverage Services. ACM CCR 33(3) (2003)
Dagon, D., Antonakakis, M., Vixie, P., Jinmei, T., Lee, W.: Increased DNS Forgery Resistance Through 0x20-bit Encoding: Security via Leet Queries. ACM CCS (2008)
Dagon, D., Provos, N., Lee, C., Lee, W.: Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority. In: NDSS (2008)
Fujiwara, K.: Number of Possible DNSSEC Validators Seen at jp. In: DNS-OARC Workshop (2012)
Google Public DNS. Performance Benefits, https://developers.google.com/speed/public-dns/docs/performance
Google Public DNS. Security Benefits, https://developers.google.com/speed/public-dns/docs/security
Gudmundsson, O., Crocker, S.: Observing DNSSEC Validation in the Wild. In: Workshop on Securing and Trusting Internet Names, SATIN (2011)
Kaminsky, D.: Black Ops 2008: It’s the End of the Cache As We Know It. In: Black Hat USA (2008)
Leonard, D., Loguinov, D.: Demystifying Service Discovery: Implementing an Internet-Wide Scanner. In: ACM Internet Measurement Conference (2010)
Mockapetris, P.: Domain Names Implementation and Specification. RFC 1035 (1987)
Schomp, K., Callahan, T., Rabinovich, M., Allman, M.: Client-Side DNS Infrastructure Datasets, http://dns-scans.eecs.cwru.edu/
Schomp, K., Callahan, T., Rabinovich, M., Allman, M.: On Measuring the Client-Side DNS Infrastructure. In: ACM Internet Measurement Conference (2013)
Weaver, N., Kreibich, C., Nechaev, B., Paxson, V.: Implications of Netalyzr’s DNS Measurements. In: Workshop on Securing and Trusting Internet Names (SATIN) (2011)
Weaver, N., Kreibich, C., Paxson, V.: Redirecting DNS for Ads and Profit. In: Workshop on Free and Open Comm. on the Internet (2011)
Zhang, C., Huang, C., Ross, K., Maltz, D., Li, J.: Inflight Modifications of Content: Who Are The Culprits? In: LEET (2011)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Schomp, K., Callahan, T., Rabinovich, M., Allman, M. (2014). Assessing DNS Vulnerability to Record Injection. In: Faloutsos, M., Kuzmanovic, A. (eds) Passive and Active Measurement. PAM 2014. Lecture Notes in Computer Science, vol 8362. Springer, Cham. https://doi.org/10.1007/978-3-319-04918-2_21
Download citation
DOI: https://doi.org/10.1007/978-3-319-04918-2_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-04917-5
Online ISBN: 978-3-319-04918-2
eBook Packages: Computer ScienceComputer Science (R0)