
Large-Scale Analysis of Infrastructure-Leaking DNS Servers

Conference paper, Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)

Abstract

The Domain Name System (DNS) is a fundamental backbone service of the Internet. In practice, this infrastructure often shows flaws, which is why measuring the DNS is important for understanding potential (security) issues. Several works deal with the DNS and present such problems, mitigations, and attack vectors. A so far overlooked issue is that DNS servers may answer external queries with information about the internal network (e.g., hostnames). This behavior enables active network reconnaissance without the need for any individual vulnerability or exploit. Analyzing how public DNS services might involuntarily disclose sensitive information ties in with the trust we place in Internet services.

To investigate this phenomenon, we conducted a systematic measurement study. We crawled all publicly reachable DNS servers in 15 scans over a period of almost six months and analyzed up to 574,000 DNS servers per run that are configured in a way that might lead to this kind of information leakage. With this large-scale evaluation, we show that such possibly infrastructure-leaking DNS servers make up, on average over all our scans, almost 4% of all reachable DNS servers on the Internet. Based on our newest scan, the countries with the most of these servers are Romania, China, and the US; there, the share of such servers among all reachable servers is about 15% in Romania, 9% in China, and 2.9% in the US. A detailed analysis of the responses reveals that not all answers provide useful information for an adversary. However, we found that up to 158,000 DNS servers provide potentially exploitable information in the wild. Hence, this measurement study demonstrates that a DNS server must be configured carefully; otherwise, it may disclose too much information.



Acknowledgment

This work was partially supported by the German Federal Ministry of Education and Research (BMBF grant 16KIS0395 “secUnity”). We would like to thank the anonymous reviewers for their valuable feedback.

Author information

Corresponding author: Dennis Tatang.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Tatang, D., Schneider, C., Holz, T. (2019). Large-Scale Analysis of Infrastructure-Leaking DNS Servers. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science(), vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_17


  • DOI: https://doi.org/10.1007/978-3-030-22038-9_17


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9

