Domain Name System (DNS) Security: Health Measurement and Intrusion Detection
Date
2022
Authors
.., Sanjay
Journal Title
Journal ISSN
Volume Title
Publisher
National Institute of Technology Karnataka, Surathkal
Abstract
DNS is an essential service for the smooth functioning of all Internet services, including web applications, email, messaging services, and online social networks: it resolves a human-readable hostname to an IP address. Nearly every network communication begins with a DNS mapping of a domain name to the IP address the program can then connect to, and many programs stop working as soon as this mapping service is unavailable. Adversaries are therefore keen to deny the service by exploiting software bugs and configuration weaknesses, or by abusing the protocol's standard functions. In such cases, attackers may take advantage of DNS server settings that lack sufficient security hardening to perform unauthorized zone transfers, manipulate resolvers into returning forged IP addresses that redirect users and divert web and email traffic, or mount high-volume DNS amplification attacks.
DNS also plays a significant role in the overall user experience of Internet services. However, it is largely overlooked, and is often found without adequate protection, running outdated software versions, or entirely unsecured. Because most organizations are unaware that DNS is a key attack vector, DNS-based attacks and exploitation succeed. An attacker can turn the DNS to disruptive uses such as network footprinting, delivery of malicious software, communication with command-and-control servers, exfiltration of data out of a network, and DNS-based reflective amplification DDoS. DNS deployments also face security issues such as DoS/DDoS attacks on DNS servers, DNS cache poisoning, NXDOMAIN (non-existent domain) floods, MITM (man-in-the-middle) attacks, and DNS transaction ID spoofing. Monitoring DNS traffic for threats is therefore very important.
This research provides two novel methods for securing DNS infrastructure: DNS health measurement and DNS intrusion detection. As part of the research, we compare DNS query resolution latency over the IPv4 and IPv6 network stacks by setting up, on a dual-stack network, a three-level DNS hierarchy for the forward lookup tree and a four-level hierarchy for the reverse lookup tree, with ROOT at the top level, a TLD at the second, an SLD at the third, and subdomains at the fourth level. We also set up a dual-stack recursive resolver.
In this thesis, we offer an empirical technique for measuring the health of authoritative DNS servers, a key component of the DNS infrastructure. Three new parameter classes are proposed and evaluated for assessing the health of authoritative servers: DNS software weaknesses, DNS latency compared with ICMP latency, and DNSSEC validation. The proposed methodology is extensible across the components of the entire DNS infrastructure and could be used to analyze, identify, and prevent DNS abuse on a regular basis.
We present DNS Intrusion Detection (DID), a system integrated into Snort, a prominent open-source IDS, to detect major DNS-related attacks. We developed new IDS signatures for the various tools used in DNS tunneling, DNS amplification, and DNS DoS attacks, and used them to identify those attacks when carried out with different tools available on the Internet. DID showed a high detection rate and a low false-positive rate during testing.
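The kind of logic such signatures encode, shown as an added illustration that is not part of the thesis or its Snort rules: a small Python detector run over constructed DNS query records, flagging tunneling indicators (long or high-entropy subdomains, data-carrying TXT/NULL queries), amplification candidates (ANY queries or a large response-to-request size ratio), and per-source query floods. The thresholds, the sample records and the two-label registrable-suffix assumption are all assumptions made for the example.

```python
"""Heuristic DNS attack indicators over constructed query records.

Added example, not the thesis's method or its Snort signatures.
All thresholds below are assumed illustrative values, not tuned results.
"""
import math
from collections import Counter, defaultdict

# Assumed thresholds (illustrative, not values from the thesis)
MAX_QNAME_LEN = 100      # total characters in the query name
MAX_LABEL_LEN = 30       # characters in a single label
MIN_SUB_ENTROPY = 3.5    # bits per character over the subdomain part
AMP_MIN_FACTOR = 5.0     # response bytes / request bytes
DOS_MAX_QPS = 50         # queries per second from one source


def shannon_entropy(text):
    """Bits per character of the text's empirical symbol distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def tunneling_indicators(qname, qtype):
    """Return the list of tunneling heuristics the query trips (empty if none).

    The subdomain is taken as everything below the last two labels. This
    assumes a two-label registrable suffix and is wrong for e.g. .co.uk
    (assumption; a public-suffix list would fix it).
    """
    labels = qname.rstrip(".").split(".")
    sub = "".join(labels[:-2])
    hits = []
    if len(qname) > MAX_QNAME_LEN:
        hits.append("long qname")
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        hits.append("long label")
    if len(sub) >= 16 and shannon_entropy(sub) > MIN_SUB_ENTROPY:
        hits.append("high entropy subdomain")
    if qtype in ("TXT", "NULL") and sub:
        hits.append("data-carrying qtype with subdomain")
    return hits


def amplification_factor(request_bytes, response_bytes):
    """Size ratio of the response to the request that produced it."""
    return response_bytes / request_bytes


def is_amplification_candidate(qtype, request_bytes, response_bytes):
    """ANY queries, or any query whose response is AMP_MIN_FACTOR times larger."""
    return qtype == "ANY" or amplification_factor(request_bytes, response_bytes) >= AMP_MIN_FACTOR


def dos_sources(records):
    """Sources whose query count in any one-second bucket exceeds DOS_MAX_QPS."""
    per_second = defaultdict(int)
    for r in records:
        per_second[(r["src"], int(r["ts"]))] += 1
    return sorted({src for (src, _), n in per_second.items() if n > DOS_MAX_QPS})


# Constructed sample records (not real traffic): one benign lookup, one
# base32-looking TXT query, one ANY query with a large answer, and a burst
# of 60 random-subdomain A queries from a single source within one second.
SAMPLE = [
    {"ts": 1.0, "src": "10.0.0.5", "qname": "www.example.com.", "qtype": "A", "req": 33, "resp": 49},
    {"ts": 1.1, "src": "10.0.0.7", "qname": "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example.net.",
     "qtype": "TXT", "req": 75, "resp": 220},
    {"ts": 1.2, "src": "203.0.113.9", "qname": "example.org.", "qtype": "ANY", "req": 29, "resp": 1420},
] + [
    {"ts": 2.0 + i / 1000, "src": "198.51.100.3", "qname": f"r{i}.example.com.", "qtype": "A", "req": 30, "resp": 46}
    for i in range(60)
]


def analyse(records):
    """Run all three heuristics and return a list of (kind, src, qname, detail) alerts."""
    alerts = []
    for r in records:
        hits = tunneling_indicators(r["qname"], r["qtype"])
        if hits:
            alerts.append(("tunneling", r["src"], r["qname"], hits))
        if is_amplification_candidate(r["qtype"], r["req"], r["resp"]):
            factor = round(amplification_factor(r["req"], r["resp"]), 1)
            alerts.append(("amplification", r["src"], r["qname"], factor))
    for src in dos_sources(records):
        alerts.append(("dos", src, None, None))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

The entropy test is what separates encoded payloads from ordinary hostnames: a real deployment would whitelist known CDN and anti-spam domains that legitimately use long, random-looking labels, and would tune the per-second bucket to the resolver's normal load rather than the fixed value used here.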
Description
Keywords
DNS Tunneling, DNS Amplification, DoS Attack, IPv6 DNS Query Latency