Kim et al. J Surveill Secur Saf 2020;1:34-60  I  http://dx.doi.org/10.20517/jsss.2020.14                                                               Page 35

               1. INTRODUCTION
               Over the past 30 years, we have experienced more convenient Internet services through the human-friendly
               Domain Name System (DNS) functionality, which maps domain names to internet protocol (IP) addresses
               using globally distributed hierarchical name servers. Internet users with domain addresses can utilize
               various Internet services, such as web surfing, e-mail, and even mobile services without entering machine-
               recognized IP addresses. However, DNS was first developed without consideration of cybersecurity and
                                   [1,2]
               caused many problems . There is no doubt that there are many cyber attacks on DNS in the wild. In a
               recent attack, for instance, attackers redirected DNS lookup for MyEtherWallet.com to a malicious website
                                                                                   [3]
               that looked like an authentic website, for hijacking victims’ account information .
               To overcome such various DNS security problems (i.e., directory lookup) and reinforce cybersecurity, the
               DNS security extensions (DNSSEC) protocol was developed. DNSSEC implanted the digital signature
               mechanism of public-key cryptography into the DNS system [4-7] . DNSSEC extends DNS based on the
               hierarchical public key infrastructure (PKI) to protect data published in DNS. Certificates for the public
               keys are issued by trusted certificate authorities (CAs), which certify the ownership of the public keys.
               Thus, clients and resolvers can verify that DNS responses have not been forged or altered, using DNSSEC.
                                                                                               [8]
               However, DNSSEC still suffers from deployment issues in the current Internet. Chung et al.  found that
               31% of domains supporting DNSSEC failed to publish all relevant records required for validation and
               39% of domains used an insufficiently strong key-signing key. They also found that 82% of the resolvers
               requested DNSSEC records, but only 12% of them attempted to validate the DNSSEC records. Additionally,
               several studies have been performed to scrutinize the CA model for lack of transparency and choice of
               trusted CA sets [9,10] . If one of the CAs acting as a trust anchor is compromised, all information certified by
               the CA may be falsified.


               The 2016 Dyn cyberattack was a significant event indicating serious DNS risk. Dyn, which is a popular
               DNS provider, was attacked by two large and complex distributed denial-of-service(DDoS) attacks
                                          [11]
               against the DNS infrastructure . Eventually, several major Internet services and banking systems were
                                [12]
               paralyzed. Figure 1  shows the map of the Internet disabling in North America by the Dyn cyberattack.
               An interesting issue with this attack is that a large part of the US was impacted by attacking Data Centers
               in only certain parts of the US. That is, the attack directly targeted only a locally distributed DNS with a
               local Botnet. Moreover, the Cyber Security Report , released in 2018, describes DNS as the largest (82%)
                                                          [13]
               Internet service target of application-layer attacks. Despite efforts to improve DNS’s security problems, DNS
               is still a popular target for cyberattacks because of its essential role on the Internet, and its vulnerability.

               This paper is a comprehensive survey of vulnerabilities of DNS (and DNSSEC), attacks exploiting those
               vulnerabilities, and mitigations proposed or deployed to address such attacks. There have been previous
                                                            [14]
                                                                                                       [15]
               surveys on more restricted aspects of DNS security , a broader security context that includes DNS ,
               or the use of DNS to combat specific types of attacks [16,17] . The contributions of this paper are: (1) first,
               the problems of DNS and DNSSEC security are described and classified as fundamental, structural, and
               systematic vulnerabilities. Also, the increasing seriousness of DNS attacks is discussed; second, various
               DNS attacks are discussed and classified by purpose, to understand and analyze them; finally, defenses
               against DNS attacks are described, and the effectiveness of current DNS attack mitigation is assessed.


               The paper is organized as follows. Section 2 provides background on DNS and DNSSEC. Section 3
               describes the security vulnerabilities of DNS and DNSSEC. Section 4 explains typical DNS attacks that
               currently threaten Internet users, assesses these attacks according to seriousness and classifies DNS attacks
               by purpose. Section 5 explores DNS attack mitigation methods and assesses their strengths and weaknesses.
               Section 6 concludes with the implications of this study and opportunities for research.