Kim et al. J Surveill Secur Saf 2020;1:34-60  I  http://dx.doi.org/10.20517/jsss.2020.14                                                               Page 43

for attackers to craft responses that pass these tests, as follows:

(1) No secured packet through UDP [25]: The basic query of DNS is delivered over the UDP protocol, which is unencrypted. An attacker could first capture a DNS query packet and forge a response from the name server in a malicious response before the resolver receives a valid response. This attack is made easier if routers are subverted as well.

(2) Transaction ID prediction [26]: The transaction ID is unique among the several parameters that match DNS responses to requests. However, if the transaction ID is predictable, it becomes easier to forge a DNS response. The transaction ID is a 16-bit field in the DNS header and is issued by the DNS algorithm. The ID value has a range of 32,768 values, but it is easier to predict if DNS randomization is poorly done (e.g., overload in cache). It is also predictable just by observing the request ID. Thus, attackers can easily guess the transaction ID and have their DNS response accepted as valid. For Berkeley Internet Name Domain (BIND) versions 4 and 8, a sequential transaction ID method is used, allowing the response ID to be obtained simply by adding 1 to the request ID. BIND version 9 and later adopts fully randomized transaction IDs and does not re-use the same ID for the same domain name. and predict the next transaction ID.

(3) Caching problems [27]: Caching is used for DNS efficiency. By storing the IP for the domain for a period of time, unnecessary IP address requests and the access time to that domain can be reduced. Cache poisoning, a typical DNS attack using such a vulnerability, is one of the major threats to DNS. In cache poisoning, an attacker injects a malicious IP address into the DNS cache, causing users to receive false translation information for an extended period.

(4) Lack of protection against DDoS: About 93% of all cyberattacks on the Internet are reported as DDoS attacks [13]. DNS is also vulnerable to this attack. If DNS request floods occur, the DNS name server that handles the requests cannot respond to all of them, making the DNS service unavailable. As a consequence, all users relying on that DNS name server are unable to use the Internet. Due to the absence of a mechanism to block and prevent such attack patterns, DNS is currently suffering from many DDoS attacks.
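The transaction ID weakness in item (2) can be checked from the defender's side: a resolver operator can sample the IDs their resolver emits and measure whether they follow the sequential BIND 4/8 pattern or look randomized. The script below is an added example, not code from the paper; it assumes the RFC 1035 header layout (the ID is the first two big-endian bytes), and the two packet samples are constructed for the demo.

```python
import struct
import random

# Assumed layout (RFC 1035): a DNS message starts with a 12-byte header whose
# first two bytes are the 16-bit transaction ID, big-endian.
def parse_txid(packet: bytes) -> int:
    """Return the 16-bit transaction ID from the start of a DNS message."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes; packet too short")
    return struct.unpack("!H", packet[:2])[0]

def assess_txids(ids):
    """Score a sample of transaction IDs issued by one resolver.

    sequential: fraction of consecutive pairs where id[i+1] == id[i] + 1
                (mod 2^16, since the field is 16 bits) - the BIND 4/8 pattern.
    unique:     fraction of distinct IDs in the sample; re-use lowers it.
    Thresholds are illustrative: a mostly +1 walk or heavy re-use is flagged.
    """
    if len(ids) < 2:
        raise ValueError("need at least two IDs")
    steps = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) % 65536 == 1)
    seq_frac = steps / (len(ids) - 1)
    uniq_frac = len(set(ids)) / len(ids)
    verdict = "predictable" if seq_frac > 0.5 or uniq_frac < 0.9 else "randomized"
    return {"sequential": seq_frac, "unique": uniq_frac, "verdict": verdict}

def _header(txid: int) -> bytes:
    # Constructed 12-byte header: ID, flags=0x0100 (RD set), QDCOUNT=1, rest 0.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)

# Constructed samples: a sequential generator (BIND 4/8 style) and a randomized
# one (BIND 9 style; seeded only so the demo output is repeatable).
SEQUENTIAL_SAMPLE = [_header(0x1000 + i) for i in range(50)]
_rng = random.Random(2020)
RANDOM_SAMPLE = [_header(_rng.randrange(65536)) for _ in range(50)]

def assess_packets(packets):
    """Convenience wrapper: extract IDs from raw packets, then score them."""
    return assess_txids([parse_txid(p) for p in packets])

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(name, assess_packets(sample))
```

On a real resolver the packet list would come from a capture of outbound queries; the scoring itself does not depend on how the sample was collected.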


3.2 DNSSEC vulnerabilities
As shown in Section II, DNSSEC has enhanced security for authentication and integrity by adding digital signatures using public and private keys to existing DNS to overcome known DNS vulnerabilities. However, DNSSEC is still suffering from various attacks through vulnerabilities and limitations.

3.2.1 Overhead
DNSSEC adds four record types to the DNS: RRSIG, DNSKEY, Delegation Signer (DS), and Next Secure (NSEC). Because of these extended records, DNSSEC requires more overhead than traditional DNS and increases processing time and packet size. The size of a DNSSEC packet is up to 2000 bytes, while the UDP size specified by the RFC is 512 bytes. Therefore, the packets in DNSSEC are fragmented, which may result in DNS fallback. For example, suppose the fragmented DNSSEC packets are not delivered properly, a public key that was previously verified during a key rollover is still stored in the local cache, and a DNS data packet signed with a new key is received; verification of the new packet will eventually fail and the packet will be ignored. As a result, the user is provided neither with the DNS service nor with authentication [28].
3.2.2 Complexity
The implementation of DNSSEC has been found to have problems in deployment. Misconfiguration may increase because DNSSEC significantly increases the complexity of the existing DNS infrastructure [29]. The misconfiguration may result in incorrect DNSSEC RRs and authentication problems such that the data is regarded as fake, even though it is correct, causing name translation to fail [30].
3.2.3 Untrustworthy resolver
Assuming a reliable DNSSEC system is built on DNS, most of the DNS responses are trustworthy. However, if there are unreliable resolvers to deliver the final DNS response provided by the secure DNS