Page 44 Kim et al. J Surveill Secur Saf 2020;1:34-60 I http://dx.doi.org/10.20517/jsss.2020.14
server, Internet users are exposed to DNS threats despite the robust DNSSEC [31]. Usually, most people do
not consider how much they trust the local DNS resolver that is set up for them but simply use the default
local DNS resolver provided by the network. For example, if a typical user connects to the Internet over
public Wi-Fi, the DNS resolver is automatically configured as the default. Exploiting such a problem, an
attacker may intercept the request and configure a malicious DNS resolver that delivers false DNS data to
the victim. To counteract this, the chain of trust should be extended from the DNS resolver to the users.
Dynamic Host Configuration Protocol (DHCP) with authorization tickets is one way to identify DNS
resolvers that are trustworthy [32]. However, if the DHCP server is disabled, or untrustworthy itself, all users
in the network could be affected.
3.2.4 Zone list exposure
The DNS database is broken into zones of records. Each zone contains not only a domain’s records but may
also contain its subdomains and related records. DNSSEC has a security function that can cryptographically
prove that a domain or resource record does not exist, using the NSEC (Next Secure) record type. This, however,
makes it possible for an outsider to discover the names in an entire zone, a process known as zone enumeration.
To address this issue, the NSEC3 RR has been standardized, but zone enumeration can still be seriously
facilitated by malicious NSEC3 and DNS servers that do not implement the standard [33].
Also, zone transfer is used to synchronize zone files between primary and secondary DNS servers. This
synchronization is often accomplished using NFS or a specialized zone-transfer function. Although zone file
transfers are necessary, a misconfigured transfer may pose a serious threat of leaking information.
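To make the NSEC/NSEC3 distinction concrete, the following added example (not code from the paper) implements the RFC 5155 owner-name hash and the hashed-span check a validating resolver performs for a denial-of-existence proof. The zone names, salt and iteration count are constructed for the demonstration; the salt and iterations are the ones used in the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

# base32 -> base32hex alphabet mapping (RFC 4648 section 7), used by NSEC3 owner names
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) DNS wire format of an owner name, per RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), H = SHA-1."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # a 20-byte digest encodes to exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def build_nsec3_chain(names, salt_hex, iterations):
    """Hash every owner name in the zone and link the sorted hashes into a ring
    (owner_hash, next_hash), which is what the zone's NSEC3 RRs encode."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]

def nsec3_covers(owner: str, nxt: str, target: str) -> bool:
    """True if target lies strictly inside the (owner, next) gap; the last record wraps around."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt

def denial_status(chain, qname: str, salt_hex: str, iterations: int) -> str:
    """Single-span check only: 'exists', 'proven-absent' or 'no-proof'.
    A complete validator also needs the closest-encloser and wildcard proofs of RFC 5155."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if owner == h:
            return "exists"
        if nsec3_covers(owner, nxt, h):
            return "proven-absent"
    return "no-proof"   # e.g. the resolver only received part of the chain

# Constructed zone for the demonstration; salt/iterations as in RFC 5155 Appendix A.
ZONE_NAMES = ["example.", "a.example.", "ns1.example.", "ns2.example."]
SALT, ITERATIONS = "aabbccdd", 12
CHAIN = build_nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
```

With plain NSEC the same ring would carry the owner names themselves, which is exactly what lets an outsider walk the zone; NSEC3 exposes only the hashes, so recovering names requires guessing them.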
3.2.5 Low deployment of DNSSEC
DNSSEC provides much stronger security for DNS, but it is currently plagued by slow deployment.
According to an Internet Society Report in 2016 [34], about 90% of TLD zones were signed with DNSSEC,
while for SLDs the figure was only 65% of DNSSEC-enabled zones. In addition, considering that the usage
of DNSSEC-validating resolvers is approximately 26%, the effective deployment might be lower. The
report also points out that the deployment of DANE, which builds on DNSSEC, is also low.
3.2.6 Amplification and reflection DDoS threat
DNSSEC is still a possible vehicle for amplification and reflection attacks [35]. Because of the additional
data carried by its digital signatures, a DNSSEC response is significantly larger than a normal
DNS response. On average, the size of a DNSSEC “ANY” response is 28 times larger than a normal
DNS “ANY” response [36], making amplification and reflection attacks even more damaging.
4 ATTACKS
This section presents the state of the art in DNS attacks, classifies them, and assesses them. Generally, a
DNS attack is an attack that targets multiple DNS servers on the Internet, using the DNS and DNSSEC
vulnerabilities described in the previous section. The goal of a DNS attack is to deplete the targeted
system's resources, corrupt its data, make the DNS system unavailable, or exploit the system to achieve
the final attack. As of now, these attacks have received considerable attention from researchers, governments
and industry, but they still pose a significant risk to Internet users.
DNS attacks may be separated into four categories: DNS data tampering, DNS data flooding, abuse of DNS,
and DNS server structure. Figure 7 shows the list of 11 DNS attacks that are categorized.
4.1 DNS data tampering
DNS data tampering occurs when an attacker hijacks and/or compromises unencrypted DNS data in transit
between users and DNS servers, so that users receive false address translation information. The