English
Related papers

Related papers: NXNSAttack: Recursive DNS Inefficiencies and Vulne…

200 papers

We present practical poisoning and name-server block- ing attacks on standard DNS resolvers, by off-path, spoofing adversaries. Our attacks exploit large DNS responses that cause IP fragmentation; such long re- sponses are increasingly…

Cryptography and Security · Computer Science 2015-03-20 Amir Herzberg , Haya Shulman

NSEC3 is a proof of non-existence in DNSSEC, which provides an authenticated assertion that a queried resource does not exist in the target domain. NSEC3 consists of alphabetically sorted hashed names before and after the queried hostname.…

Cryptography and Security · Computer Science 2024-06-19 Olivia Gruza , Elias Heftrig , Oliver Jacobsen , Haya Schulmann , Niklas Vogel , Michael Waidner

The domain name resolution into IP addresses can significantly delay connection establishments on the web. Moreover, the common use of recursive DNS resolvers presents a privacy risk as they can closely monitor the user's browsing…

Networking and Internet Architecture · Computer Science 2019-08-14 Erik Sy

Availability is a major concern in the design of DNSSEC. To ensure availability, DNSSEC follows Postel's Law [RFC1123]: "Be liberal in what you accept, and conservative in what you send." Hence, nameservers should send not just one matching…

Cryptography and Security · Computer Science 2024-06-06 Elias Heftrig , Haya Schulmann , Niklas Vogel , Michael Waidner

Domain Name System (DNS) is a critical component of the Internet. DNS resolvers, which act as the cache between DNS clients and DNS nameservers, are the central piece of the DNS infrastructure, essential to the scalability of DNS. However,…

Cryptography and Security · Computer Science 2023-10-06 Qifan Zhang , Xuesong Bai , Xiang Li , Haixin Duan , Qi Li , Zhou Li

We investigate defenses against DNS cache poisoning focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or a proxy. DNS poisoning is (still) a major threat to…

Cryptography and Security · Computer Science 2015-03-20 Amir Herzberg , Haya Shulman

Parallelization is featured by DNS recursive servers to do time-consuming recursions on behalf on clients. As common DNS configurations, recursive servers should allow a reasonable timeout for each recursion which may take as long as…

Cryptography and Security · Computer Science 2017-02-15 Zheng Wang

In spite of the availability of DNSSEC, which protects against cache poisoning even by MitM attackers, many caching DNS resolvers still rely for their security against poisoning on merely validating that DNS responses contain some…

Cryptography and Security · Computer Science 2015-03-20 Amir Herzberg , Haya Shulman

The Domain Name System Security Extensions (DNSSEC) are critical for preventing DNS spoofing, yet its specifications contain ambiguities and vulnerabilities that elude traditional "break-and-fix" approaches. A holistic, foundational…

Cryptography and Security · Computer Science 2025-12-15 Qifan Zhang , Zilin Shen , Imtiaz Karim , Elisa Bertino , Zhou Li

The Domain Name System (DNS) provides a translation between readable domain names and IP addresses. The DNS is a key infrastructure component of the Internet and a prime target for a variety of attacks. One of the most significant threat to…

Cryptography and Security · Computer Science 2019-06-27 Harel Berger , Amit Z. Dvir , Moti Geva

Cryptographic algorithm agility is an important property for DNSSEC: it allows easy deployment of new algorithms if the existing ones are no longer secure. In this work we show that the cryptographic agility in DNSSEC, although critical for…

Cryptography and Security · Computer Science 2023-02-15 Elias Heftrig , Haya Shulman , Michael Waidner

The high complexity of DNS poses unique challenges for ensuring its security and reliability. Despite continuous advances in DNS testing, monitoring, and verification, protocol-level defects still give rise to numerous bugs and attacks. In…

Cryptography and Security · Computer Science 2024-11-21 Dhruv Nevatia , Si Liu , David Basin

DNS Security Extensions (DNSSEC) provide the most effective way to fight DNS cache poisoning attacks. Yet, very few DNS resolvers perform DNSSEC validation. Identifying such systems is non-trivial and the existing methods are not suitable…

Cryptography and Security · Computer Science 2024-06-06 Yevheniya Nosyk , Maciej Korczyński , Andrzej Duda

In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at…

Cryptography and Security · Computer Science 2021-10-07 Marcin Nawrocki , Mattijs Jonker , Thomas C. Schmidt , Matthias Wählisch

One of the most critical components of the Internet that an attacker could exploit is the DNS (Domain Name System) protocol and infrastructure. Researchers have been constantly developing methods to detect and defend against the attacks…

Networking and Internet Architecture · Computer Science 2024-10-04 Abdullah Aydeger , Pei Zhou , Sanzida Hoque , Marco Carvalho , Engin Zeydan

The DNS infrastructure is infamous for facilitating reflective amplification attacks. Various countermeasures such as server shielding, access control, rate limiting, and protocol restrictions have been implemented. Still, the threat…

Cryptography and Security · Computer Science 2025-10-23 Maynard Koch , Florian Dolzmann , Thomas C. Schmidt , Matthias Wählisch

The threats of caching poisoning attacks largely stimulate the deployment of DNSSEC. Being a strong but demanding cryptographical defense, DNSSEC has its universal adoption predicted to go through a lengthy transition. Thus the DNSSEC…

Cryptography and Security · Computer Science 2016-02-29 Zheng Wang

We perform the first analysis of methodologies for launching DNS cache poisoning: manipulation at the IP layer, hijack of the inter-domain routing and probing open ports via side channels. We evaluate these methodologies against DNS…

Cryptography and Security · Computer Science 2022-05-13 Tianxiang Dai , Philipp Jeitner , Haya Shulman , Michael Waidner

The Domain Name System (DNS) comprises name servers translating domain names into, commonly, IP addresses. Authoritative name servers hosts the resource records (RR) for certain zones, and resolver name servers are responsible for querying…

Cryptography and Security · Computer Science 2024-01-09 Jonathan Magnusson

The absence of security and privacy measures between DNS recursive resolvers and authoritative nameservers has been exploited by both on-path and off-path attackers. Although numerous security proposals have been introduced in practice and…

Cryptography and Security · Computer Science 2025-06-27 Ali Sadeghi Jahromi , AbdelRahman Abdou , Paul C. van Oorschot
‹ Prev 1 2 3 10 Next ›