Top

International Journal of Information Security

Published in:

24-10-2017 | Regular Contribution

OnionDNS: a seizure-resistant top-level domain

Authors: Nolen Scaife, Henry Carter, Lyrissa Lidsky, Rachael L. Jones, Patrick Traynor

Published in: International Journal of Information Security | Issue 6/2018

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The Domain Name System (DNS) provides the critical service of mapping canonical names to IP addresses. Recognizing this, a number of parties have increasingly attempted to perform “domain seizures” on targets by having them delisted from DNS. Such operations often occur without providing due process to the owners of these domains, a practice made potentially worse by recent legislative proposals. We address this problem by creating OnionDNS, an anonymous top-level domain and resolution service for the Internet. Our solution relies on the establishment of a hidden service running DNS within Tor and uses a variety of mechanisms to ensure a high-performance architecture with strong integrity guarantees for resolved records. We then present our anonymous domain registrar and detail the protocol for securely transferring the service to another party. Finally, we also conduct both performance and legal analyses to further demonstrate the robustness of this approach. In so doing, we show that the delisting of domains from DNS can be mitigated in an efficient and secure manner.

previous article Optimization algorithm for k-anonymization of datasets with low information loss

next article DomainProfiler: toward accurate and early discovery of domain names abused in future

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Our solution neither requires nor requests endorsement or support from ICANN.

OS support for end-to-end DNSSEC validation is growing and many public resolvers, such as Google and Comcast, currently perform DNSSEC validation.

This type of privacy service is common among domain registrars, where a customer may be charged a service fee to obscure the domain’s WHOIS information.

112th Congress of the United States of America. H.R. 3261—Stop Online Piracy (SOPA) Act. http://thomas.loc.gov/cgi-bin/query/z?c112:H.R.3261: (2011)

112th Congress of the United States of America. Senate Bill 986—Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PIPA). http://thomas.loc.gov/cgi-bin/query/z?c112:S.968: (2011)

Alexa. Top 1,000,000 Sites. http://s3.amazonaws.com/alexa-static/top-1m.csv.zip

Anderson, R., et al.: The eternity service. In: Pragocrypt96, pp. 242–252 (1996)

Androulaki, E., Karame, G., Roeschlin, M., Scherer, T., Capkun, S.: Evaluating user privacy in bitcoin. IACR Cryptol. ePrint Arch. 2012, 596 (2012)

Anonymous: The collateral damage of internet censorship by DNS injection. ACM SIGCOMM Comput. Commun. Rev. 42(3), 21–27 (2012)CrossRef

Asia Pacific Network Information Centre Labs. Measuring DNSSEC performance. http://labs.apnic.net/?p=341 (2013)

Awerbuch, B., Scheideler, C.: Group spreading: a protocol for provably secure distributed name service. Autom. Lang. Program. 3142, 187–210 (2004)

Babaioff, M., Dobzinski, S., Oren, S., Zohar, A.: On bitcoin and red balloons. In: Proceedings of the 13th ACM Conference on Electronic Commerce, pp. 56–73. ACM (2012)

10.

Bambauer, D.E.: Orwell’s armchair. Univ. Chic. Law Rev. 79(3), 863–944 (2012)

11.

Biryukov, A., Pustogarov, I., Weinmann, R.-P.: Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization, IEEE (2013)

12.

Bogetoft, P., Christensen, D.L., Damgård, I., Geisler, M., Jakobsen, T., Krøigaard, M., Nielsen, J.D.,Nielsen, J.B., Nielsen, K., Pagter, J., et al.: Secure multiparty computation goes live. In: Financial Cryptography and Data Security, pp. 325–343. Springer, Berlin (2009)CrossRef

13.

Boyle, J.: Foucault in cyberspace: surveillance, sovereignty, and hardwired censors. Univ. Cincinnati Law Rev. 66, 177 (1997)

14.

Carter, H., Mood, B., Traynor, P., Butler, K.: Secure outsourced garbled circuit evaluation for mobile devices. In: Proceedings of the USENIX Security Symposium (2013)

15.

Chaitovitz, A., Hampton, C., Rosenbaum, K., Salem, A., Stoll, T., Tramposch, A.: Responding to online piracy: mapping the legal and policy boundaries. Comm. Law Conspec. 20(1), 1–40 (2012)

16.

Cheriton, D.R., Mann, T.P.: Decentralizing a global naming service for improved performance and fault tolerance. ACM Trans. Comput. Syst. 7(2), 147–183 (1989)CrossRef

17.

Clarke, I., Sandberg, O., Wiley, B., Hong, T.: Freenet: a distributed anonymous information storage and retrieval system. In: Designing Privacy Enhancing Technologies, pp. 46–66. Springer, Berlin (2001)CrossRef

18.

Cox, R., Muthitacharoen, A., Morris, R.: Serving DNS using a peer-to-peer lookup service. Peer-to-Peer Syst. 2429,155–165 (2002)

19.

Cranor, L.F., LaMacchia, B.A.: Spam!. Commun. ACM 41(8), 74–83 (1998)CrossRef

20.

D. E. 3rd.Transport Layer Security (TLS) Extensions: Extension Definitions. RFC 6066 (Proposed Standard) (2011)

21.

Dingledine, R.: Obfsproxy: the next step in the censorship arms race. Tor Project official blog (2012)

22.

Dingledine, R., Freedman, M., Molnar, D.: The free haven project: distributed anonymous storage service. In: Designing Privacy Enhancing Technologies, pp. 67–95. Springer, Berlin (2001)CrossRef

23.

Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. Technical report, DTIC Document (2004)

24.

Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Advances in Cryptology, pp. 139–147. Springer, Berlin (1993)

25.

Eastlake, D.E., et al.: Domain Name System Security Extensions, IETF (1999)

26.

Electronic Frontier Foundation. Anti-Counterfeiting Trade Agreement (ACTA). http://www.eff.org/issues/acta (2012)

27.

Feamster, N., Balazinska, M., Harfst, G., Balakrishnan, H., Karger, D.: Infranet: circumventing web censorship and surveillance. In: Proceedings of the 11th USENIX Security Symposium, pp. 247–262. San Francisco, CA (2002)

28.

Fischer, B.R.: OnionCat: a Tor-based anonymous VPN. In: Proceedings of the 25th Chaos Communication Congress (2008)

29.

Froomkin, A.M.: Wrong turn in cyberspace: using ICANN to route around the APA and the constitution. Duke Law J. 50(1), 17–186 (2000)CrossRef

30.

Henkin, L.: Restatement of the Law, Third: The Foreign Relations Law of the United States. American Law Institute-American Bar Association (ALI-ABA) (1987)

31.

Internet Systems Consortium. http://www.isc.org/downloads/bind/

32.

Johnson, A., Wacek, C., Jansen, R., Sherr, M., Syverson, P.: Users get routed: traffic correlation on Tor by realistic adversaries. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2013)

33.

Juels, A., Brainard, J.G.: Client puzzles: a cryptographic countermeasure against connection depletion attacks. NDSS 99, 151–165 (1999)

34.

Kamara, S., Mohassel, P., Riva, B.: Salus: a system for server-aided secure function evaluation. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2012)

35.

Karame, G., Androulaki, E., Capkun, S.: Two bitcoins at the price of one? Double-spending attacks on fast payments in bitcoin. IACR Cryptol. ePrint Arch. 2012, 248 (2012)

36.

Kolkman, O., Gieben, M.: RFC 4161 DNSSEC Operational Practices (2006)

37.

Kopel, K.: Operation seizing our sites: how the federal government is taking domain names without prior notice. Berkeley Technol. Law J. 28, 859–900 (2013)

38.

Laurie, B., Clayton, R.: “Proof-of-Work” proves not to work; version 0.2. In: Workshop on Economics and Information, Security (2004)

39.

Lee, T.B.: ICE Admits Year-long Seizure of Music Blog was a Mistake. http://arstechnica.com/tech-policy/2011/12/ice-admits-months-long-seizure-of-music-blog-was-a-mistake/ (2011)

40.

Mann, F.A.: The Doctrine of International Jurisdiction Revisited After Twenty Years (1984)

41.

Mestdagh, C.D.V., Rijgersberg, R.W.: Rethinking accountability in cyberspace: a new perspective on ICANN. Int. Rev. Law Comput. Technol. 21(1), 27–38 (2007)CrossRef

42.

Microsoft.Dnssec performance considerations.http://technet.microsoft.com/en-us/library/dn593667(v=ws.11).aspx (2014)

43.

Microsoft Corporation. Microsoft Corporation v. Dominique Alexander Piatti; Jone Does1-22.2011. Virginia Eastern District Court

44.

Microsoft Corporation. Microsoft Corporation v. Peng Yong et. al. 2012. Virginia Eastern District Court

45.

Microsoft Corporation.Microsoft v. John Does 1-39. 2012. New York Eastern District Court

46.

Miers, I., Garman, C., Green, M., Rubin, A.D: Zerocoin: anonymous distributed E-cash from bitcoin. In: IEEE Symposium on Security and Privacy (2013)

47.

Mittal, P., Khurshid, A., Juen, J., Caesar, M., Borisov, N.: Stealthy traffic analysis of low-latency anonymous communication using throughput fingerprinting. In: Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM, pp. 215–226 (2011)

48.

Mody, S.S.: National cyberspace regulation: unbundling the concept of jurisdiction. Stan. J. Int. 37, 365 (2001)

49.

Namecoin was stillborn, I had to switch off life-support. http://bitcointalk.org/index.php?topic=310954 (archived at http://www.webcitation.org/6KXauX8uC)

50.

Namecoin, http://namecoin.info/ (2015)

51.

Nadji, Y., Antonakakis, M., Perdisci, R., Dagon, D., Lee, W.: Beheading hydras: performing effective botnet takedowns. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2013)

52.

Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system. Consulted 1, 2012 (2008)

53.

Naraine, R.: Massive DDoS attack hit DNS root servers. http://www.internetnews.com/dev-news/article.php/1486981 (2002)

54.

Order, puerto 80 projects, s.l.u. v united states. http://www.eff.org/files/rojadirectaorder.pdf (2011)

55.

Overlier, L., Syverson, P.: Locating hidden servers. In: 2006 IEEE Symposium on Security and Privacy, p. 15. IEEE (2006)

56.

Panzarino, M.: Syrian Electronic Army Apparently Hacks DNS Records Of Twitter, NYT Through Registrar Melbourne IT. http://techcrunch.com/2013/08/27/syrian-electronic-army-apparently-hacks-dns-records-of-twitter-new-york-times-through-registrar-melboune-it/ (2013)

57.

Pappas, V., Massey, D., Terzis, A., Zhang, L.: A comparative study of the dns design with DHT-based alternatives. In: Proceedings of the IEEE INFOCOM 2006, 25th IEEE International Conference on Computer Communications, pp. 1–13 (2006)

58.

Park, K., Pai, V., Peterson, L., Wang, Z.: CoDNS: Improving DNS Performance and Reliability via Cooperative Lookups. In: OSDI, pp. 199–214 (2004)

59.

Piscitello, D.: Anatomy of a DNS DDoS Amplification Attack. http://www.watchguard.com/infocenter/editorial/41649.asp (2011)

60.

Poole, L., Pai, V.: ConfiDNS: leveraging scale and history to improve DNS security. In: Proceedings of the WORLDS (2006)

61.

Ramasubramanian, V., Sirer, E.: The design and implementation of a next generation name service for the internet. ACM SIGCOMM Comput. Commun. Rev. 331, 331–342 (2004)CrossRef

62.

Scaife, N., Carter, H., Traynor, P.: OnionDNS: a seizure-resistant top-level domain. In: Proceedings of the IEEE Conference on Communications and Network Security (CNS) (2015)

63.

Song, Y., Koyanagi, K.: Study on a hybrid P2P based DNS. In: 2011 IEEE International Conference on Computer Science and Automation Engineering, pp. 152–155 (2011)

64.

The List Of Sites Challenging Domain Seizures. http://www.techdirt.com/articles/20110612/21573514664/list-sites-challenging-domain-seizures.shtml

65.

Testimony of John Morton, Director, U.S. Immigration and Customs Enforcement, Before the U.S. House of Representatives Committee on the Judiciary, Subcommittee on Intellectual Property, Competition and the Internet on “Promoting Investment and Protecting Commerce Online: Legitimate Sites v. Parasites, Part II”. http://www.dhs.gov/news/2011/04/05/testimony-john-morton-director-us-immigration-and-customs-enforcement-promoting (2011)

66.

TorrentFreak.U.S. Government Shuts Down 84,000 Websites, ‘By Mistake’. http://torrentfreak.com/u-s-government-shuts-down-84000-websites-by-mistake-110216/

67.

U.S. Copyright Office. Circumvention of copyright protection systems. http://copyright.gov/title17/92chap12.html (2015)

68.

van Rijswijk-Deij, R., Sperotto, A., Pras, A.: Making the case for elliptic curves in DNSSEC. SIGCOMM Comput. Commun. Rev. 45(5), 13–19 (2015)CrossRef

69.

Waldman, M., Mazieres, D.: Tangler: a censorship-resistant publishing system based on document entanglements. In: Proceedings of the 8th ACM conference on computer and communications security, pp. 126–135. ACM (2001)

70.

Waldman, M., Rubin, A.D., Cranor, L.F.: Publius: a robust, tamper-evident, censorship-resistant, web publishing system. In: 9th USENIX Security Symposium, pp. 59–72 (2000)

71.

Wang, Q., Gong, X., Nguyen, G.T., Houmansadr, A., Borisov, N.: CensorSpoofer: asymmetric communication using IP spoofing for censorship-resistant web browsing. In: Proceedings of the 2012 ACM conference on Computer and Communications Security, pp. 121–132. ACM (2012)

72.

Wang, X., Reiter, M.K.: Defending against denial-of-service attacks with puzzle auctions. In: Proceedings of the 2003 Symposium on Security and Privacy, 2003, pp. 78–92. IEEE (2003)

73.

Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: improving SSH-style host authentication with multi-path probing. In: USENIX annual technical conference, pp. 321–334. static.usenix.org (2008)

74.

Yadron, D.: Syrian Electronic Army’s Alleged Attacks Expose Soft Spot. http://online.wsj.com/news/articles/SB10001424127887324009304579040900023429122 (2013)

Title: OnionDNS: a seizure-resistant top-level domain
Authors: Nolen Scaife
Henry Carter
Lyrissa Lidsky
Rachael L. Jones
Patrick Traynor
Publication date: 24-10-2017
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 6/2018
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-017-0391-z

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 6/2018

Comparing apples with apples: performance analysis of lattice-based authenticated key exchange protocols

Talos: no more ransomware victims with formal methods

Optimization algorithm for k-anonymization of datasets with low information loss

A framework for estimating information security risk assessment method completeness

DomainProfiler: toward accurate and early discovery of domain names abused in future

Optimal noise functions for location privacy on continuous regions

Premium Partner