Top

Published in:

2019 | OriginalPaper | Chapter

Security in Plain TXT

Observing the Use of DNS TXT Records in the Wild

Authors : Adam Portier, Henry Carter, Charles Lever

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The Domain Name System is a critical piece of infrastructure that has expanded into use cases beyond its original intent. DNS TXT records are intentionally very permissive in what information can be stored there, and as a result are often used in broad and undocumented ways to support Internet security and networked applications. In this paper, we identified and categorized the patterns in TXT record use from a representative collection of resource record sets. We obtained the records from a data set containing 1.4 billion TXT records collected over a 2 year period and used pattern matching to identify record use cases present across multiple domains. We found that 92% of these records generally fall into 3 categories; protocol enhancement, domain verification, and resource location. While some of these records are required to remain public, we discovered many examples that unnecessarily reveal domain information or present other security threats (e.g., amplification attacks) in conflict with best practices in security.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Large-Scale Analysis of Infrastructure-Leaking DNS Servers

next chapter No Need to Marry to Change Your Name! Attacking Profinet IO Automation Networks Using DCP

Agar, R.J.M.: The domain name system (DNS): security challenges and improvements. Royal Holloway, University of London, Technical report (2010)

Agten, P., Joosen, W., Piessens, F., Nikiforakis, N.: Seven months’ worth of mistakes: a longitudinal study of typosquatting abuse. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2015)

Akamai: Security bulletin: Crafted DNS text attack (2014). https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/dns-txt-amplification-attacks-cybersecurity-threat-advisory.pdf

Allman, E., Callas, J., Delany, M., Libbey, M., Fenton, J., Thomas, M.: Domainkeys identified mail (DKIM) signatures. RFC 4871, RFC Editor (2007). http://www.rfc-editor.org/rfc/rfc4871.txt

Alrwais, S.A., Yuan, K., Alowaisheq, E., Li, Z., Wang, X.: Understanding the dark side of domain parking. In: USENIX Security Symposium (2014)

Amann, J., Gasser, O., Brent, L., Carle, G., Holz, R.: Mission accomplished? HTTPS security after DigiNotar. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2017)

Barnes, R., Hoffman-Andrews, J., McCarney, D., Kasten, J.: Draft: automatic certificate management environment (ACME) (2019). https://www.ietf.org/id/draft-ietf-acme-acme-18.txt

Bellis, R.: DNS transport over TCP - implementation requirements. RFC 5966, RFC Editor (2010). http://www.rfc-editor.org/rfc/rfc5966.txt

Borgolte, K., Fiebig, T., Hao, S., Kruegel, C., Vigna, G.: Cloud strife: mitigating the security risks of domain-validated certificates. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2018)

10.

Brandt, M., Dai, T., Klein, A., Shulman, H., Waidner, M.: Domain validation++ for MitM-resilient PKI. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2018)

11.

Bushart, J., Rossow, C.: DNS unchained: amplified application-layer DoS attacks against DNS authoritatives. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 139–160. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_7CrossRef

12.

Chung, T., et al.: A longitudinal, end-to-end view of the DNSSEC ecosystem. In: USENIX Security Symposium (2017)

13.

Chung, T., van Rijswijk-Deij, R., Choffnes, D., Levin, D., Maggs, B.M., Mislove, A., Wilson, C.: Understanding the role of registrars in DNSSEC deployment. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2017)

14.

Cisco: Cisco umbrella populatiry list, 26 September 2017. http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m-TLD-2017-09-26.csv.zip

15.

Dagon, D., Provos, N., Lee, C.P., Lee, W.: Corrupted DNS resolution paths: the rise of a malicious resolution authority. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2008)

16.

Dietrich, C., Krombholz, K., Borgolte, K., Fiebig, T.: Investigating system operators’ perspective on security misconfigurations. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2018)

17.

Dinaburg, A.: Bitsquatting: DNS hijacking without exploitation. In: Proceedings of BlackHat Security (2011)

18.

DMARC.org: Dmarc overview. https://dmarc.org/overview/

19.

Durumeric, Z., Adrian, D., Mirian, A., Kasten, J.: Neither snow nor rain nor MITM... an empirical analysis of mail delivery security. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2015)

20.

Foster, I.D., Larson, J., Masich, M., Snoeren, A.C., Savage, S., Levchenko, K.: Security by any other name: on the effectiveness of provider based email security. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2015)

21.

Görling, S.: An overview of the sender policy framework (SPF) as an anti-phishing mechanism. Internet Res. 17(2), 169–179 (2007)CrossRef

22.

Herzberg, A., Shulman, H.: DNSSEC: security and availability challenges. In: IEEE Conference on Communications and Network Security (CNS), pp. 365–366. IEEE (2013)

23.

Hu, H., Wang, G.: End-to-end measurements of email spoofing attacks. In: USENIX Security Symposium (2018)

24.

Kaminsky, D.: Black ops 2008: it’s the end of the cache as we know it. Black Hat USA (2008)

25.

Kintis, P., et al.: Hiding in plain sight: a longitudinal study of combosquatting abuse. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2017)

26.

Kountouras, A., et al.: Enabling network security through active DNS datasets. In: Proceedings of the International Symposium on Research in Attacks, Intrusions, and Defenses (RAID) (2016)CrossRef

27.

Le, T., Van Rijswijk-Deij, R., Allodi, L., Zannone, N.: Economic incentives on DNSSEC deployment: time to move from quantity to quality. In: IEEE/IFIP Network Operations and Management Symposium (NOMS) (2018)

28.

Lever, C., Walls, R., Nadji, Y., Dagon, D., McDaniel, P., Antonakakis, M.: Domain-z: 28 registrations later measuring the exploitation of residual trust in domains. In: IEEE Symposium on Security and Privacy (SP) (2016)

29.

Lyon, J., Wong, M.: Sender id: authenticating e-mail. internet engineering task force (IETF). RFC 4406, RFC Editor (2006). http://www.rfc-editor.org/rfc/rfc4406.txt

30.

M. Kucherawy, E., E. Zwicky, E.: Domain-based message authentication, reporting, and conformance (DMARC). RFC 7489, RFC Editor (2015). http://www.rfc-editor.org/rfc/rfc7489.txt

31.

MacFarland, D.C., Shue, C.A., Kalafut, A.J.: Characterizing optimal DNS amplification attacks and effective mitigation. In: Mirkovic, J., Liu, Y. (eds.) PAM 2015. LNCS, vol. 8995, pp. 15–27. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15509-8_2CrossRef

32.

Mockapetris, P.: Domain names - implementation and specification. RFC 1035, RFC Editor (1987). http://www.rfc-editor.org/rfc/rfc1035.txt

33.

Neij, F., Norberg, A., Brown, C.: Bep 34: DNS tracker preferences. http://www.bittorrent.org/beps/bep_0034.html

34.

Nikiforakis, N., Balduzzi, M., Desmet, L., Piessens, F., Joosen, W.: Soundsquatting: uncovering the use of homophones in domain squatting. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 291–308. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13257-0_17CrossRef

35.

Nikiforakis, N., Van Acker, S., Meert, W., Desmet, L., Piessens, F., Joosen, W.: Bitsquatting: exploiting bit-flips for fun, or profit? In: Proceedings of the International Conference on World Wide Web (WWW) (2013)

36.

Osterweil, E., Ryan, M., Massey, D., Zhang, L.: Quantifying the operational status of the DNSSEC deployment. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2008)

37.

Pearce, P., et al.: Global measurement of DNS manipulation. In: USENIX Security Symposium (2017)

38.

van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2014)

39.

Scheitle, Q., et al.: A long way to the top: significance, structure, and stability of internet top lists. In: Proceedings of the ACM Internet Measurement Conference (IMC) (2018)

40.

Scheitle, Q., et al.: A first look at certification authority authorization (CAA). ACM SIGCOMM Comput. Commun. Rev. 48(2), 10–23 (2018)CrossRef

41.

Schlitt, W., Wong, M.W.: Sender policy framework (SPF) for authorizing use of domains in e-mail, version 1. RFC 4408, RFC Editor (2006). http://www.rfc-editor.org/rfc/rfc4408.txt

42.

Statuspage: DNS configuration requirements. https://help.statuspage.io/knowledge_base/topics/domain-ownership

43.

Szalachowski, P., Perrig, A.: Short paper: on deployment of DNS-based security enhancements. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 424–433. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_24CrossRef

44.

Telnames Limited:tel (2019). https://www.do.tel/

45.

Wander, M.: Measurement survey of server-side DNSSEC adoption. In: Proceedings of the Network Traffic Measurement and Analysis Conference (TMA) (2017)

46.

Wang, Y.M., Beck, D., Wang, J., Verbowski, C., Daniels, B.: Strider typo-patrol: discovery and analysis of systematic typo-squatting. SRUTI 6, 31–36 (2006)

47.

Weaver, N., Kreibich, C., Paxson, V.: Redirecting DNS for ads and profit. In: USENIX Workshop on Free and Open Communications on the Internet (FOCI) (2011)

48.

Zdrnja, B., Brownlee, N., Wessels, D.: Passive monitoring of DNS anomalies. In: Hämmerli, B.M., Sommer, R. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2007. Lecture Notes in Computer Science, vol. 4579, pp. 129–139. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73614-1_8CrossRef

49.

Zmijewski, E.: Accidentally importing censorship, March 2010. https://dyn.com/blog/fouling-the-global-nest/

Title: Security in Plain TXT
Authors: Adam Portier
Henry Carter
Charles Lever
Publisher: Springer International Publishing
Book: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-030-22037-2

Electronic ISBN: 978-3-030-22038-9

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-22038-9_18

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner