A Novel Zone-Walking Protection for Secure DNS Server


Arnob Paul, Hasanul Islam, Shohrab Hossain, Husnu S. Narman
DOI: 10.4018/IJITN.312235

Abstract

A zone walking attack attempts to enumerate all existing domain information from a secured DNS server. The NSEC3 protocol was proposed to defend against zone walking attacks in a secured DNS server, although NSEC3 uses more CPU time. In this paper, the authors propose two novel solutions to defend against the zone walking attack while addressing the efficiency issue of the secure DNS protocol. They have simulated the proposed solution and analyzed it under different scenarios of the secure DNS server and attackers. The experimental results show that the proposed solution, Low Profiling, can be effective against zone walking attacks up to certain server-side and client-side parameter values. The work can help researchers understand how a new approach in the DNSSEC server can defend against zone walking attacks.

1. Introduction

Initially, the Internet was designed for a limited set of users and with no security in mind. However, the number of Internet users has increased very rapidly. Many cyber attackers have entered the world of the Internet and focused on security flaws in various networking protocols, exploiting them.

DNS servers are used to look up the IP address that corresponds to a name. Thus, the DNS server can provide the corresponding IP address for a domain name. However, plain DNS is not secured: a spoofed DNS server might provide a fake or malicious IP address for a requested domain name, thereby redirecting a client to a malicious website. To address this problem, DNSSEC (Rose, Larson, Massey, Austein, & Arends, DNS Security Introduction and Requirements, 2005) has been proposed, in which the domain name and its IP address (along with HTTPS capability information) are mapped in a secured fashion. Currently, DNSSEC is roughly above 80% implemented. DNSSEC has an NSEC sub-protocol (Arends, Sisson, Blacka, & Laurie, 2008; Weiler & Blacka, 2013) to securely convey the non-existence of domain names. Nevertheless, NSEC is vulnerable to zone walking attacks.

A zone walking attack is a kind of privacy invasion into the DNS records: the attacker attempts to obtain all existing domain information from the DNSSEC server. The fetched information might contain domain names and their detailed records. To prevent zone walking attacks, the NSEC3 protocol (Arends, Sisson, Blacka, & Laurie, 2008; Weiler & Blacka, 2013) has been proposed and implemented in DNSSEC. However, NSEC3 is comparatively slower than NSEC.

The existing solution, NSEC3, requires domain name hashing in DNSSEC servers (Arends, Sisson, Blacka, & Laurie, 2008; Weiler & Blacka, 2013). With NSEC3, the zone walking attack is not possible, because an intruder cannot reverse the received hashed values back into domain names. However, since domain name hashing is mandatory for NSEC3, it uses more CPU time in DNSSEC servers.
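To make the difference between NSEC and NSEC3 denial of existence concrete, the following added example (not the paper's code, and not part of the authors' simulator) builds both chains over a constructed five-name toy zone. It shows what an NXDOMAIN answer discloses in each case (two plaintext neighbours versus two neighbouring hashes) and measures the per-name hashing cost that NSEC3 imposes on the server. The hash follows RFC 5155 section 5 (SHA-1, salt, iteration count, base32hex output); the canonical ordering is a simplified form of RFC 4034 that is adequate for ASCII labels within one zone. The zone contents, salt and timing loop are assumptions made for the example.

```python
# Added example (not the paper's code): NSEC versus NSEC3 denial of existence
# over a constructed toy zone, plus the RFC 5155 hash that NSEC3 servers pay for.
import base64
import bisect
import hashlib
import time

# Constructed sample zone; apex first, children in no particular order.
ZONE_NAMES = ["example.", "ns1.example.", "www.example.", "mail.example.", "dev.example."]

# RFC 5155 encodes hashes in base32hex (RFC 4648); Python's base64.b32encode
# uses the standard alphabet, so translate it.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def _labels(name: str) -> list:
    return [l for l in name.lower().rstrip(".").split(".") if l]


def canonical_key(name: str) -> tuple:
    """Simplified RFC 4034 canonical ordering: compare labels right to left, case-folded.
    Adequate for this toy zone (ASCII labels, single zone)."""
    return tuple(reversed(_labels(name)))


def name_to_wire(name: str) -> bytes:
    """Uncompressed, lower-cased wire-format owner name (length-prefixed labels, root byte)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name)) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5 with SHA-1:
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def _covering(chain: list, qkey) -> tuple:
    """Entries of the sorted chain immediately before and after qkey (qkey assumed absent).
    The chain wraps: the last owner points back to the first."""
    i = bisect.bisect_left(chain, qkey)
    prev = chain[i - 1] if i > 0 else chain[-1]
    nxt = chain[i] if i < len(chain) else chain[0]
    return prev, nxt


def nsec_denial(qname: str) -> tuple:
    """NSEC: the denial names the two plaintext neighbours of the missing name."""
    keys = sorted(canonical_key(n) for n in ZONE_NAMES)
    prev_key, next_key = _covering(keys, canonical_key(qname))
    to_name = {canonical_key(n): n for n in ZONE_NAMES}
    return to_name[prev_key], to_name[next_key]


def nsec3_denial(qname: str, salt: bytes, iterations: int) -> tuple:
    """NSEC3: the denial names the two neighbouring hashes; building the chain costs
    (iterations + 1) SHA-1 calls per owner name, plus the same again for the query name."""
    chain = sorted(nsec3_hash(n, salt, iterations) for n in ZONE_NAMES)
    return _covering(chain, nsec3_hash(qname, salt, iterations))


def hashing_seconds(iterations: int, repeat: int = 200) -> float:
    """Wall-clock cost of hashing the whole zone `repeat` times; grows with the iteration count."""
    start = time.perf_counter()
    for _ in range(repeat):
        for n in ZONE_NAMES:
            nsec3_hash(n, b"\xaa\xbb\xcc\xdd", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    print("NSEC  denial for nope.example.:", nsec_denial("nope.example."))
    print("NSEC3 denial for nope.example.:", nsec3_denial("nope.example.", b"\xaa\xbb\xcc\xdd", 12))
    for it in (0, 10, 100):
        print(f"iterations={it:3d}: {hashing_seconds(it):.4f}s for {200 * len(ZONE_NAMES)} names")
```

Running the script prints the plaintext neighbour pair that NSEC returns, the hash pair that NSEC3 returns for the same query, and timings that rise roughly linearly with the iteration count, which is the CPU overhead the paper sets out to avoid.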

In this paper, we address the efficiency issue of NSEC3 in existing DNSSEC servers that defend against zone walking attacks. To the best of our knowledge, no previous work attempts to improve the performance of the NSEC3 approach. This is the novelty of our approach.

Our proposed mechanism can be utilized in DNSSEC servers to prevent zone walking attacks. Our solution, Low Profiling, can be a better alternative to NSEC3 in DNSSEC servers because it does not use any domain name hashing; instead, it profiles clients to detect suspicious ones.

To analyze our proposed solution, we have simulated a simplified DNSSEC server using Java programming language. The zone walking attack was also simulated (Paul, 2018). Then, we have changed both server-side (e.g., Server Tolerance) and client-side (e.g., Attack Noise) parameters to analyze different scenarios of the DNSSEC server and attackers. Then, we have carefully plotted (i.e., considering experimental error) several graphs for these scenarios.
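The preview describes Low Profiling only at the level of "profile clients to detect suspicious ones" and names a server-side parameter, Server Tolerance; the actual algorithm is in Section IV, which is not included here. The following added example is therefore a hypothetical profiler of my own, not the paper's method: it tracks what fraction of the NSEC chain each client has been shown through NXDOMAIN answers and flags a client once that fraction exceeds a tolerance. The response log is constructed, the client addresses are documentation-range placeholders, and the reading of "tolerance" as a fraction of the chain is an assumption. It also shows the effect the abstract mentions, namely that a sufficiently permissive tolerance never flags anyone.

```python
# Added example (hypothetical, not the paper's Low Profiling algorithm): a per-client
# profiler that flags a resolver whose NXDOMAIN answers have disclosed more of the
# NSEC chain than a server-side tolerance allows.
from collections import defaultdict


class ClientProfiler:
    """Track the fraction of NSEC intervals each client has been shown.

    zone_size: number of NSEC intervals in the chain (one per owner name).
    tolerance: fraction of the chain a single client may see before being flagged;
               this stands in for the paper's "Server Tolerance" (my reading, not
               the paper's definition).
    """

    def __init__(self, zone_size: int, tolerance: float):
        self.zone_size = zone_size
        self.tolerance = tolerance
        self.intervals = defaultdict(set)   # client -> set of (prev, next) intervals disclosed
        self.queries = defaultdict(int)     # client -> total queries seen
        self.flagged = set()

    def coverage(self, client: str) -> float:
        return len(self.intervals[client]) / self.zone_size

    def observe(self, client: str, rcode: str, interval=None) -> bool:
        """Record one response; return True if the client is (now) flagged."""
        self.queries[client] += 1
        if rcode == "NXDOMAIN" and interval is not None:
            self.intervals[client].add(interval)
        if self.coverage(client) > self.tolerance:
            self.flagged.add(client)
        return client in self.flagged


# Constructed response log: (client, rcode, NSEC interval returned on NXDOMAIN).
# 198.51.100.7 behaves like an ordinary resolver (one typo); 203.0.113.9 keeps
# receiving different intervals, which is the server-side signature of a chain walk.
RESPONSE_LOG = [
    ("198.51.100.7", "NOERROR", None),
    ("198.51.100.7", "NXDOMAIN", ("mail.example.", "ns1.example.")),
    ("198.51.100.7", "NOERROR", None),
    ("203.0.113.9", "NXDOMAIN", ("example.", "dev.example.")),
    ("203.0.113.9", "NXDOMAIN", ("dev.example.", "mail.example.")),
    ("203.0.113.9", "NXDOMAIN", ("mail.example.", "ns1.example.")),
    ("203.0.113.9", "NXDOMAIN", ("ns1.example.", "www.example.")),
    ("203.0.113.9", "NXDOMAIN", ("www.example.", "example.")),
]


def run_profiler(log, zone_size: int, tolerance: float):
    """Replay a response log; return (flagged clients, first log index at which each
    client was flagged, final coverage per client)."""
    prof = ClientProfiler(zone_size, tolerance)
    first_flag = {}
    for idx, (client, rcode, interval) in enumerate(log):
        if prof.observe(client, rcode, interval) and client not in first_flag:
            first_flag[client] = idx
    coverage = {c: prof.coverage(c) for c in prof.queries}
    return prof.flagged, first_flag, coverage


if __name__ == "__main__":
    for tol in (0.5, 1.0):
        flagged, first, cov = run_profiler(RESPONSE_LOG, zone_size=5, tolerance=tol)
        print(f"tolerance={tol}: flagged={sorted(flagged)} first_flag={first} coverage={cov}")
```

With a tolerance of 0.5 the second client is flagged at its third distinct interval (log index 5), while the ordinary resolver's single typo stays well below the threshold; with a tolerance of 1.0 nothing is ever flagged, which is the kind of parameter boundary the paper's experiments explore. What the server does with a flagged client is a policy decision the preview does not specify, so the profiler only reports.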

The results of our experiment show that our solution Low Profiling can be effective against zone walking attacks up to specific server-side and client-side parameter values. Therefore, we have established the usefulness of our proposed solution against the zone walking attack. Our work can help researchers understand how a new approach in the DNSSEC server can defend against the zone walking attack. It can also be useful for understanding how different approaches of the DNSSEC server (i.e., server parameters) perform against zone walking attacks of different strengths (i.e., Attack Noise), and how effective the DNSSEC server's approach is. In the future, a variant of our proposed defensive approach can be built upon the experiment's results.

The rest of the paper is organized as follows. In Section II, we have described related terminologies to the DNS system. In Section III, we have described our two proposed approaches: dividing list and Low Profiling. In Section IV, we have described the algorithm and the simulation setup of the Low Profiling experiment. In Section V, we have analyzed the results of our experiment. Finally, Section VI has the concluding remarks.
