
A Large-Scale Behavioral Analysis of the Open DNS Resolvers on the Internet

Published: 26 August 2021

Abstract

Open DNS resolvers are resolvers that perform recursive resolution on behalf of any user. They can be exploited by adversaries because they are open to the public and require no authorization to use. Therefore, it is important to understand the state of open resolvers to gauge their potentially negative impact on the security and stability of the Internet. In this study, we comprehensively probed the entire IPv4 address space and found that more than 3 million IP addresses of open resolvers still exist in the wild. Moreover, we found that many of them work in a way that deviates from the standard. More importantly, we found that many open resolvers answer queries with incorrect, even malicious, responses. In contrast to results obtained in 2013, we found that while the number of open resolvers has decreased significantly, the number of resolvers providing incorrect responses is almost the same, and the number of open resolvers providing malicious responses has increased, highlighting the prevalence of their threat. Through an extended analysis, we also empirically show the use of forwarders in the open resolver ecosystem and the possibility that incorrect or malicious responses can be manipulated by these forwarders.

Cited By

  • (2024) From Fingerprint to Footprint: Characterizing the Dependencies in Encrypted DNS Infrastructures. Computer Security – ESORICS 2024. DOI: 10.1007/978-3-031-70890-9_3 (45-64). Online publication date: 16-Sep-2024
  • (2024) Swamp of Reflectors: Investigating the Ecosystem of Open DNS Resolvers. Passive and Active Measurement. DOI: 10.1007/978-3-031-56252-5_1 (3-18). Online publication date: 11-Mar-2024
  • (2022) Large-scale empirical evaluation of DNS and SSDP amplification attacks. Journal of Information Security and Applications. DOI: 10.1016/j.jisa.2022.103168, 66:C. Online publication date: 1-May-2022

Published In

IEEE/ACM Transactions on Networking, Volume 30, Issue 1
Feb. 2022
473 pages

Publisher

IEEE Press
