Towards Security of Internet Naming Infrastructure

  • Haya ShulmanEmail author
  • Michael Waidner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9326)


We study the operational characteristics of the server-side of the Internet’s naming infrastructure. Our findings discover common architectures whereby name servers are ‘hidden’ behind server-side caching DNS resolvers. We explore the extent and the scope of the name servers that use server-side caching resolvers, and find such configurations in at least \(38\,\%\) of the domains in a forward DNS tree, and higher percents of the domains in a reverse DNS tree. We characterise the operators of the server-side caching resolvers and provide motivations, explaining their prevalence.

Our experimental evaluation indicates that the caching infrastructures are typically run by third parties, and that the services, provided by the third parties, often do not deploy best practices, resulting in misconfigurations, vulnerabilities and degraded performance of the DNS servers in popular domains.



This research was supported by the German Federal Ministry of Education and Research (BMBF) within EC SPRIDE, by the Hessian LOEWE excellence initiative within CASED, and co-funded by the DFG as part of the CRC 1119 CROSSING.

Supplementary material


  1. 1.
    Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou II, N., Dagon, D.: Detecting malware domains at the upper dns hierarchy. In: USENIX Security Symposium, p. 16 (2011)Google Scholar
  2. 2.
    Canali, D., Balzarotti, D., et al.: Behind the scenes of online attacks: an analysis of exploitation behaviors on the web. In: Proceedings of the 20th Annual Network & Distributed System Security Symposium (2013)Google Scholar
  3. 3.
    Chen, Y., Antonakakis, M., Perdisci, R., Nadji, Y., Dagon, D., Lee, W.: DNS noise: measuring the pervasiveness of disposable domains in modern DNS traffic (2014)Google Scholar
  4. 4.
    Feamster, N.: Outsourcing home network security. In: Proceedings of the 2010 ACM SIGCOMM Workshop on Home Networks, pp. 37–42. ACM (2010)Google Scholar
  5. 5.
    Gao, H., Yegneswaran, V., Chen, Y., Porras, P., Ghosh, S., Jiang, J., Duan, H.: An empirical reexamination of global dns behavior. In: Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM, pp. 267–278. ACM (2013)CrossRefGoogle Scholar
  6. 6.
    Gersch, J., Massey, D.: Rover: Route origin verification using DNS. In: 2013 22nd International Conference on Computer Communications and Networks (ICCCN), pp. 1–9. IEEE (2013)Google Scholar
  7. 7.
    Gudmundsson, O., Crocker, S.D.: Observing DNSSEC Validation in the Wild. In: SATIN, March 2011Google Scholar
  8. 8.
    Herzberg, A.: DNS-based email sender authentication mechanisms: a critical review. Comput. Secur. 28(8), 731–742 (2009)CrossRefGoogle Scholar
  9. 9.
    Herzberg, A., Shulman, H.: Security of patched DNS. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 271–288. Springer, Heidelberg (2012). Scholar
  10. 10.
    Herzberg, A., Shulman, H.: DNSSEC: interoperability challenges and transition mechanisms. In: Eighth International Conference on Availability, Reliability and Security (ARES), 2013, Regensburg, Germany, pp. 398–405. IEEE (2013)Google Scholar
  11. 11.
    Herzberg, A., Shulman, H.: Fragmentation Considered Poisonous: or In: IEEE CNS 2013. The Conference on Communications and Network Security. Washington, IEEE (2013)Google Scholar
  12. 12.
    Herzberg, A., Shulman, H.: Socket overloading for fun and cache poisoning. In: Payne Jr., C.N. (ed.) ACM Annual Computer Security Applications Conference (ACM ACSAC), New Orleans, Louisiana, U.S., December 2013Google Scholar
  13. 13.
    Herzberg, A., Shulman, H.: Vulnerable delegation of DNS resolution. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 219–236. Springer, Heidelberg (2013). Scholar
  14. 14.
    Herzberg, A., Shulman, H.: Retrofitting security into network protocols: the case of DNSSEC. IEEE Internet Compu. 18(1), 66–71 (2014)CrossRefGoogle Scholar
  15. 15.
    Kaminsky, D.: It’s the end of the cache as we know it. In: Black Hat Conference, August 2008.
  16. 16.
    Kleiman, S.R.: Apparatus and method for interrupt handling in a multi-threaded operating system kernel, US Patent 5,515,538, 7 May 1996Google Scholar
  17. 17.
    Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? reducing the impact of amplification DDoS attacks. In: Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 111–125 (2014)Google Scholar
  18. 18.
    Lian, W., Rescorla, E., Shacham, H., Savage, S.: Measuring the practical impact of DNSSEC Deployment. In: Proceedings of USENIX Security (2013)Google Scholar
  19. 19.
    Ramakrishnan, K.: Performance considerations in designing network interfaces. IEEE J. Sel. Areas Commun. 11(2), 203–219 (1993)CrossRefGoogle Scholar
  20. 20.
    Ramasubramanian, V., Sirer, E.: Perils of transitive trust in the domain name system. In: Proceedings of the 5th ACM SIGCOMM Conference on Internet Measurement, pp. 35–35. USENIX Association (2005)Google Scholar
  21. 21.
    Rayburn, D.: CDN market getting crowded: Now tracking 28 providers in the industry. Bus. Online Video Blog (2007)Google Scholar
  22. 22.
    Rossow, C.: Amplification hell: Revisiting network protocols for ddos abuse (2014)Google Scholar
  23. 23.
    Salah, K., El-Badawi, K., Haidari, F.: Performance analysis and comparison of interrupt-handling schemes in gigabit networks. Comput. Commun. 30(17), 3425–3441 (2007)CrossRefGoogle Scholar
  24. 24.
    Schomp, K., Callahan, T., Rabinovich, M., Allman, M.: On measuring the client-side DNS infrastructure. In: Proceedings of the 2013 Conference on Internet Measurement Conference, pp. 77–90. ACM (2013)Google Scholar
  25. 25.
    Shulman, H.: Pretty bad privacy: pitfalls of DNS encryption. In: Proceedings of the 13th Annual ACM Workshop on Privacy in the Electronic Society, WPES 2014, pp. 191–200 (2014). IETF/IRTF Applied Networking Research AwardGoogle Scholar
  26. 26.
    Shulman, H., Ezra, S.: Poster: On the resilience of DNS infrastructure. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1499–1501. ACM (2014)Google Scholar
  27. 27.
    Shulman, Haya, Waidner, Michael: Fragmentation considered leaking: port inference for DNS poisoning. In: Boureanu, Ioana, Owesarski, Philippe, Vaudenay, Serge (eds.) ACNS 2014. LNCS, vol. 8479, pp. 531–548. Springer, Heidelberg (2014) Google Scholar
  28. 28.
    Stewart, J.: DNS cache poisoning-the next generation (2003)Google Scholar
  29. 29.
    Wouters, P.: Using DANE to Associate OpenPGP public keys with email addresses (2014).
  30. 30.
    Yang, H., Osterweil, E., Massey, D., Lu, S., Zhang, L.: Deploying cryptography in internet-scale systems: A case study on dnssec. IEEE Trans. Dependable Secure Comput. 8(5), 656–669 (2011)CrossRefGoogle Scholar
  31. 31.
    Yu, Y., Wessels, D., Larson, M., Zhang, L.: Authority server selection of DNS caching resolvers. ACM SIGCOMM Comput. Commun. Rev. 42, 80–86 (2012)CrossRefGoogle Scholar
  32. 32.
    Zhang, J., Durumeric, Z., Bailey, M., Liu, M., Karir, M.: On the mismanagement and maliciousness of networks. In: Proceedings of the 21st Annual Network & Distributed System Security Symposium (NDSS 2014), San Diego, California, USA (2014, to appear)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License (, which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  1. 1.Fraunhofer Institute for Secure Information Technology (SIT)Technische Universität DarmstadtDarmstadtGermany
  2. 2.Fachbereich InformatikTechnische Universität DarmstadtDarmstadtGermany

Personalised recommendations