Search Results (34)

Search Parameters:
Keywords = Domain Name System (DNS)

14 pages, 644 KB  
Article
DNS-Sensor: A Sensor-Driven Architecture for Real-Time DNS Cache Poisoning Detection and Mitigation
by Haisheng Yu, Xuebiao Yuchi, Xue Yang, Hongtao Li, Xingxing Yang and Wei Wang
Sensors 2025, 25(22), 6884; https://doi.org/10.3390/s25226884 - 11 Nov 2025
Abstract
The Domain Name System (DNS) is a fundamental component of the Internet, yet its distributed and caching nature makes it susceptible to various attacks, especially cache poisoning. Although the use of random port numbers and transaction IDs has reduced the probability of cache poisoning, recent developments such as DNS Forwarder fragmentation and side-channel attacks have increased the possibility of cache poisoning. To counteract these emerging cache poisoning techniques, this paper proposes the DNS Cache Sensor (DNS-Sensor) system, which operates as a distributed sensor network for DNS security. Like environmental sensors monitoring physical parameters, DNS-Sensor continuously scans DNS cache records, comparing them with authoritative data to detect anomalies with sensor-grade precision. It involves checking whether the DNS cache is consistent with authoritative query results by continuous observation to determine whether cache poisoning has occurred. In the event of cache poisoning, the system switches to a disaster recovery resolution system. To expedite comparison and DNS query speeds and isolate the impact of cache poisoning on the disaster recovery resolution system, this paper uses a local top-level domain authoritative mirror query system. Experimental results demonstrate the accuracy of the DNS-Sensor system in detecting cache poisoning, while the local authoritative mirror query system significantly improves the efficiency of DNS-Sensor. Compared to traditional DNS, the integrated DNS query and DNS-Sensor method and local top-level domain authoritative mirror query system is faster, thus improving DNS performance and security. Full article

27 pages, 1438 KB  
Article
Towards Proactive Domain Name Security: An Adaptive System for .ro domains Reputation Analysis
by Carmen Ionela Rotună, Ioan Ștefan Sacală and Adriana Alexandru
Future Internet 2025, 17(10), 478; https://doi.org/10.3390/fi17100478 - 18 Oct 2025
Viewed by 493
Abstract
In a digital landscape marked by the exponential growth of cyber threats, the development of automated domain reputation systems is extremely important. Emerging technologies such as artificial intelligence and machine learning now enable proactive and scalable approaches to early identification of malicious or suspicious domains. This paper presents an adaptive domain name reputation system that integrates advanced machine learning to enhance cybersecurity resilience. The proposed framework uses domain data from .ro domain Registry and several other sources (blacklists, whitelists, DNS, SSL certificate), detects anomalies using machine learning techniques, and scores domain security risk levels. A supervised XGBoost model is trained and assessed through five-fold stratified cross-validation and a held-out 80/20 split. On an example dataset of 25,000 domains, the system attains accuracy 0.993 and F1 0.993 and is exposed through a lightweight Flask service that performs asynchronous feature collection for near real-time scoring. The contribution is a blueprint that links list supervision with registry/DNS/TLS features and deployable inference to support proactive domain abuse mitigation in ccTLD environments. Full article
(This article belongs to the Special Issue Adversarial Attacks and Cyber Security)

20 pages, 1604 KB  
Article
Rule-Based eXplainable Autoencoder for DNS Tunneling Detection
by Giacomo De Bernardi, Giovanni Battista Gaggero, Fabio Patrone, Sandro Zappatore, Mario Marchese and Maurizio Mongelli
Computers 2025, 14(9), 375; https://doi.org/10.3390/computers14090375 - 8 Sep 2025
Viewed by 710
Abstract
Artificial Intelligence (AI) and Machine Learning (ML) are employed in numerous fields and applications. Even if most of these approaches offer a very good performance, they are affected by the “black-box” problem. The way they operate and make decisions is complex and difficult for human users to interpret, making the systems impossible to manually adjust in case they make trivial (from a human viewpoint) errors. In this paper, we show how a “white-box” approach based on eXplainable AI (XAI) can be applied to the Domain Name System (DNS) tunneling detection problem, a cybersecurity problem already successfully addressed by “black-box” approaches, in order to make the detection explainable. The obtained results show that the proposed solution can achieve a performance comparable to the one offered by an autoencoder-based solution while offering a clear view of how the system makes its choices and the possibility of manual analysis and adjustments. Full article

13 pages, 484 KB  
Article
Encrypted Client Hello Is Coming: A View from Passive Measurements
by Gabriele Merlach, Martino Trevisan and Danilo Giordano
Network 2025, 5(3), 29; https://doi.org/10.3390/network5030029 - 8 Aug 2025
Viewed by 3095
Abstract
The Encrypted Client Hello (ECH) extension to Transport Layer Security (TLS) and the new type of Domain Name System (DNS) records called HTTPS represent the latest efforts to improve user privacy by encrypting the server’s domain name during the TLS handshake. While prior studies have assessed ECH adoption from the server perspective, little is known about its usage in the wild from a passive network standpoint. In this paper, we present the first passive analysis of ECH and HTTPS DNS adoption using a month-long dataset collected from an operational network. We find that HTTPS DNS queries already make up approximately 8% of total DNS traffic, although responses to those queries are often incomplete, leading to increased query volume. Furthermore, 59% of QUIC flows include ECH, although only a negligible fraction is directed to servers supporting it. The remaining ECH flows are composed of GREASE values, intended to prevent protocol ossification. Our findings provide new insights into the current state and challenges in deploying privacy-enhancing protocols at scale. Full article

18 pages, 2840 KB  
Article
A Cross-Chain Solution to Connect Multiple DNS Blockchains in Consensus Roots System
by Linkai Zhu, Shanwen Hu, Zeyu Zhang and Changpu Meng
Appl. Sci. 2025, 15(13), 7422; https://doi.org/10.3390/app15137422 - 2 Jul 2025
Viewed by 1379
Abstract
The Domain Name System (DNS) is a key part of the Internet, and it is used for global domain name resolution. However, it has security risks due to its centralized or semi-centralized design and reliance on a few root servers. To improve DNS security and long-term stability, this study proposes the consensus roots system, a blockchain-based distributed domain architecture. The system uses a 1 + N master-subchain structure to solve the problem of trust and data synchronization across blockchains. The master chain acts as a relay and uses Hyperledger Fabric, a consortium blockchain platform, to support semi-centralized cross-chain communication. Subchains are local blockchains that need to connect with the master chain. To ensure safe and reliable transactions, the system uses a staged-proposal atomic swap method on the master chain. Compared to prior approaches, this work introduces a cross-chain architecture that enables more efficient trust synchronization, reducing latency and improving scalability without compromising security. Full article
(This article belongs to the Special Issue Security and Reliability Assessment for Blockchain)

23 pages, 3404 KB  
Article
Lightweight Anomaly-Based Detection Using Cuckoo Search Algorithm and Decision Tree to Mitigate Man-in-the-Middle Attacks in DNS
by Ramahlapane Lerato Moila and Mthulisi Velempini
Appl. Sci. 2025, 15(9), 5017; https://doi.org/10.3390/app15095017 - 30 Apr 2025
Viewed by 779
Abstract
As technology advances, the services provided by domain servers require new innovative techniques that can be optimized for frequent changes. Man-in-the-Middle (MitM) attacks on Domain Name Servers (DNS) pose a security threat, enabling attackers to intercept, modify, and redirect network traffic to malicious sites or users. This study designed an anomaly-based detection scheme that identifies and mitigates MitM attacks on DNS. The proposed model utilizes machine learning algorithms and statistical analysis techniques to ensure that the analysis of DNS query patterns can efficiently detect anomalies associated with the MitM. By integrating the Cuckoo Search Algorithm, the scheme minimizes false positives while improving the detection rate. The Proposed scheme was evaluated using the Internet of Things Intrusion Detection (IoTID) and Intrusion Detection System (IDS) datasets, achieving a detection accuracy of 99.6% and demonstrating its effectiveness in minimizing the MitM attacks on DNS. Full article

29 pages, 8224 KB  
Article
Detection of Domain Name Server Amplification Distributed Reflection Denial of Service Attacks Using Convolutional Neural Network-Based Image Deep Learning
by Hoon Shin, Jaeyeong Jeong, Kyumin Cho, Jaeil Lee, Ohjin Kwon and Dongkyoo Shin
Electronics 2025, 14(1), 76; https://doi.org/10.3390/electronics14010076 - 27 Dec 2024
Viewed by 2340
Abstract
Domain Name Server (DNS) amplification Distributed Reflection Denial of Service (DRDoS) attacks are a Distributed Denial of Service (DDoS) attack technique in which multiple IT systems forge the original IP of the target system, send a request to the DNS server, and then send a large number of response packets to the target system. In this attack, it is difficult to identify the attacker because of its ability to deceive the source, and unlike TCP-based DDoS attacks, it usually uses the UDP protocol, which has a fast communication speed and amplifies network traffic by simple manipulating options, making it one of the most widely used DDoS techniques. In this study, we propose a simple convolutional neural network (CNN) model that is designed to detect DNS amplification DRDoS attack traffic and has hyperparameters adjusted through experiments. As a result of evaluating the accuracy of the proposed CNN model for detecting DNS amplification DRDoS attacks, the average accuracy of the experiment was 0.9995, which was significantly better than several machine learning (ML) models in terms of performance. It also showed good performance compared to other deep learning (DL) models, and, in particular, it was confirmed that this simple CNN had the fastest time in terms of execution compared to other deep learning models by experimentation. Full article
(This article belongs to the Special Issue Machine Learning and Cybersecurity—Trends and Future Challenges)

18 pages, 689 KB  
Article
Setonix: Blockchain-Based Hierarchy Domain Name System for Web3
by Juseong Jeon and Sejin Park
Appl. Sci. 2024, 14(23), 11213; https://doi.org/10.3390/app142311213 - 2 Dec 2024
Viewed by 1839
Abstract
DNS is an essential component for internet access, but the traditional centralized structure is not suitable for the rapidly growing Web3 ecosystem. Currently, Web3 services rely on Web2-based access paths, revealing limitations such as the Single Point of Failure (SPoF) issue and the compromise of decentralization principles. To address these issues, this paper proposes Setonix, a blockchain-based decentralized DNS. Experimental results of the implemented Setonix showed that it had only a marginal performance difference of up to approximately 5% compared to Google and Cloudflare DNS. Additionally, it demonstrated over 95% lower latency compared to Handshake DNS, proving its high efficiency. Setonix eliminates dependency on centralized access paths and brings the hierarchical address structure of existing domain names into the blockchain network, adhering to legacy systems to minimize user resistance. Additionally, it provides a blockchain-based architecture that supports cross-compatibility between traditional domain names and Web3 domain names through a simple interface. This design significantly enhances the scalability and accessibility of Web3, presenting a new standard for decentralized internet services. By doing so, it helps to establish a foundation that contributes to the growth and innovation of the Web3 ecosystem. Full article

17 pages, 3417 KB  
Article
Data Structure and Management Protocol to Enhance Name Resolving in Named Data Networking
by Manar Aldaoud, Dawood Al-Abri, Medhat Awadalla and Firdous Kausar
Future Internet 2024, 16(4), 118; https://doi.org/10.3390/fi16040118 - 30 Mar 2024
Cited by 1 | Viewed by 2109
Abstract
Named Data Networking (NDN) is a future Internet architecture that requires an Inter-Domain Routing (IDR) to route its traffic globally. Address resolution is a vital component of any IDR system that relies on a Domain Name System (DNS) resolver to translate domain names into their IP addresses in TCP/IP networks. This paper presents a novel two-element solution to enhance name-to-delivery location resolution in NDN networks, consisting of (1) a mapping table data structure and a searching mechanism and (2) a management protocol to automatically populate and modify the mapping table. The proposed solution is implemented and tested on the Peer Name Provider Server (PNPS) mapping table, and its performance is compared with two other algorithms: component and character tries. The findings show a notable enhancement in the operational speed of the mapping table when utilizing the proposed data structure. For instance, the insertion process is 37 times faster compared to previous algorithms. Full article

16 pages, 767 KB  
Article
AGCN-Domain: Detecting Malicious Domains with Graph Convolutional Network and Attention Mechanism
by Xi Luo, Yixin Li, Hongyuan Cheng and Lihua Yin
Mathematics 2024, 12(5), 640; https://doi.org/10.3390/math12050640 - 22 Feb 2024
Cited by 3 | Viewed by 2066
Abstract
Domain Name System (DNS) plays an infrastructure role in providing the directory service for mapping domains to IPs on the Internet. Considering the foundation and openness of DNS, it is not surprising that adversaries register massive domains to enable multiple malicious activities, such as spam, command and control (C&C), malware distribution, click fraud, etc. Therefore, detecting malicious domains is a significant topic in security research. Although a substantial quantity of research has been conducted, previous work has failed to fuse multiple relationship features to uncover the deep underlying relationships between domains, thus largely limiting their level of performance. In this paper, we proposed AGCN-Domain to detect malicious domains by combining various relations. The core concept behind our work is to analyze relations between domains according to their behaviors in multiple perspectives and fuse them intelligently. The AGCN-Domain model utilizes three relationships (client relation, resolution relation, and cname relation) to construct three relationship feature graphs to extract features and intelligently fuse the features extracted from the graphs through an attention mechanism. After the relationship features are extracted from the domain names, they are put into the trained classifier to be processed. Through our experiments, we have demonstrated the performance of our proposed AGCN-Domain model. With 10% initialized labels in the dataset, our AGCN-Domain model achieved an accuracy of 94.27% and the F1 score of 87.93%, significantly outperforming other methods in the comparative experiments. Full article
(This article belongs to the Special Issue Advanced Research on Information System Security and Privacy)

25 pages, 502 KB  
Article
Automated Network Incident Identification through Genetic Algorithm-Driven Feature Selection
by Ahmet Aksoy, Luis Valle and Gorkem Kar
Electronics 2024, 13(2), 293; https://doi.org/10.3390/electronics13020293 - 9 Jan 2024
Cited by 7 | Viewed by 2738
Abstract
The cybersecurity landscape presents daunting challenges, particularly in the face of Denial of Service (DoS) attacks such as DoS Http Unbearable Load King (HULK) attacks and DoS GoldenEye attacks. These malicious tactics are designed to disrupt critical services by overwhelming web servers with malicious requests. In contrast to DoS attacks, there exists nefarious Operating System (OS) scanning, which exploits vulnerabilities in target systems. To provide further context, it is essential to clarify that NMAP, a widely utilized tool for identifying host OSes and vulnerabilities, is not inherently malicious but a dual-use tool with legitimate applications, such as asset inventory services in company networks. Additionally, Domain Name System (DNS) botnets can be incredibly damaging as they harness numerous compromised devices to inundate a target with malicious DNS traffic. This can disrupt online services, leading to downtime, financial losses, and reputational damage. Furthermore, DNS botnets can be used for other malicious activities like data exfiltration, spreading malware, or launching other cyberattacks, making them a versatile tool for cybercriminals. As attackers continually adapt and modify specific attributes to evade detection, our paper introduces an automated detection method that requires no expert input. This innovative approach identifies the distinct characteristics of DNS botnet attacks, DoS HULK attacks, DoS GoldenEye attacks, and OS-Scanning, explicitly using the NMAP tool, even when attackers alter their tactics. By harnessing a representative dataset, our proposed method ensures robust detection of such attacks against varying attack parameters or behavioral shifts. This heightened resilience significantly raises the bar for attackers attempting to conceal their malicious activities. 
Significantly, our approach delivered outstanding outcomes, with a mid 95% accuracy in categorizing NMAP OS scanning and DNS botnet attacks, and 100% for DoS HULK attacks and DoS GoldenEye attacks, proficiently discerning between malevolent and harmless network packets. Our code and the dataset are made publicly available. Full article
(This article belongs to the Special Issue Machine Learning and Cybersecurity—Trends and Future Challenges)

24 pages, 1274 KB  
Article
DNS-BC: Fast, Reliable and Secure Domain Name System Caching System Based on a Consortium Blockchain
by Tianfu Gao and Qingkuan Dong
Sensors 2023, 23(14), 6366; https://doi.org/10.3390/s23146366 - 13 Jul 2023
Cited by 6 | Viewed by 3808
Abstract
The Domain Name System (DNS) is a fundamental component of the internet, responsible for resolving domain names into IP addresses. DNS servers are typically categorized into four types: recursive resolvers, root name servers, Top-Level Domain (TLD) name servers, and authoritative name servers. The latter three types of servers store actual records, while recursive resolvers do not store any real data and are only responsible for querying the other three types of servers and responding to clients. Recursive resolvers typically maintain a caching system to speed up response times, but these caching systems have the drawbacks of a low real-time performance, a poor accuracy, and many security and privacy issues. In this paper, we propose a caching system based on a consortium blockchain, namely DNS-BC, which uses the synchronization mechanism of the consortium blockchain to achieve a high real-time performance, uses the immutable mechanism of the consortium blockchain and our designed credibility management system to achieve up to a 100% accuracy, and has been combined with encrypted transmission protocols to solve common security and privacy issues. At the same time, this caching system can greatly reduce the traffic that name servers need to handle, thereby protecting them from Denial-of-Service (DoS) attacks. To further accelerate the data transmission speed, we have designed a new encrypted DNS protocol called DNS over KCP (DoK). The DoK protocol is based on the KCP protocol, which is a fast and reliable transmission protocol, and its latency can reach one-third of that of TCP when the network environment deteriorates. In our experiments, the transmission time of this protocol is about a quarter of that of the widely used encrypted protocols DNS over TLS (DoT) and DNS over HTTPS (DoH). Full article
(This article belongs to the Special Issue Sensor Networks Security, Privacy and Forensics)

20 pages, 786 KB  
Article
The Reality of Internet Infrastructure and Services Defacement: A Second Look at Characterizing Web-Based Vulnerabilities
by Neaimh Albalawi, Norah Alamrani, Rasha Aloufi, Mariam Albalawi, Amer Aljaedi and Adel R. Alharbi
Electronics 2023, 12(12), 2664; https://doi.org/10.3390/electronics12122664 - 14 Jun 2023
Cited by 3 | Viewed by 3153
Abstract
In recent years, the number of people using the Internet has increased worldwide, and the use of web applications in many areas of daily life, such as education, healthcare, finance, and entertainment, has also increased. On the other hand, there has been an increase in the number of web application security issues that directly compromise the confidentiality, availability, and integrity of data. One of the most widespread web problems is defacement. In this research, we focus on the vulnerabilities detected on the websites previously exploited and distorted by attackers, and we show the vulnerabilities discovered by the most popular scanning tools, such as OWASP ZAP, Burp Suite, and Nikto, depending on the risk from the highest to the lowest. First, we scan 1000 URLs of defaced websites by using three web application assessment tools (OWASP ZAP, Burp Suite, and Nikto) to detect vulnerabilities which should be taken care of and avoided when building and structuring websites. Then, we compare these tools based on their performance, scanning time, the names and number of vulnerabilities, and the severity of their impact (high, medium, low). Our results show that Burp Suite Professional has the highest number of vulnerabilities, while Nikto has the highest scanning speed. Additionally, the OWASP ZAP tool is shown to have medium- and low-level alerts, but no high-level alerts. Moreover, we detail the best and worst uses of these tools. Furthermore, we discuss the concept of Domain Name System (DNS), how it can be attacked in the most common ways, such as poisoning, DDOS, and DOS, and link it to our topic on the basis of the importance of its infrastructure and how it can be the cause of hacking and distorting sites. Moreover, we introduce the tools used for DNS monitoring. Finally, we give recommendations about the importance of security in the community and for programmers and application developers. 
Some of them do not have enough knowledge about security, which allow vulnerabilities to occur. Full article

13 pages, 2226 KB  
Article
Research on the Construction of High-Trust Root Zone File Based on Multi-Source Data Verification
by Chao Li, Jiagui Xie, Yanan Cheng, Zhaoxin Zhang, Jian Chen, Haochuan Wang and Hanyu Tao
Electronics 2023, 12(10), 2264; https://doi.org/10.3390/electronics12102264 - 16 May 2023
Cited by 1 | Viewed by 2072
Abstract
The root zone is located at the top level of the DNS system’s hierarchical structure and serves as the entry point for all domain name resolutions. The accuracy of the root zone file determines whether domain names can be resolved correctly. To solve the problems of single-source distrust and inaccurate data in the use of root zone files, this paper utilizes multi-source root zone files to build an accurate, real-time, and highly trustworthy root zone file through the validation of data accuracy and integrity. First, we propose a weighted voting statistical verification method. We select top-level domain name records with the highest confidence from the multi-source root zone data, thereby improving data accuracy. Second, through a dynamic cyclic construction process, we achieve dynamic monitoring of root zone file version changes, effectively ensuring the real-time nature of root zone data. Finally, we adopt a DNSSEC verification mechanism to address the issue of unreliable transmission paths for actively probed root zone data, ensuring data integrity by verifying the signed top-level domain name records and their ZSK, KSK keys. In addition, through the analysis of experimental data, we find that the main reason for the inaccuracy and unreliability of the root zone file is the delay in updating and synchronizing the file. We also discover the presence of redundant KSK keys in some of the source root zone data, which led to failure in the DNSSEC validation chain. The high-trust root zone file constructed in this paper provides data support for research on the root-side resolution anomaly detection and localization application of root zone files and has wide-ranging practical value. Full article

32 pages, 652 KB  
Article
DNS for IoT: A Survey
by Ibrahim Ayoub, Sandoche Balakrichenan, Kinda Khawam and Benoît Ampeau
Sensors 2023, 23(9), 4473; https://doi.org/10.3390/s23094473 - 4 May 2023
Cited by 10 | Viewed by 6294
Abstract
The Internet of Things (IoT) is paving the way to becoming necessary in numerous aspects of people’s lives. IoT is becoming integrated in many domains, such as medical, industrial, and personal. Recent years have witnessed the creation of many IoT technologies that differ not only in their applications and use cases but also in standards. The absence of universally accepted standards and the variety of technologies are only some challenges the IoT market faces. Other challenges include the constrained nature of most IoT devices, the diverse identification schemes, the inadequate security mechanisms, and the lack of interoperability between different technologies. The Domain Name System (DNS) persisted throughout the years as the Internet’s naming service and accumulated more trust from users with the introduction of its security extensions. DNS could be utilized to address some of the challenges the IoT market faces. However, using DNS for IoT applications might jeopardize DNS infrastructure. In this survey, we study the coexistence of DNS and IoT. We define IoT, present its architecture and discuss its main challenges. We then introduce DNS and its function; we discuss its security and privacy drawbacks and the extensions standardized to address them. We further discuss the uses of DNS in IoT environments to address some of IoT’s challenges and the impact these uses might have on DNS. Full article