Analysis of main attacks on DNS-server and methods of use DNSSEC for protection DNS-server
DOI:
https://doi.org/10.15587/2312-8372.2013.12951Keywords:
DNS-server, DNSSEC, domain, encryption, digital signature, attacks, survival capabilityAbstract
A detailed analysis of survival capability of DNS-servers were realized. The principle of operation DNSSEC and basic attacks that are implemented on the DNS-server were describe. Testing protection of DNS-server conducted through the organization of various kinds of attacks with a standard DNS-server protection and protection system DNSSEC, which has been additionally installed. Organization MITM-attacks was carried out; spoofing of DNS packet ID field was conducted; the attacks were conducted, when the name resolution requests were addressed to the cracker’s DNS-server. The methods, that were used when attacking the standard DNS-server, proved unsuccessful during the attacks on the server which deployed DNSSEC. In analyzing the attack, it was found that DNSSEC can compete with DNS survival capability as "cache poisoning" or "man in the middle". The analysis of influence of DNSSEC introduction on efficiency and the network load were realized. It was revealed that the introduction of DNSSEC increases the amount of transmitted data, the load on the memory, CPU and bandwidth of the servers by 20%, but this value is not critical.References
- Мамаев, М. А. Технологии защиты информации в Интернете [Текст] / М. А. Мамаев, С. К. Петренко. – СПб.: Питер, 2002. – 243 С.
- Карпов, Г.А. Атака на ДНС [Электронный ресурс] / Г.А. Карпов. – Режим доступа: www/ URL: http://www.hackzone.ru/articles/dns-poison.html. – Загл. с экрана.
- Arends, R. L. DNSSecurity Introduction and Requirement [Text] / R. L. Arends, R. U. Austein // RFC 4033. – 2005. – 47 p.
- DNS ID Hacking – ADM Crew [Электронный ресурс] – Режим доступа: www/ URL: http://packetstorm.securify.com/groups/ADM/ADM-DNS-SPOOF/ADMID.txt – Загл. c экрана.
- Abley, J., Larson, M. DNSSEC for the Root Zone – Update [Text] / J. Abley, M. Larson // IETF 78, Maastricht, Нидерланды. – 2010. – 44 p.
- Waterman, S. UPI Analysis: Owning the keys to the Internet. [Электронный ресурс] / S. Waterman. – Режим доступа: www/ URL: http://www.mail-archive.com/osint@yahoogroups.com/msg39697.html – Загл. c экрана.
- Kerner, S.M. ORG the Most Secure Domain? [Электронный ресурс] / S.M. Kerner. – Режим доступа: www/ URL: http://www.internetnews.com/security/article.php/3774131/ORG+the+Most+Secure+Domain.htm – Загл. c экрана.
- Singel, R. Feds Start Moving on Net Security Hole. [Text] / R. Singel. – Wired News (CondéNet). 2006. – 76 p.
- Eklund-Löwinder, Anne-Marie. Swedish ISP TCD Song Adopts DNSSEC. [Text] / Eklund-Löwinder, Anne-Marie //. DNS-wg mailing list, RIPE NCC. – 2012. – 8 p.
- Andrews, M., Weiler, S. The DNSSEC Lookaside Validation (DLV) DNS Resource Record. [Text] // M. Andrews, S. Weiler // RFC 4431. – 2006. – 22 p.
- Metzger, Perry, Simpson, W.A. and Vixie, P. Improving TCP security with robust cookies. [Text] / P. Metzger, W.A. Simpson, P. Vixie // 26th Large Installation System Administration Conference (LISA '12), volume 34, № 6. – 2009. – pp. 86-97.
- Mamayev M., Petrenko S. (2002). Technologies of protection information on the Internet. St.Petersburg, 243.
- Karpov А. (02.06.2007). Attack on the DNS. Mode of access: http://www.hackzone.ru/articles/dns-poison.html.
- R. L. Arends, R.U.Austein. (2005). DNSSecurity Introduction and Requirement. RFC 4033, 47.
- DNS ID Hacking – ADM Crew. (2010). Mode of access: http://packetstorm.securify.com/groups/ADM/ADM-DNS-SPOOF/ADMID.txt.
- Abley, J., Larson, M. (2010). DNSSEC for the Root Zone – Update. IETF 78, Maastricht, the Netherlands, 44.
- Waterman, S. (23.04.2007). UPI Analysis: Owning the keys to the Internet. Mode of access: http://www.mail-archive.com/osint@yahoogroups.com/msg39697.html.
- Kerner, S.M. (27.09-2008). ORG the Most Secure Domain? Mode of access: http://www.internetnews.com/security/article.php/3774131/ORG+the+Most+Secure+Domain.htm.
- Singel, R. (08.10.2006). Feds Start Moving on Net Security Hole. Wired News (CondéNet). 76.
- Eklund-Löwinder, Anne-Marie. (12.02.2012). Swedish ISP TCD Song Adopts DNSSEC. DNS-wg mailing list. RIPE NCC, 8.
- Andrews, M., Weiler, S. (2006). The DNSSEC Lookaside Validation (DLV) DNS Resource Record. RFC 4431, 22.
- Metzger, Perry, Simpson, W.A. and Vixie, P. (17.12.2009). Improving TCP security with robust cookies. 26th Large Installation System Administration Conference (LISA '12). Volume 34, № 6, 86-97.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2016 Тамара Анатольевна Радивилова, Виктор Сергеевич Бушманов
This work is licensed under a Creative Commons Attribution 4.0 International License.
The consolidation and conditions for the transfer of copyright (identification of authorship) is carried out in the License Agreement. In particular, the authors reserve the right to the authorship of their manuscript and transfer the first publication of this work to the journal under the terms of the Creative Commons CC BY license. At the same time, they have the right to conclude on their own additional agreements concerning the non-exclusive distribution of the work in the form in which it was published by this journal, but provided that the link to the first publication of the article in this journal is preserved.