Analysis of main attacks on DNS-server and methods of use DNSSEC for protection DNS-server

Authors

  • Тамара Анатольевна Радивилова Kharkiv National University of Radio Electronics, Lenina 16, Kharkov, 61166, Ukraine
  • Виктор Сергеевич Бушманов Kharkiv National University of Radio Electronics, Lenina 16, Kharkov, 61166, Ukraine

DOI:

https://doi.org/10.15587/2312-8372.2013.12951

Keywords:

DNS-server, DNSSEC, domain, encryption, digital signature, attacks, survival capability

Abstract

A detailed analysis of the survival capability of DNS servers was carried out. The principle of operation of DNSSEC and the basic attacks carried out against DNS servers are described. DNS server protection was tested by mounting various kinds of attacks against a DNS server with standard protection and against one with the DNSSEC protection system additionally installed. MITM attacks were carried out; the DNS packet ID field was spoofed; and attacks were conducted in which name resolution requests were directed to the attacker's DNS server. The methods used to attack the standard DNS server proved unsuccessful against the server on which DNSSEC was deployed. Analysis of the attacks showed that DNSSEC can counter threats to DNS survival capability such as "cache poisoning" or "man in the middle". The influence of DNSSEC deployment on efficiency and network load was also analyzed. It was found that introducing DNSSEC increases the amount of transmitted data and the load on the servers' memory, CPU and bandwidth by 20%, but this value is not critical.

Author Biographies

Тамара Анатольевна Радивилова, Kharkiv National University of Radio Electronics, Lenina 16, Kharkov, 61166

Associate professor 

Department of Telecommunication Systems

Виктор Сергеевич Бушманов, Kharkiv National University of Radio Electronics, Lenina 16, Kharkov, 61166

Student

Department of Telecommunication Systems

Published

2013-03-29

How to Cite

Радивилова, Т. А., & Бушманов, В. С. (2013). Analysis of main attacks on DNS-server and methods of use DNSSEC for protection DNS-server. Technology Audit and Production Reserves, 2(1(10)), 16–19. https://doi.org/10.15587/2312-8372.2013.12951