SOEN 321 Project

SOEN 321 Winter 2019

Topic 6 DNS Interception Study

Who Is Answering My Queries

What need to do

  • Set a few free domains
  • Use a residential proxy service like the authors - instead you can also start with free hosting services
  • Attempt to replicate as much as you can from the paper (exclude the China part)

What is in the article

Terminology

  1. ISPs: Internet Service Providers
  2. DNS: Domain Name System, resolving human-readable names to numerical IP addresses
  3. DNS transparent proxy
    • Web proxies work by intercepting a request, modifying the request if necessary, then handling or forwarding the request to its destination. Proxies allow service providers to shape and optimize the way users connect to their services, but they also allow network providers to impact the way users or employees access external resources.
    • Traditionally, proxies are accessed by configuring the user’s application or network settings.
    • With transparent proxying, the proxy intercepts requests by intercepting packets directed to the destination, making it seem as though the request is handled by the destination itself. This allows service providers to implement proxying without having to reconfigure the user’s computer.
    • What is a Transparent Proxy?
  4. ASes: Autonomous Systems
  5. DNSIntercept: hidden interception of the DNS resolution path
  6. TLD: Top-Level Domains
  7. SLD: Second-Level Domains
  8. FQDN: a fully qualified domain name

1. Introduction

  • How

    1. DNS queries from end users are handled by recursive DNS servers for scalability.

  • The concerns rasied from DNS interception:

    1. The interception is not authorized by users and is difficult to detect on the users’ side, which leads to ethical concerns;
    2. Users have higher risks to put the resolution trust to alternative recursive DNS servers, which often lack proper maintenance (e.g., equipped with outdated DNS software), compared to well-known public DNS servers;
    3. Certain security-related functionalities are affected or even broken, e.g., some alternative DNS resolvers do not provide DNSSEC.

  • Challenges:

    1. Acquire clients belonging to different ASes to perform a large-scale measurement, which also should allow fine-tuning on the measurement parameters. Advertising networks, HTTP proxy networks, and Internet scanners cannot fulfill the conditions at the same time.
    2. Verify whether the DNS resolution is intercepted rather than reaching users’ designated recursive nameservers. Since on-path devices are able to spoof the IP addresses in the DNS responses, it is difficult to sense the existence of DNS interception merely from the clients.

  • Approaches

    1. Devise a new measurement methodology.
    2. Register a set of domains (e.g., OurDomain.TLD), and use the authoritative nameservers controlled by us to handle resolutions.

2. Threat Model and Mechanisms

  1. Domain Resolution Process

    1. FQDN: www.example.com
    2. SLD: example.com
    3. TLD: com

    Domain Resolution Process

  2. Threat Model

    Threat Model

    1. redirect or replicate the requests to alternative resolvers
    2. before responses are sent from alternative resolvers back to clients, the sources are replaced with addresses of the original resolvers.

    DNS resolution paths

    • Taxonomy of DNS resolution paths:
      1. Normal resolution
      2. Request redirection
      3. Request replication
      4. Direct responding

  3. Potential Interceptors

    • Censor and firewall
    • Malware and anti-virus (AV) software
    • Enterprise proxy

3. Methodology and Dataset

  1. Overview
    • Approach
      1. instruct a client to send a DNS request about one of our controlled domains to a public resolver A;
      2. record its corresponding request at our authoritative nameservers, which originates from recursive resolver B; and
      3. compare A with B. As a complementary step, we also
      4. validate the response eventually received by the client.
  2. Methodology
    • DNS packet: {Src IP, Dst IP, Protocol, RR Type, Requested Domain}
    • Generate DNS requets: UUID.Google.OurDomain.TLD, UUID should be distinct.
    • Generate DNS responses
    • Identifying egress IPs of public DNS
  3. Vantage points
  4. Dataset

DNS Profiling (Python)

Source code

Steps

  1. Domains are fetching from website global topsites and category topsites
  2. Use BeautifulSoup to crab the webpage to get the domains of top websites.
  3. Write these records to files top-world-%yyyyMMdd% and top-categories-%yyyyMMdd%.
  4. Get the list of the countries of so-called the enemy of Internet from wikipedia
  5. Search these countries' DNS from web.
  6. Use these DNSs to query the domains which fetched from the third step.
  7. Log the response to output-%yyyyMMdd% file.
  8. Total 20+20+ DNSs, 800+800+ domains, 1870018700 records.

Next

  1. Add custome domains
  2. Confirm unuseful DNS
  3. Statistics
Edit this page
Last updated on