Improving DNS security: a measurement-based approach

Roland van Rijswijk-Deij

Research output: Thesis › PhD Thesis - Research external, graduation UT › Academic

Abstract

The Domain Name System (DNS) is a vital part of the core infrastructure of the Internet. It maps human-readable names (such as www.example.com) to machine-readable information (such as 93.184.216.34). This thesis studies two aspects of the DNS. First, it studies problems in the DNS Security Extensions. DNSSEC was developed to address security problems in the DNS. As we show in this thesis, however, while the deployment of DNSSEC does improve DNS security, it also introduces new problems. Two problems in particular stand out: unreachability problems due to IP fragmentation and abuse of DNSSEC-signed domains in so-called amplification DDoS attacks. The thesis shows that the default cryptographic algorithm used in DNSSEC, RSA, is at the root of these problems. Based on real-world measurements, the thesis shows that alternative cryptographic algorithms based on Elliptic Curve Cryptography (ECC) are much better suited for DNSSEC and solve the two problems discussed before. The thesis also shows that ECC performance in terms of speed is sufficient for DNSSEC, something that was uncertain before.

The second main contribution of this thesis is that it introduces a unique large-scale long-term active measurement infrastructure for the DNS. This infrastructure currently measures 60% of all domains in the global DNS name space once every 24 hours. Using five case studies, this thesis illustrates how the data collected by this infrastructure (currently spanning more than two years) enables novel research into the security, stability and evolution of the Internet.
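
A worked model of why RSA key and signature sizes drive both problems named in the abstract, added here as an illustration (it is not code from the thesis): it computes the wire size of a DNSKEY response for an assumed zone `example.com` under RSA-2048, ECDSA P-256 and Ed25519, reports the bandwidth amplification factor relative to the query, and flags when the response exceeds the largest UDP payload that fits one unfragmented IPv4 packet of 1500 bytes or IPv6 packet of 1280 bytes. Field sizes follow the RFCs cited in the comments; the zone name, the key counts (two keys in steady state, four during a double key rollover) and the MTU figures are assumptions chosen for the example.

```python
"""Estimate the size of a DNSSEC DNSKEY response and the UDP amplification
it offers, for RSA versus elliptic-curve signing algorithms.

Constructed model for illustration; not code from the thesis. Field sizes
follow RFC 1035 (message framing, name compression), RFC 4034 (DNSKEY and
RRSIG RDATA), RFC 3110/5702 (RSA key and signature format), RFC 6605
(ECDSA P-256) and RFC 8080 (Ed25519). The zone name, key counts and MTU
figures are assumptions.
"""
from dataclasses import dataclass

DNS_HEADER = 12      # RFC 1035 section 4.1.1
QUESTION_FIXED = 4   # QTYPE(2) + QCLASS(2), after the QNAME
RR_FIXED = 10        # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2), after the owner name
OPT_RR = 11          # EDNS0 OPT pseudo-RR with root owner name and no options
COMPRESSED_NAME = 2  # RFC 1035 section 4.1.4 pointer to an earlier owner name
DNSKEY_FIXED = 4     # Flags(2) Protocol(1) Algorithm(1) before the Public Key
RRSIG_FIXED = 18     # RFC 4034 section 3.1: fields before the Signer's Name


@dataclass(frozen=True)
class Algorithm:
    name: str
    pubkey_len: int  # bytes in the DNSKEY Public Key field
    sig_len: int     # bytes in the RRSIG Signature field


def rsa(bits: int) -> Algorithm:
    """RSA/SHA-256 (algorithm 8): 1 exponent-length byte, 3-byte e = 65537,
    then the modulus; the signature is one modulus length."""
    modulus = bits // 8
    return Algorithm(f"RSASHA256-{bits}", 1 + 3 + modulus, modulus)


ECDSAP256 = Algorithm("ECDSAP256SHA256", 64, 64)  # RFC 6605: Q = x||y, sig = r||s
ED25519 = Algorithm("ED25519", 32, 64)            # RFC 8080


def wire_name_len(name: str) -> int:
    """Uncompressed wire length: a length byte per label plus the root label."""
    labels = [label for label in name.strip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def query_size(zone: str) -> int:
    """A minimal EDNS0 query for <zone> DNSKEY: header, question, OPT."""
    return DNS_HEADER + wire_name_len(zone) + QUESTION_FIXED + OPT_RR


def response_size(zone: str, alg: Algorithm, n_keys: int, n_sigs: int) -> int:
    """Response carrying n_keys DNSKEY RRs and n_sigs RRSIGs over the set.

    Owner names after the question compress to 2-byte pointers. The RRSIG
    Signer's Name MUST NOT be compressed (RFC 4034 section 3.1.7), so it is
    counted at full length once per signature."""
    zone_len = wire_name_len(zone)
    dnskey_rr = COMPRESSED_NAME + RR_FIXED + DNSKEY_FIXED + alg.pubkey_len
    rrsig_rr = COMPRESSED_NAME + RR_FIXED + RRSIG_FIXED + zone_len + alg.sig_len
    return (DNS_HEADER + zone_len + QUESTION_FIXED
            + n_keys * dnskey_rr + n_sigs * rrsig_rr + OPT_RR)


def amplification(zone: str, alg: Algorithm, n_keys: int, n_sigs: int) -> float:
    """Bandwidth amplification factor: response bytes per query byte."""
    return response_size(zone, alg, n_keys, n_sigs) / query_size(zone)


def udp_payload_limit(mtu: int, ipv6: bool = False) -> int:
    """Largest UDP payload that travels in one IP packet of <mtu> bytes."""
    return mtu - (40 if ipv6 else 20) - 8


def fragments(zone: str, alg: Algorithm, n_keys: int, n_sigs: int,
              mtu: int = 1500, ipv6: bool = False) -> bool:
    """True when the response cannot fit a single unfragmented datagram."""
    return response_size(zone, alg, n_keys, n_sigs) > udp_payload_limit(mtu, ipv6)


if __name__ == "__main__":
    zone = "example.com"  # assumed zone name
    # Steady state: KSK + ZSK, DNSKEY set signed by the KSK only.
    # Rollover: two KSKs and two ZSKs published, both KSKs signing.
    scenarios = [("steady state", 2, 1), ("double rollover", 4, 2)]
    for alg in (rsa(2048), ECDSAP256, ED25519):
        for label, keys, sigs in scenarios:
            size = response_size(zone, alg, keys, sigs)
            print(f"{alg.name:18s} {label:16s} {size:5d} B  "
                  f"x{amplification(zone, alg, keys, sigs):5.1f}  "
                  f"frag@1500: {fragments(zone, alg, keys, sigs)}  "
                  f"frag@1280/v6: {fragments(zone, alg, keys, sigs, 1280, True)}")
```

Running it shows the RSA-2048 rollover response (1742 bytes) exceeding both the 1472-byte IPv4 and the 1232-byte IPv6 single-packet limits, while the same rollover under ECDSA P-256 stays under 600 bytes with roughly a third of the amplification. The figures are indicative of the size effect only: real amplification attacks typically use ANY queries against larger zones, and these are not the thesis's measured numbers.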
Language: English
Awarding Institution
  • University of Twente
Supervisors/Advisors
  • Pras, Aiko, Supervisor
  • Sperotto, Anna, Supervisor
Award date: 28 Jun 2017
Place of Publication: Enschede
Publisher: University of Twente
Print ISBNs: 978-90-365-4329-3
DOIs: 10.3990/1.9789036543293
Publication status: Published - 28 Jun 2017

Fingerprint

Security systems
Cryptography
Internet
Amplification

Cite this

van Rijswijk-Deij, R. (2017). Improving DNS security: a measurement-based approach. Enschede: University of Twente. https://doi.org/10.3990/1.9789036543293
van Rijswijk-Deij, Roland. / Improving DNS security : a measurement-based approach. Enschede : University of Twente, 2017. 227 p.
@phdthesis{3f7258867b8f4fa5b9fa1d13657cf7a0,
title = "Improving DNS security: a measurement-based approach",
author = "{van Rijswijk-Deij}, Roland",
note = "CTIT Ph.D. thesis series no. 17-430",
year = "2017",
month = "6",
day = "28",
doi = "10.3990/1.9789036543293",
language = "English",
isbn = "978-90-365-4329-3",
publisher = "University of Twente",
address = "Netherlands",
school = "University of Twente",
}

van Rijswijk-Deij, R 2017, 'Improving DNS security: a measurement-based approach', University of Twente, Enschede. https://doi.org/10.3990/1.9789036543293

Improving DNS security : a measurement-based approach. / van Rijswijk-Deij, Roland.

Enschede : University of Twente, 2017. 227 p.

Research output: Thesis › PhD Thesis - Research external, graduation UT › Academic

TY - THES

T1 - Improving DNS security

T2 - a measurement-based approach

AU - van Rijswijk-Deij, Roland

N1 - CTIT Ph.D. thesis series no. 17-430

PY - 2017/6/28

Y1 - 2017/6/28

U2 - 10.3990/1.9789036543293

DO - 10.3990/1.9789036543293

M3 - PhD Thesis - Research external, graduation UT

SN - 978-90-365-4329-3

PB - University of Twente

CY - Enschede

ER -

van Rijswijk-Deij R. Improving DNS security: a measurement-based approach. Enschede: University of Twente, 2017. 227 p. https://doi.org/10.3990/1.9789036543293