Large-scale DNS and DNSSEC data sets for network security research

    Research output: Book/ReportReportProfessional

    28 Downloads (Pure)

    Abstract

    The Domain Name System protocol is often abused to perform denial-of-service attacks. These attacks, called DNS amplification, rely on two properties of the DNS. Firstly, DNS is vulnerable to source address spoofing because it relies on the asynchronous connectionless UDP protocol. Secondly, DNS queries are usually small whereas DNS responses may be much larger than the query. In recent years, the DNS has been extended to include security features based on public key cryptography. This extension, called DNSSEC, adds integrity and authenticity to the DNS and solves a serious vulnerability in the original protocol. A downside of DNSSEC is that it may further increase the potential DNS has for amplification attacks. This disadvantage is often cited by opponents of DNSSEC as a major reason not to deploy the protocol. Until recently, however, ground truth about how serious an issue this can be was never established. This technical report describes the data sets obtained during a study we carried out to establish this ground truth. We make these data sets available as open data under a permissive Creative Commons license. We believe these data sets have a lot of value beyond our research. They, for example, allow characterisations of EDNS0 implementations, provide information on IPv6 deployment (presence or absence of AAAA records) for a large number of domains in separate TLDs, etc.
    Original languageUndefined
    Place of PublicationEnschede
    PublisherCentre for Telematics and Information Technology (CTIT)
    Number of pages10
    Publication statusPublished - Sep 2014

    Publication series

    NameCTIT Technical Report Series
    PublisherUniversity of Twente, Centre for Telematics and Information Technology (CTIT)
    No.TR-CTIT-14-13
    ISSN (Print)1381-3625

    Keywords

    • METIS-309621
    • EWI-25211
    • DNSSEC
    • Attack
    • IR-93979
    • Measurements
    • reflection at- tack
    • amplification attack
    • Denial of service
    • DDoS
    • DNS
    • Network Security

    Cite this

    van Rijswijk, R. M., Sperotto, A., & Pras, A. (2014). Large-scale DNS and DNSSEC data sets for network security research. (CTIT Technical Report Series; No. TR-CTIT-14-13). Enschede: Centre for Telematics and Information Technology (CTIT).