Cybersecurity Mechanisms in DNS Resolvers: An Internet Measurement Perspective
Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013). ORCID iD: 0000-0002-0961-9489
2025 (English). Licentiate thesis, comprehensive summary (Other academic)
Alternative title
Cybersäkerhetsmekanismer i DNS-resolvrar : Ett perspektiv med internetmätningar (Swedish)
Abstract [en]

Using the Internet today, both end-users and automated systems rely on the Domain Name System (DNS) to translate human-readable domain names to IP addresses for communication between machines. This system from 1985 has only in recent years seen Internet standards addressing security and privacy concerns. In the position as a machine-in-the-middle between the client and the distributed hierarchical system of authoritative name servers, we find the DNS resolver. Due to its purpose of forwarding, looking up, and caching queries and responses, in addition to its location between the clients and the name servers, the DNS resolver becomes a critical point for implementing these security and privacy features. The widespread adoption of these features, their variation in implementation, and their impact on both clients and other name servers remain interesting topics in the research community. The goal of this thesis is to analyze servers in the wild and conduct a comprehensive investigation into the security and privacy mechanisms configured on DNS resolvers. Using an Internet measurement approach, we explore the trends in the adoption and implementation of these features by generating and observing our own queries to and from the resolvers. We also investigate how clients and the DNS ecosystem as a whole are impacted by resolver configurations. We use and improve methods for measuring adoption of various security and privacy related features. Based on these measurements we report the current level of adoption and adoption over time, investigate anomalies, and identify limitations with measurement approaches. We fingerprint the software and version of popular open-source DNS resolvers by classifying query patterns. Comparing the ingress and egress resolvers, we analyze forwarding behaviors and their impact on the availability and effectiveness of security and privacy features. We also cross-analyze features in DNS resolvers to find correlations, which could help us understand obstacles and find solutions to feature adoption.

Abstract [sv] (translated to English)

For machines to communicate on the Internet today, they rely on the Domain Name System (DNS) translating domain names into IP addresses for both users and automated systems. Internet standards addressing security and privacy in this system from 1985 have mainly appeared in recent years. Between clients and the distributed hierarchy of authoritative name servers we find the DNS resolver. Because of its purpose of forwarding and looking up clients' queries and caching the responses, and its position as a box-in-the-middle, it becomes a critical point for security and privacy. How widely these mechanisms are adopted, their variation in implementation, and their impact on both clients and other name servers remain interesting topics in the research community. The goal of this thesis is to analyze DNS resolvers on the Internet in order to carry out a comprehensive evaluation of related security and privacy mechanisms. We explore the trends in the adoption and implementation of these features, and analyze how they affect clients and the ecosystem as a whole by observing traffic from DNS queries. We use and improve methods for measuring the adoption of various features related to security and privacy. Based on these measurements we report the current level of adoption and adoption over time. We also examine interesting anomalies in the results and identify limitations of the measurement methods used. By classifying traffic patterns, we succeed in identifying software versions of popular open-source DNS resolvers. When we observe the resolvers involved in a lookup, we analyze how they forward and how this affects the availability and effectiveness of various mechanisms. We also examine relationships between different mechanisms, which could lead to a deeper understanding of the challenges and solutions on the way to higher adoption.

Place, publisher, year, edition, pages
Karlstad: Karlstads universitet, 2025, p. 18
Series
Karlstad University Studies, ISSN 1403-8099 ; 2025:1
Keywords [en]
Domain Name System, Resolver, Security, Privacy, Traffic Analysis, Internet Measurements
Keywords [sv]
Domännamnssystemet, Uppslagningstjänst, Säkerhet, Personlig Integritet, Trafikanalys, Internetmätningar
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-102373
DOI: 10.59217/rbhs6890
ISBN: 978-91-7867-518-0 (print)
ISBN: 978-91-7867-519-7 (electronic)
OAI: oai:DiVA.org:kau-102373
DiVA, id: diva2:1918396
Presentation
2025-01-21, 1B309 Sjöström, Karlstads Universitet, Karlstad, 13:15 (English)
Funder
.SE (The Internet Infrastructure Foundation), 6458
Available from: 2025-01-02 Created: 2024-12-05 Last updated: 2025-01-02
Bibliographically approved
List of papers
1. A Second Look at DNS QNAME Minimization
2023 (English). In: Passive and Active Measurement: 24th International Conference, PAM 2023, Virtual Event, March 21–23, 2023, Proceedings / [ed] Anna Brunström; Marcel Flores; Marco Fiore, Springer, 2023, p. 496-521
Conference paper, Published paper (Refereed)
Abstract [en]

The Domain Name System (DNS) is a critical Internet infrastructure that translates human-readable domain names to IP addresses. It was originally designed over 35 years ago and multiple enhancements have since then been made, in particular to make DNS lookups more secure and privacy preserving. Query name minimization (qmin) was initially introduced in 2016 to limit the exposure of queries sent across DNS and thereby enhance privacy. In this paper, we take a look at the adoption of qmin, building upon and extending measurements made by De Vries et al. in 2018. We analyze qmin adoption on the Internet using active measurements both on resolvers used by RIPE Atlas probes and on open resolvers. Aside from adding more vantage points when measuring qmin adoption on open resolvers, we also increase the number of repetitions, which reveals conflicting resolvers – resolvers that support qmin for some queries but not for others. For the passive measurements at root and Top-Level Domain (TLD) name servers, we extend the analysis over a longer period of time, introduce additional sources, and filter out non-valid queries. Furthermore, our controlled experiments measure performance and result quality of newer versions of the qmin-enabled open source resolvers used in the previous study, with the addition of PowerDNS. Our results, using extended methods from previous work, show that the adoption of qmin has significantly increased since 2018. New controlled experiments also show a trend of a higher number of packets used by resolvers and lower error rates in the DNS queries. Since qmin is a balance between performance and privacy, we further discuss the depth limit of minimizing labels and propose the use of a public suffix list for setting this limit.

Place, publisher, year, edition, pages
Springer, 2023
Series
Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349 ; 13882
Keywords
Internet protocols; Privacy-preserving techniques; Controlled experiment; Domain name system; Domain names; Human-readable; Internet infrastructure; Lookups; Minimisation; Performance; Privacy; QNAME minimization; Quality control
National Category
Computer and Information Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-94279 (URN)
10.1007/978-3-031-28486-1_21 (DOI)
2-s2.0-85151060508 (Scopus ID)
Conference
24th International Conference, PAM 2023, Virtual Event, March 21–23, 2023
Available from: 2023-04-19 Created: 2023-04-19 Last updated: 2024-12-05
Bibliographically approved
2. Fingerprinting DNS Resolvers using Query Patterns from QNAME Minimization
2024 (English). In: Secure IT Systems: 29th Nordic Conference, Karlstad, November 6-7, 2024
Conference paper, Published paper (Refereed)
Abstract [en]

The Domain Name System (DNS) plays a pivotal role in the function of the Internet, but if DNS resolvers are not correctly configured or updated, they could pose security and privacy risks. Fingerprinting resolvers helps the analysis of the DNS ecosystem and can reveal outdated software and misconfigurations. This study aims to evaluate whether patterns in queries from DNS resolvers that implement query name minimization as a privacy-enhancing feature can reveal their characteristics, such as their software and versions. We examined the query patterns of minimizing resolvers at the authoritative name server side, and our findings indicate that distinct patterns correlate with specific open-source resolver software versions. Notably, none of the resolvers fully follow the recommended query name minimization algorithm outlined in RFC 9156, suggesting a discrepancy between recommendations and real-world implementations. We also identified high rates of query amplification, possibly caused in part by the combination of minimization and forwarding configurations. Our research contributes to understanding the current state of the DNS ecosystem, highlighting the potential for fingerprinting to enhance Internet security by identifying and addressing resolver-related risks.

National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-102370 (URN)
Conference
NordSec 2024
Available from: 2024-12-03 Created: 2024-12-03 Last updated: 2024-12-05
3. SweDNS: Evaluating Privacy and Security of DNS Resolvers used in Sweden
(English)Manuscript (preprint) (Other academic)
Abstract [en]

The Domain Name System (DNS), responsible for translating domain names into resources such as IP addresses, is critical Internet infrastructure. A key role within DNS is the resolver, which performs tasks such as caching, forwarding, and querying authoritative name servers on behalf of clients. However, DNS resolvers also introduce several security and privacy concerns as a machine-in-the-middle between client queries and name server responses. In this study, we examine DNS resolvers used by clients in Sweden, conducting active measurements to assess the adoption of security and privacy standards. We categorize the resolvers based on their network proximity to the client, allowing for more in-depth analysis. We utilize the RIPE Atlas network of volunteer-run probes for our measurements in October 2024 and reveal that 86% of the identified resolvers supported IPv6, 85% were validating DNSSEC, 85% implemented QNAME Minimization, 86% avoided using EDNS Client Subnet, and 93% returned minimal responses to the client. A deeper analysis of private, within-AS, and public (outside-AS) resolvers shows varying levels of feature adoption across these categories. We also identified strong correlations between privacy-focused features and links between DNSSEC and both QNAME Minimization and IPv6 support.

National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-102371 (URN)
Available from: 2024-12-03 Created: 2024-12-03 Last updated: 2024-12-05

Open Access in DiVA

fulltext (627 kB), 80 downloads
File information
File name: FULLTEXT02.pdf
File size: 627 kB
Checksum SHA-512: 94deb585ce3b2f86699ff91ea7abd248bdd239e6a753f65a6c904590cbe7c39beb589192ef1b553b4ccbab3a92f00621893da64a3d712371516aa4a1ee852042
Type: fulltext
Mimetype: application/pdf

Authority records

Magnusson, Jonathan
