

DNS-over-TCP considered vulnerable

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN; Conference contribution/Paper; peer-reviewed

Published

Standard

DNS-over-TCP considered vulnerable. / Dai, Tianxiang; Shulman, Haya; Waidner, Michael.
ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop. New York: ACM, 2021. p. 76-81 (ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop).


Harvard

Dai, T, Shulman, H & Waidner, M 2021, DNS-over-TCP considered vulnerable. in ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop. ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop, ACM, New York, pp. 76-81. https://doi.org/10.1145/3472305.3472884

APA

Dai, T., Shulman, H., & Waidner, M. (2021). DNS-over-TCP considered vulnerable. In ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop (pp. 76-81). (ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop). ACM. https://doi.org/10.1145/3472305.3472884

Vancouver

Dai T, Shulman H, Waidner M. DNS-over-TCP considered vulnerable. In ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop. New York: ACM. 2021. p. 76-81. (ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop). doi: 10.1145/3472305.3472884

Author

Dai, Tianxiang ; Shulman, Haya ; Waidner, Michael. / DNS-over-TCP considered vulnerable. ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop. New York : ACM, 2021. pp. 76-81 (ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop).

Bibtex

@inproceedings{59647c0243d44f07a9f529c050ad04ad,
title = "DNS-over-TCP considered vulnerable",
abstract = "The research and operational communities believe that TCP provides protection against IP fragmentation attacks and recommend that servers avoid sending DNS responses over UDP but use TCP instead. In this work we show that IP fragmentation attacks also apply to servers that communicate over TCP. Our measurements indicate that in the 100K-top Alexa domains there are 393 additional domains whose nameservers can be forced to (source) fragment IP packets that contain TCP segments. In contrast, responses from these domains cannot be forced to fragment when sent over UDP. Our study not only shows that the recommendation to use TCP instead of UDP in order to avoid attacks that exploit fragmentation is risky, but it also unveils that the attack surface due to fragmentation is larger than was previously believed. We evaluate IP fragmentation-based DNS cache poisoning attacks against DNS responses over TCP.",
keywords = "DNS cache poisoning, IP fragmentation, TCP",
author = "Tianxiang Dai and Haya Shulman and Michael Waidner",
year = "2021",
month = jul,
day = "24",
doi = "10.1145/3472305.3472884",
language = "English",
series = "ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop",
publisher = "ACM",
pages = "76--81",
booktitle = "ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop",
}

RIS

TY - GEN

T1 - DNS-over-TCP considered vulnerable

AU - Dai, Tianxiang

AU - Shulman, Haya

AU - Waidner, Michael

PY - 2021/7/24

Y1 - 2021/7/24

N2 - The research and operational communities believe that TCP provides protection against IP fragmentation attacks and recommend that servers avoid sending DNS responses over UDP but use TCP instead. In this work we show that IP fragmentation attacks also apply to servers that communicate over TCP. Our measurements indicate that in the 100K-top Alexa domains there are 393 additional domains whose nameservers can be forced to (source) fragment IP packets that contain TCP segments. In contrast, responses from these domains cannot be forced to fragment when sent over UDP. Our study not only shows that the recommendation to use TCP instead of UDP in order to avoid attacks that exploit fragmentation is risky, but it also unveils that the attack surface due to fragmentation is larger than was previously believed. We evaluate IP fragmentation-based DNS cache poisoning attacks against DNS responses over TCP.

AB - The research and operational communities believe that TCP provides protection against IP fragmentation attacks and recommend that servers avoid sending DNS responses over UDP but use TCP instead. In this work we show that IP fragmentation attacks also apply to servers that communicate over TCP. Our measurements indicate that in the 100K-top Alexa domains there are 393 additional domains whose nameservers can be forced to (source) fragment IP packets that contain TCP segments. In contrast, responses from these domains cannot be forced to fragment when sent over UDP. Our study not only shows that the recommendation to use TCP instead of UDP in order to avoid attacks that exploit fragmentation is risky, but it also unveils that the attack surface due to fragmentation is larger than was previously believed. We evaluate IP fragmentation-based DNS cache poisoning attacks against DNS responses over TCP.

KW - DNS cache poisoning

KW - IP fragmentation

KW - TCP

U2 - 10.1145/3472305.3472884

DO - 10.1145/3472305.3472884

M3 - Conference contribution/Paper

T3 - ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop

SP - 76

EP - 81

BT - ANRW 2021 - Proceedings of the 2021 Applied Networking Research Workshop

PB - ACM

CY - New York

ER -