Abstract
DNS is the protocol responsible for translating human-readable domain names into IP addresses. Despite being essential for many Internet services to work properly, it is inherently vulnerable to manipulation. In November 2021, users in Mexico received bogus DNS responses when resolving whatsapp.net. It appeared that a BGP route leak diverted DNS queries to the local instance of the k-root located in China. Those queries, in turn, encountered middleboxes that injected fake DNS responses. In this paper, we analyze that event from the RIPE Atlas point of view and observe that its impact was more significant than initially thought: the Chinese root server instance was reachable from at least 15 countries several months before being reported. We then launch a nine-month longitudinal measurement campaign using RIPE Atlas probes and locate 11 probes outside China reaching the same instance, although this time over IPv6. More broadly, motivated by the November 2021 event, we study the extent of DNS response injection when contacting root servers. While less than 1% of queries are affected, they originate from 7% of RIPE Atlas probes in 66 countries. We conclude by discussing several countermeasures that limit the probability of DNS manipulation.
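As an added example (not the paper's code or RIPE Atlas tooling), a small parser that classifies a wire-format DNS response a probe received from a root server for whatsapp.net: the root zone holds no records for that name, so it can only answer with a referral to the .net servers, and an answer section or a non-zero rcode means the response was injected on the path. The detection rule, the constructed sample packets and the 203.0.113.7 documentation address are assumptions here, not values taken from the paper.

```python
import struct

QNAME = "whatsapp.net."  # the name whose root-server responses were injected; RR types A=1, NS=2

def read_name(msg, off, end=None):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels = []
    while msg[off]:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: remember where we were, then jump
            end = end if end is not None else off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels) + ".", end if end is not None else off + 1

def parse_response(msg):
    """Return (rcode, answer_rrs, authority_rrs); each RR is (owner, type, rdata)."""
    _id, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, rrs = read_name(msg, 12)[1] + 4, []  # skip the single question entry
    for _ in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append((owner, rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return flags & 0xF, rrs[:an], rrs[an:]

def classify_root_response(msg):
    """Root servers only refer whatsapp.net to .net: NOERROR, empty ANSWER, NS in AUTHORITY."""
    rcode, answer, _authority = parse_response(msg)
    if answer:  # the root zone holds no records for whatsapp.net, so an answer was injected
        return "injected: answer records for %s" % answer[0][0]
    if rcode != 0:  # e.g. an injected NXDOMAIN for an existing TLD
        return "injected: rcode %d instead of a referral" % rcode
    return "referral"  # an NS referral for net. in AUTHORITY is what the root really sends

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_response(rcode, answer, authority):  # constructed test packets, not real captures
    msg = struct.pack("!HHHHHH", 0x1234, 0x8100 | rcode, 1, len(answer), len(authority), 0)
    msg += encode_name(QNAME) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in answer + authority:
        owner = owner if isinstance(owner, bytes) else encode_name(owner)  # raw bytes = pointer
        msg += owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg

REFERRAL = build_response(0, [], [("net.", 2, encode_name("a.gtld-servers.net."))])
INJECTED = build_response(0, [(b"\xc0\x0c", 1, bytes([203, 0, 113, 7]))], [])  # owner -> qname
```

On RIPE Atlas data the same classifier would run over the base64-decoded `abuf` of each DNS result; the injected sample uses a compression pointer for its owner name so that path is exercised too.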
Acknowledgments
We thank root server operators for validating the nameserver identifiers. This work was partially supported by RIPE NCC, Carnot LSI, the Grenoble Alpes Cybersecurity Institute (under the contract ANR-15-IDEX-02), and the French Ministry of Research (PERSYVAL-Lab project under the contract ANR-11-LABX-0025-01 and DiNS project under the contract ANR-19-CE25-0009-01).
Appendix
1.1 Generalized Linear Mixed-Effects Model
To determine which factors make DNS queries more susceptible to manipulation, we fit a generalized linear mixed-effects model (GLMM) assuming a binomial distribution with logit link function (logistic regression) while accounting for the country-level random effects, i.e., with the response variable as a logit transformation of DNS response state: 1 (manipulated) or 0 (not manipulated). With the inclusion of country effects, we account for observable and unobservable factors specific to queries executed within a country such as state-level filtering factors, which potentially influence DNS response manipulation. We describe the results in odds ratios, indicating the change in the odds of DNS queries getting manipulated. The modeling results are presented in Fig. 5 and discussed in detail in Sect. 3.6.
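The model described above, written out as an added formalization (the notation is mine, not the paper's): for query $i$ issued from country $j$, with manipulation indicator $y_{ij} \in \{0,1\}$ and covariate vector $\mathbf{x}_{ij}$,

$$\log\frac{\Pr(y_{ij}=1)}{1-\Pr(y_{ij}=1)} = \beta_0 + \boldsymbol{\beta}^{\top}\mathbf{x}_{ij} + u_j, \qquad u_j \sim \mathcal{N}(0,\sigma_u^2),$$

where $u_j$ is the country-level random intercept that absorbs the state-level factors. The odds ratio reported for covariate $k$ is $\exp(\beta_k)$: a one-unit change in $x_{ijk}$ multiplies the odds of manipulation by that factor, holding the other covariates and the country effect fixed.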
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Nosyk, Y. et al. (2023). Intercept and Inject: DNS Response Manipulation in the Wild. In: Brunstrom, A., Flores, M., Fiore, M. (eds) Passive and Active Measurement. PAM 2023. Lecture Notes in Computer Science, vol 13882. Springer, Cham. https://doi.org/10.1007/978-3-031-28486-1_19
DOI: https://doi.org/10.1007/978-3-031-28486-1_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-28485-4
Online ISBN: 978-3-031-28486-1
eBook Packages: Computer Science (R0)