D-TS: A Secure and Trusted Authentication Framework for Domain Name Server

Автор: Usman Aijaz N, Syed Mustafa, Mohammed Misbahuddin

Журнал: International Journal of Wireless and Microwave Technologies @ijwmt

Статья в выпуске: 6 Vol.11, 2021 года.

Бесплатный доступ

DNS is responsible for the hostname to IP address translation. It is an open resolver that's why vulnerable to different kinds of attacks such as cache poisoning, man-in-the-middle, DOS and DDOS, etc. DNS is responsible for the hostname to IP address translation. To protect DNS IETF added a layer of security to it known as Domain Name System Security Extensions (DNSSEC). DNSSEC is also vulnerable to phishing, spoofing, and MITM attacks. To protect DNS, along with DNSSEC we require certifying authorities to authenticate the communicating parties. DNSSEC combined with an SSL certificate issued by Certifying Authorities (CA's) can protect the DNS from various attacks. The main weakness of this system is there are too many CA's and It is not feasible to trust all of them. Any breached CA can issue a certificate for any domain name. A certificate issued from a compromised CA's is valid. In this scenario, it is necessary for the organization to limit the number of CAs and to check whether the server is signed by a trusted CA's or not. DNS Based Authentication of Named Entities (DANE) permits a domain possessor to stipulate specific CA's issue certificates for a specific resource. DANE will not allow any CA to issue certificates for any domain. It limits the number of CA's used by the client. As there were still some security issues left in it that can be resolved using a mechanism called D-TS. It is a DANE-based trusted server that acts as a third party and validates the certificates of all the entities of the network. D-TS will be a proof-of-concept for enhancing the security in communications between Internet applications by using information available in DNS. The system attempts to solve the shortcomings of DANE by establishing a trust zone between the clients and the services. By adding multiple levels of validations, it aims to provide improved authenticity of services to clients, thereby mitigating attacks like phishing, Spoofing, Dos, and man-in-the-middle attack. In this paper, we will discuss the detailed working of our proposed solution D-TS.

Еще

Certifying Authority (CA), DNS, DNSSEC, DANE, D-TS

Короткий адрес: https://sciup.org/15018251

IDR: 15018251   |   DOI: 10.5815/ijwmt.2021.06.04

Список литературы D-TS: A Secure and Trusted Authentication Framework for Domain Name Server

  • "Data Science and Security", Springer Science and Business Media LLC, 2021
  • https://www.inetdaemon.com/tutorials/internet/dns/operation/hierarchy.shtml
  • "17th International Conference on Information Technology–New Generations (ITNG 2020)", Springer Science and Business Media LLC, 2020.
  • Đorđe Antić, Mladen Veinović. "Upgrading and Securing External Domain Space in the City of Niš Administration Infrastructure", Proceedings of the International Scientific Conference - Sinteza 2016
  • Daniel M. Hein, Ronald Toegl, Stefan Kraxberger. "An autonomous attestation token to secure mobile agents in disaster response", Security and Communication Networks, 2010
  • Zhenhua Li, Charles A. Kamhoua, Laurent L. Njilla, DaeHun Nyang. "Look-Aside at Your Own Risk: Privacy Implications of DNSSEC LookAside Validation", IEEE Transactions on Dependable and Secure Computing, 2020
  • https://www.varonis.com/blog/what-is-saml/#:~:text=SAML%20works%20by%20passing%20 information, attempts%20to%20access%20those%20services.
  • Sanjay, Balaji Rajendran, and Pushparaj Shetty Domain Name System (DNS) Security: Attacks Identification and Protection Methods Int'l Conf. Security and Management | SAM'18.
  • C. Aishwarya, Raghuram M A, Sachin Hosmani, M.S. Sannidhan, Balaji Rajendran, K.Chandrasekaran, Bindhumadhava. "DANE: An inbuilt security extension",International Conference on Green Computing and Internet of Things (ICGCIoT), 2015.
  • Jeremy Clark and Paul C. van Oorschot SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements 2013 IEEE Symposium on Security and Privacy
  • Amir Herzberg, Haya Shulman, DNSSEC: Security and availability challenge 2013 IEEE Conference on Communications and Network Security (CNS).
  • L. S. Huang, A. Rice, E. Ellingsen, and C. Jackson, "Analyzing Forged SSL Certificates in the Wild," 2014 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 2014, pp. 83-97, DOI: 10.1109/SP.2014.13.
  • N. Usman Aijaz, Mohammed Misbahuddin, Syed Raziuddin. "Chapter 9 Survey on DNS Specific Security Issues and Solution Approaches", Springer Science and Business Media LLC, 2021
  • Sanjay, Balaji Rajendran, and Pushparaj Shetty Domain Name System (DNS) Security: Attacks Identification and Protection Methods Int'l Conf. Security and Management | SAM'18
  • Hariharan. M, Abhishek H. K, B. G. Prasad, "DDoS Attack Detection Using C5.0 Machine Learning Algorithm", International Journal of Wireless and Microwave Technologies(IJWMT), Vol.9, No.1, pp. 52-59, 2019.DOI: 10.5815/ijwmt.2019.01.06
  • Kaushik Sekaran, G.Raja Vikram, B.V. Chowdary, "Design of Effective Security Architecture for Mobile Cloud Computing to Prevent DDoS Attacks ", International Journal of Wireless and Microwave Technologies(IJWMT), Vol.9, No.1, pp. 43-51, 2019.DOI: 10.5815/ijwmt.2019.01.05
  • Manos Antonakakis, Roberto Perdisci, Wenke Lee and David Dagon, Detecting malware domains at the upper DNS hierarchy, August-2011, 27-27
  • Ramzi Bassil, Roula Hobeica and Wassim Itani, Security analysis and solution for thwarting cache poisoning attacks in the domain name system, IEEE -2012, Electronic ISBN: 978-1-4673- 0747-5, Print ISBN: 978-1-4673-0745-1, Online ISBN: 978-1-4673-0746-8, DOI: 10.1109/ICTEL.2012.6221233.
  • Muhammad Yasir Arafat, Muhammad Morshed Alam, and Feroz Ahmed, A Realistic Approach and Mitigation Techniques for Amplifying DDOS Attack on DNS, Proceedings of 10th Global Engineering, Science and Technology Conference 2-3 January 2015, BIAM Foundation, Dhaka, Bangladesh, ISBN: 978-1-922069-69-6.
  • Liang Zhu, Zi Hu and John Heidemann, Connection-Oriented DNS to Improve Privacy and Security, IEEE-2015, DOI: 10.1109/SP.2015.18.
  • Jonathan Trostle, Bill Van Besien and Ashish Pujari Protecting against DNS cache poisoning attacks, IEEE-2010, DOI: 10.1109/NPSEC.2010.5634454.
  • Hosni Rafiee and Christoph Meinel, A Secure, Flexible Framework for DNS Authentication in IPv6 Autoconfiguration, IEEE-2013, DOI: 10.1109/NCA.2013.37.
  • Caiyun Huang, Peng Zhang, Junpeng Liu, Yong Sun, Xueqiang Zou, SFCSD: A Self-Feedback Correction System for DNS Based on Active and Passive Measurement, arXiv: 1704.06569 [cs.NI].
Еще
Статья научная