Intercept and Inject: DNS Response Manipulation in the Wild

Yevheniya Nosyk; Qasim Lone; Yury Zhauniarovich; Carlos H. Gañán; Emile Aben; Giovane C.M. Moura; Samaneh Tajalizadehkhoob; Andrzej Duda; Maciej Korczyński

doi:10.1007/978-3-031-28486-1_19

Intercept and Inject: DNS Response Manipulation in the Wild

Yevheniya Nosyk^*, Qasim Lone, Yury Zhauniarovich, Carlos H. Gañán, Emile Aben, Giovane C.M. Moura, Samaneh Tajalizadehkhoob, Andrzej Duda, Maciej Korczyński

^*Corresponding author for this work

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

597 Downloads (Pure)

Abstract

DNS is a protocol responsible for translating human-readable domain names into IP addresses. Despite being essential for many Internet services to work properly, it is inherently vulnerable to manipulation. In November 2021, users from Mexico received bogus DNS responses when resolving whatsapp.net. It appeared that a BGP route leak diverged DNS queries to the local instance of the k-root located in China. Those queries, in turn, encountered middleboxes that injected fake DNS responses. In this paper, we analyze that event from the RIPE Atlas point of view and observe that its impact was more significant than initially thought—the Chinese root server instance was reachable from at least 15 countries several months before being reported. We then launch a nine-month longitudinal measurement campaign using RIPE Atlas probes and locate 11 probes outside China reaching the same instance, although this time over IPv6. More broadly, motivated by the November 2021 event, we study the extent of DNS response injection when contacting root servers. While only less than 1% of queries are impacted, they originate from 7% of RIPE Atlas probes in 66 countries. We conclude by discussing several countermeasures that limit the probability of DNS manipulation.

Original language	English
Title of host publication	Passive and Active Measurement - 24th International Conference, PAM 2023, Proceedings
Editors	Anna Brunstrom, Marcel Flores, Marco Fiore
Publisher	Springer
Pages	461-478
Number of pages	18
ISBN (Print)	9783031284854
DOIs	https://doi.org/10.1007/978-3-031-28486-1_19
Publication status	Published - 2023
Event	24th International Conference on Passive and Active Measurement, PAM 2023 - Virtual, Online Duration: 21 Mar 2023 → 23 Mar 2023

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13882 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	24th International Conference on Passive and Active Measurement, PAM 2023
City	Virtual, Online
Period	21/03/23 → 23/03/23

Keywords

BGP route leaks
DNS
DNS censorship
DNS manipulation
Root servers

Access to Document

10.1007/978-3-031-28486-1_19

978-3-031-28486-1_19Final published version, 378 KB

Cite this

Nosyk, Y., Lone, Q., Zhauniarovich, Y., Gañán, C. H., Aben, E., Moura, G. C. M., Tajalizadehkhoob, S., Duda, A., & Korczyński, M. (2023). Intercept and Inject: DNS Response Manipulation in the Wild. In A. Brunstrom, M. Flores, & M. Fiore (Eds.), Passive and Active Measurement - 24th International Conference, PAM 2023, Proceedings (pp. 461-478). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13882 LNCS). Springer. https://doi.org/10.1007/978-3-031-28486-1_19

Nosyk, Yevheniya ; Lone, Qasim ; Zhauniarovich, Yury et al. / Intercept and Inject : DNS Response Manipulation in the Wild. Passive and Active Measurement - 24th International Conference, PAM 2023, Proceedings. editor / Anna Brunstrom ; Marcel Flores ; Marco Fiore. Springer, 2023. pp. 461-478 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{be654e40f3694808a304a422e3861d2b,

title = "Intercept and Inject: DNS Response Manipulation in the Wild",

abstract = "DNS is a protocol responsible for translating human-readable domain names into IP addresses. Despite being essential for many Internet services to work properly, it is inherently vulnerable to manipulation. In November 2021, users from Mexico received bogus DNS responses when resolving whatsapp.net. It appeared that a BGP route leak diverged DNS queries to the local instance of the k-root located in China. Those queries, in turn, encountered middleboxes that injected fake DNS responses. In this paper, we analyze that event from the RIPE Atlas point of view and observe that its impact was more significant than initially thought—the Chinese root server instance was reachable from at least 15 countries several months before being reported. We then launch a nine-month longitudinal measurement campaign using RIPE Atlas probes and locate 11 probes outside China reaching the same instance, although this time over IPv6. More broadly, motivated by the November 2021 event, we study the extent of DNS response injection when contacting root servers. While only less than 1% of queries are impacted, they originate from 7% of RIPE Atlas probes in 66 countries. We conclude by discussing several countermeasures that limit the probability of DNS manipulation.",

keywords = "BGP route leaks, DNS, DNS censorship, DNS manipulation, Root servers",

author = "Yevheniya Nosyk and Qasim Lone and Yury Zhauniarovich and Ga{\~n}{\'a}n, {Carlos H.} and Emile Aben and Moura, {Giovane C.M.} and Samaneh Tajalizadehkhoob and Andrzej Duda and Maciej Korczy{\'n}ski",

year = "2023",

doi = "10.1007/978-3-031-28486-1_19",

language = "English",

isbn = "9783031284854",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "461--478",

editor = "Anna Brunstrom and Marcel Flores and Marco Fiore",

booktitle = "Passive and Active Measurement - 24th International Conference, PAM 2023, Proceedings",

note = "24th International Conference on Passive and Active Measurement, PAM 2023 ; Conference date: 21-03-2023 Through 23-03-2023",

}

Nosyk, Y, Lone, Q, Zhauniarovich, Y , Gañán, CH, Aben, E, Moura, GCM, Tajalizadehkhoob, S, Duda, A & Korczyński, M 2023, Intercept and Inject: DNS Response Manipulation in the Wild. in A Brunstrom, M Flores & M Fiore (eds), Passive and Active Measurement - 24th International Conference, PAM 2023, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13882 LNCS, Springer, pp. 461-478, 24th International Conference on Passive and Active Measurement, PAM 2023, Virtual, Online, 21/03/23. https://doi.org/10.1007/978-3-031-28486-1_19

Intercept and Inject: DNS Response Manipulation in the Wild. / Nosyk, Yevheniya; Lone, Qasim; Zhauniarovich, Yury et al.
Passive and Active Measurement - 24th International Conference, PAM 2023, Proceedings. ed. / Anna Brunstrom; Marcel Flores; Marco Fiore. Springer, 2023. p. 461-478 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13882 LNCS).

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Intercept and Inject

T2 - 24th International Conference on Passive and Active Measurement, PAM 2023

AU - Nosyk, Yevheniya

AU - Lone, Qasim

AU - Zhauniarovich, Yury

AU - Gañán, Carlos H.

AU - Aben, Emile

AU - Moura, Giovane C.M.

AU - Tajalizadehkhoob, Samaneh

AU - Duda, Andrzej

AU - Korczyński, Maciej

PY - 2023

Y1 - 2023

N2 - DNS is a protocol responsible for translating human-readable domain names into IP addresses. Despite being essential for many Internet services to work properly, it is inherently vulnerable to manipulation. In November 2021, users from Mexico received bogus DNS responses when resolving whatsapp.net. It appeared that a BGP route leak diverged DNS queries to the local instance of the k-root located in China. Those queries, in turn, encountered middleboxes that injected fake DNS responses. In this paper, we analyze that event from the RIPE Atlas point of view and observe that its impact was more significant than initially thought—the Chinese root server instance was reachable from at least 15 countries several months before being reported. We then launch a nine-month longitudinal measurement campaign using RIPE Atlas probes and locate 11 probes outside China reaching the same instance, although this time over IPv6. More broadly, motivated by the November 2021 event, we study the extent of DNS response injection when contacting root servers. While only less than 1% of queries are impacted, they originate from 7% of RIPE Atlas probes in 66 countries. We conclude by discussing several countermeasures that limit the probability of DNS manipulation.

AB - DNS is a protocol responsible for translating human-readable domain names into IP addresses. Despite being essential for many Internet services to work properly, it is inherently vulnerable to manipulation. In November 2021, users from Mexico received bogus DNS responses when resolving whatsapp.net. It appeared that a BGP route leak diverged DNS queries to the local instance of the k-root located in China. Those queries, in turn, encountered middleboxes that injected fake DNS responses. In this paper, we analyze that event from the RIPE Atlas point of view and observe that its impact was more significant than initially thought—the Chinese root server instance was reachable from at least 15 countries several months before being reported. We then launch a nine-month longitudinal measurement campaign using RIPE Atlas probes and locate 11 probes outside China reaching the same instance, although this time over IPv6. More broadly, motivated by the November 2021 event, we study the extent of DNS response injection when contacting root servers. While only less than 1% of queries are impacted, they originate from 7% of RIPE Atlas probes in 66 countries. We conclude by discussing several countermeasures that limit the probability of DNS manipulation.

KW - BGP route leaks

KW - DNS

KW - DNS censorship

KW - DNS manipulation

KW - Root servers

UR - http://www.scopus.com/inward/record.url?scp=85151050488&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-28486-1_19

DO - 10.1007/978-3-031-28486-1_19

M3 - Conference contribution

AN - SCOPUS:85151050488

SN - 9783031284854

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 461

EP - 478

BT - Passive and Active Measurement - 24th International Conference, PAM 2023, Proceedings

A2 - Brunstrom, Anna

A2 - Flores, Marcel

A2 - Fiore, Marco

PB - Springer

Y2 - 21 March 2023 through 23 March 2023

ER -

Nosyk Y, Lone Q, Zhauniarovich Y , Gañán CH, Aben E, Moura GCM et al. Intercept and Inject: DNS Response Manipulation in the Wild. In Brunstrom A, Flores M, Fiore M, editors, Passive and Active Measurement - 24th International Conference, PAM 2023, Proceedings. Springer. 2023. p. 461-478. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-28486-1_19

Intercept and Inject: DNS Response Manipulation in the Wild

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cybersecurity (TPM)

Cite this

Intercept and Inject: DNS Response Manipulation in the Wild

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Projects

Cybersecurity (TPM)

Cite this