Naming and security in a mobile, multihomed and multiple interfaces environement

Migault, Daniel

26 September 2012

ISPs are concerned about providing and maintaining the level of security of its End User's communications. A communication is initiated by the End User with a name, and goes on by exchanging packets between two IP addresses. In this thesis, we focused our attention on two main points: (1) providing a secure Naming service, and (2) making IPsec communication resilient to IP address modification, addition or lost of an interface. We designed MOBIKE-X for that purpose and propose it as a standard at the IETF

[INFO:INFO_OH] Computer Science/Other

[INFO:INFO_OH] Informatique/Autre

DNS

DNSSEC

IPsec

Mobility

Multiple interfaces

DHT

Laboratorní scénáře popisující systém DNS / Laboratory scenarios describing DNS system

Sakala, Peter

January 2018

The master’s thesis deals with Domain Name System (DNS) and its practical use. It describes hierarchy of domain names, resource record types, protocol used, as well as DNSSEC extension. The most utilized implementations of authoritative and recursive DNS servers are presented. Virtualization, containers and other tools with potential use in labs are described. Two lab scenarios in virtualized environment with instructions for students were designed and developed in this thesis.

A new Internet Naming System

Pfeifer, Gert

21 September 2009

In this thesis I describe my research activities and results of the last 4 years. I also provide an outlook and guidelines on how to proceed with our project, that we named SEDNS - Security-Enhanced Domain Name System. This project’s ambitions are to complement DNS, the Domain Name System, in a way that allows us to keep using it in the future. The main reason for this strategy is, that it has proven to be difficult to change any part of the Internet infrastructure, such as parts of the protocols stack or well established Internet authorities, like ICANN or IANA. The main problems of DNS are twofold. (1) The DNS protocol does not contain any measures to prevent data from being tampered with. (2) Furthermore, it is difficult to configure DNS correctly since most of the configuration is done within the DNS data itself, e.g., delegating authority. It is well known that DNS problems lead to reduced availability of Internet-based services in many different ways. In this thesis, I present four main results. All of them contribute to improvements and deeper understanding of DNS’ dependability issues. First, I discuss, how well established cryptographic tools can be used to enhance DNS’ security without getting into the same problems that prevent DNSSEC from being globally deployed. These problems are explained as well. This is an important topic for the Internet and DNS community, since at the moment most of the protocol improvements are connected to DNSSEC. Second, I thoroughly discuss the technique that was used in the recent years to overcome any problems related to client-server architectures, i.e., peer-to-peer systems. Such solutions have been proposed to improve DNS’ availability and reduce configuration effort. I show, that those systems do not keep up with the expectations, neither as client side tools nor as server infrastructure replacement. To reach this conclusion, a novel DHT scheme has been developed. The evaluation of it is shown as well. Third, results of our DNS data mining show that it is useful to improve the quality of DNS data and therefore, to protect clients from malicious or erroneous information. And fourth, an outlook is presented, which combines all the results of the first three points to suggest an architecture that indeed can improve our supply with DNS data, omitting the shortcomings of the classical client-server-architecture and its peer-to-peer replacements. Note, that although the development of future DNS standards and protocols is subject to political struggle, e.g., on whether or not an international organization should maintain the root zone instead of the USA, this thesis focuses only on technical aspects. / In dieser Dissertation beschreibe ich meine Forschungsaktivitäten und Ergebnisse der letzten 4 Jahre. Ich gebe auch einen Ausblick und Hinweise, wie unser Project, das wir SEDNS - Security-Enhanced Domain Name System genannt haben, fortgesetzt werden sollte. Die Ambitionen dieses Projektes sind, DNS, das Domain Name System, zu in einer Art und Weise zu erweitern, die es uns erlauben soll, dieses System auch in der Zukunft weiter zu benutzen. Der Hauptgrund für diese Strategie ist, dass es sich in der Vergangenheit als schwierig erwiesen hat, Teile der Internet-Infrastruktur, wie zum Beispiel Teile des Protokollstapels oder gut etablierte Internet-Behörden wie ICANN oder IANA, zu ändern bzw. auszutauschen. Daher wollen wir nicht versuchen, DNS komplett zu ersetzen. DNS hat zwei Hauptprobleme: (1) Das DNS Protokoll bietet keinerlei Möglichkeiten, Daten vor Verfälschung zu schützen, und (2) es ist schwierig, DNS korrekt zu konfigurieren, weil ein Großteil der Konfiguration direkt innerhalb der DNS Daten selbst stattfindet, wie zum Beispiel die Delegation von Verantwortungsbereichen, und diese oft nicht global konsistent und korrekt sind. Diese Probleme sind umso bedeutender, weil es allgemein bekannt ist, dass DNS Probleme auf verschiedene Art und Weisen zu reduzierter Verfügbarkeit von wichtigen Internet-basierten Diensten führen. In dieser Arbeit präsentiere ich vier Hauptergebnisse. Zuerst diskutiere ich, wie gut etablierte kryptographische Werkzeuge benutzt werden können um die Sicherheit von DNS zu verbessern, ohne dabei auf dieselben Probleme zu stoßen, die DNSSEC davon abhalten, weltweit benutzt zu werden. Diese Probleme werden dabei erläutert. Es handelt sich dabei um ein wichtiges Thema für die Internet- und DNS-Community, weil im Moment die meisten Weiterentwicklungen des DNS Protokolls mit DNSSEC zusammenhängen. Als zweites diskutiere ich im Detail die Technik, die in den vergangenen Jahren benutzt wurde um Probleme beliebiger Client-Server Anwendungen zu überwinden: Peer-to-Peer Systeme. Derartige Lösungen wurden vorgeschlagen, um DNS' Verfügbarkeit zu verbessern und Konfigurationsaufwand zu reduzieren. Ich zeige allerdings, dass solche Lösungen nicht die in sie gesetzten Erwartungen erfüllen, weder als Client-seitige Tools noch als Ersatz für die Server-Infrastruktur. Um diesen Schluss zu ziehen, wurde ein neues, auf die Bedürfnisse von DNS zugeschnittenes DHT Schema entwickelt und evaluiert im Vergleich zu DNS und existierenden Systemen. Als drittes werden DNS Data Mining Ergebnisse präsentiert, die zeigen, wie sinnvoll es ist, die Qualität der DNS Daten zu verbessern, und somit Clients vor bösartigen oder fehlerhaften Informationen zu schützen. Als viertes wird ein Ausblick präsentiert, der die Ergebnisse der vorherigen drei Punkte kombiniert und eine Architektur vorschlägt, die unsere Versorgung mit DNS Daten tatsächlich verbessern kann und die Nachteile der klassischen Client-Server-Architektur und ihrer Peer-to-Peer Nachfolger vermeidet. Zu beachten ist, dass obwohl die Entwicklung zukünftiger DNS Standards und Protokolle Gegenstand politischer Konflikte ist, z.B. darüber ob anstelle der USA eine internationale Organisation die Root-Zone verwalten sollte, diese Arbeit nur auf die technischen Aspekte ausgerichtet ist.

info:eu-repo/classification/ddc/004

ddc:004

DNS, Peer-to-Peer, Internet, Map-Reduce

Web site security maturity of the European Union and its member states : A survey study on the compliance with best practices of DNSSEC, HSTS, HTTPS, TLS-version, and certificate validation types

Rapp, Axel

January 2021

With e-governance steadily growing, citizen-to-state communication via Web sites is as well, placing enormous trust in the protocols designed to handle this communication in a secure manner. Since breaching any of the protocols enabling Web site communication could yield benefits to a malicious attacker and bring harm to end-users, the battle between hackers and information security professionals is ongoing and never-ending. This phenomenon is the main reason why it is of importance to adhere to the latest best practices established by specialized independent organizations. Best practice compliance is important for any organization, but maybe most of all for our governing authorities, which we should hold to the highest standard possible due to the nature of their societal responsibility to protect the public. This report aims to, by conducting a quantitative survey, study the Web sites of the governments and government agencies of the member states of the European Union, as well as Web sites controlled by the European Union to assess to what degree their domains comply with the current best practices of DNSSEC, HSTS, HTTPS, SSL/TLS, and certificate validation types. The findings presented in this paper show that there are significant differences in compliance level between the different parameters measured, where HTTPS best practice deployment was the highest (96%) and HSTS best practice deployment was the lowest (3%). Further, when comparing the average best practice compliance by country, Denmark and the Netherlands performed the best, while Cyprus had the lowest average.

Web site security

information security

e-governance

best practice

DNSSEC

HSTS

HTTPS

SSL

TLS

certificate validation

Information Systems, Social aspects

The Status Of Web Security In Sweden

Alkhateeb, Firas

January 2022

Getting incorrect website content has increased in recent years, which is a reflection of the web security status on the Internet. However, when It comes to government and other professional organisations websites, they should have the best security requirements and follow security recommendations. This research will study websites located in the SE zone. The total number of investigated websites is 1166. The testing process was done in two ways. The firstway is a Dutch test website tool called Internet.nl. The second is using a tool developed as part of the research. The investigation focuses on Swedish websites and nine security extensions. These extensions prevent Man in the middle attack(MITM), downgrade attacks, Cross-Site Scripting (XSS), Click-jacking, and ensure that the correct information is obtained when a client requests a website. The paper evaluated the security between 2014 and 2022. What are the types of security taken and which sector has the best security awareness. The using of security headers had increased in 2022, the total use of tested security standards in the SE zone is around 50%, and banks have the best security awareness.

DNSsec

HTTPS

HSTS

X-Frame

X-Content-Type-Options

Content-Security-Policy (CSP)

Referrer-Policy

Digital certificate (X.509)

Computer Sciences

Datavetenskap (datalogi)

Online validace záznamů DNSSEC / Online DNSSEC Records Validation

Bachtík, Martin

January 2011

Master's Thesis is studying an extension that secures the domain name system by introducing the verifiability of authenticity of data, known as DNSSEC. Productive output is proposal of application and its subsequent implementation that at each stage of browse the namespace to the selected domain name checks the appropriatenesses of this extension and in detail reports the trusted chain.