Investigation of security of the DNS and machine learning methods for network security
Date
2024
Publisher
University of Delaware
Abstract
DNS is one of the oldest and most important protocols developed by the internet community to support the World Wide Web and access to critical services such as web browsing, email, VPN (Virtual Private Network), IoT applications and instant messaging. Due to its ubiquitous presence and fast transport, it is one of the trusted protocols and is mostly allowed through middleboxes (firewalls, access control lists) on the internet. Consequently, over time, DNS has been used in a variety of ways, including malicious ways by adversaries pursuing different attack motives. Due to the inherent security and privacy flaws in DNS, several new protocol technologies have been designed to patch its holes. With every new patch, new complexities and vulnerabilities are introduced. One of these techniques, which has been around for over a decade, is DNSSEC (DNS Security protocol). It is important to evaluate the shortcomings and risks that the new technology stack introduces.

This dissertation studies the security of the DNS protocol stack and one of its variants, DNSSEC, from a few different aspects. We start with a brief history of DNS, how it works and the basic security concepts of DNS in chapters 1 and 2. Chapter 3 provides insights into the 'off-label' use of DNS, showing another legitimate vector of information leakage (legitimate applications that an organization has whitelisted), devises two novel techniques to extract those insights from network traffic, and shows how analysts can leverage them to detect malware trends in the network, with some real-world use cases. In chapter 4, we investigate encrypted traffic to understand the unique patterns that can be used to deduce the use of DNS over HTTPS (DoH) within normal traffic. The work uses machine learning and statistical analysis of encrypted traffic to classify DoH traffic.
Chapter 5 discusses the research work contributed towards the development of DNSSEC protocol parsing support and the analysis of "weird" DNSSEC use cases in Zeek, one of the most popular open-source NSM/NDR (Network Security Monitoring / Network Detection and Response) solutions. The contribution was made open-source and is utilized by 10,000+ [160] Zeek deployments worldwide, including Lawrence Berkeley National Laboratory, the University of Delaware and the University of Pennsylvania. Finally, chapter 6 explores the critical leakage of private DNS information caused by one of the known flaws in DNSSEC, called zone-walking. It provides a new approach, Zone-Hopping, that closes this information leakage while keeping the integrity of the DNS/DNSSEC protocol intact. In chapters 9 and 10 we present research on anomaly detection on the Wide Area Network using unsupervised learning, and a machine-learning-based analysis of the COVID-19 pandemic's impact on US research networks, as an extension of the network traffic analysis done for the DNS research. We present pointers to opportunities for further enhancing the security and privacy of DNS in the Future Work section, and the overall conclusion of each part is presented in chapters 7 and 11.
Keywords
Zone-Hopping, Machine learning, World Wide Web, Network Security Monitoring