Physics Events
[PAST EVENT] Shuai Hao, Computer Science - Ph.D. Dissertation Defense
Abstract
As one of the most critical components of the Internet, the Domain Name System (DNS) provides naming services for Internet users, who rely on DNS to perform the translation between the domain names and network entities before establishing an Internet connection. In this dissertation, we present our studies on different aspects of the naming infrastructure in today?s Internet, including DNS itself and the network services based on the naming infrastructure such as Content Delivery Networks (CDNs).
We first characterize the evolution and features of the DNS resolution in web services under the emergence of third-party hosting services and cloud platforms. At the bottom level of the DNS hierarchy, the authoritative DNS servers (ADNSes) maintain the actual mapping records and answer the DNS queries. The increasing use of upstream ADNS services (i.e., third-party ADNS-hosting services) and Infrastructure-as-a-Service (IaaS) clouds facilitates the deployment of web services, and has been fostering the evolution of the deployment of ADNS servers. To shed light on this trend, we conduct a large-scale measurement to investigate the ADNS deployment patterns of modern web services and examine the characteristics of different deployment styles, such as performance, life-cycle of servers, and availability. Furthermore, we specifically focus on the DNS deployment for subdomains hosted in IaaS clouds.
Then, we examine a pervasive misuse of DNS names and explore a straightforward solution to mitigate the performance penalty in DNS cache. DNS cache plays a critical role in domain name resolution, providing (1) high scalability at Root and Top-level-domain nameservers with reduced workloads and (2) low response latency to clients when the resource records of the queried domains are cached. However, the pervasive misuses of domain names, e.g., the domain names of ?one-time-use? pattern, have negative impact on the effectiveness of DNS caching as the cache has been filled with those entries that are highly unlikely to be retrieved. By leveraging the domain name based features that are explicitly available from a domain name itself, we propose simple policies for improving DNS cache performance and validate their efficacy using real traces.
Finally, we investigate the security implications of a fundamental vulnerability in DNS-based CDNs. The success of CDNs relies on the mapping system that leverages the dynamically generated DNS records to distribute a client?s request to a proximal server for achieving optimal content delivery. However, the mapping system is vulnerable to malicious hijacks, as it is very difficult to provide pre-computed DNSSEC signatures for dynamically generated records in CDNs. We illustrate that an adversary can deliberately tamper with the resolvers to hijack CDN?s redirection by injecting crafted but legitimate mappings between end-users and edge servers, while remaining undetectable by existing security practices, which can cause serious threats that nullify the benefits offered by CDNs, such as proximal access, load balancing, and DoS protection. We further demonstrate that DNSSEC is ineffective to address this problem, even with the newly adopted ECDSA that is capable of achieving live signing for dynamically generated DNS records. We then discuss countermeasures against this redirection hijacking.
Bio:
Shuai Hao is a Ph.D. candidate of Computer Science at William & Mary, working with Dr. Haining Wang as a visiting Ph.D. student in Department of Electrical and Computer Engineering at University of Delaware. His research interests lie in networking and security, including Internet topology, routing system and security, Internet serving infrastructure, web security and privacy, etc. He received his B.S. and Master degree in Computer Science from North China Electric Power University and Beijing University of Posts and Telecommunications, respectively.