
opendns  Date: 2021-05-20
Hold-On: Protecting Against On-Path DNS Poisoning

Haixin Duan, Nicholas Weaver, Zongxu Zhao, Meng Hu, Jinjin Liang, Jian Jiang, Kang Li and Vern Paxson§

Tsinghua University, Beijing, CN, duanhx@tsinghua.edu.cn
International Computer Science Institute, Berkeley, CA, USA
University of Georgia, Athens, GA, USA
§University of California, Berkeley, CA, USA
University of California San Diego, CA, USA

Abstract—Several attacks on DNS inject forged DNS replies without suppressing the legitimate replies. Current implementations of DNS resolvers are vulnerable to accepting the injected replies if the attacker's reply arrives before the legitimate one. In the case of regular DNS, this behavior allows an attacker to corrupt a victim's interpretation of a name; for DNSSEC-protected names, it enables denial-of-service. We argue that the resolver should wait after receiving an initial reply for a "Hold-On" period to allow a subsequent legitimate reply to also arrive. We evaluate the feasibility of such an approach and discuss our implementation of a prototype stub resolver/forwarder that validates DNS replies using Hold-On. By validating the IP TTL and the timing of the replies, we show that the resolver can identify DNS packets injected by a nation-state censorship system, and that it functions without perceptible performance decrease for undisrupted lookups.

I. INTRODUCTION

The Domain Name System (DNS) provides a critical network service, and faces a variety of attacks ranging from blind packet injection to active man-in-the-middle attacks. One attack of concern regards DNS poisoning based on packet injection, where an attacker who can observe and inject traffic inserts fake replies to queries. Several types of adversaries can employ such attacks, including attackers using systems on shared WiFi networks, ISPs seeking to impose content-based usage policies, and government censorship [1].

One particular design choice of DNS makes these attacks easy. The DNS standard recommends that a DNS resolver returns an answer as soon as it receives a matching reply [2], in order to provide a reply as quickly as possible. In addition, even DNSSEC-validating resolvers likely will suffer a denial-of-service attack upon receipt of an injected reply: the non-validating response leads the resolver to return a response of "Bogus" [3] unless it continues to wait for a reply that properly validates.

We explore the opportunity of countering DNS injection attacks based on the observation that packet injection (rather than full man-in-the-middle attacks) cannot suppress the receipt of legitimate replies. Thus, if a resolver receives a reply sooner than expected, instead of returning the result immediately, it can wait for a "Hold-On" interval to see whether additional responses arrive.

The key questions for this approach are (1) to what degree such ambiguous replies occur in normal traffic, which will lead to Hold-On introducing different resolver behavior than occurs today, and (2) how much extra delay users encounter due to the use of Hold-On. Our evaluation shows that receiving two differing replies to the same question occurs only very rarely in normal traffic, which establishes that this condition allows for effective anomaly detection. We also present preliminary results suggesting that the extra delay imposed on users is quite minor.

We have implemented a DNS proxy that uses Hold-On and evaluate its effectiveness against a widely deployed network censorship tool. We find that our prototype can effectively filter out fake DNS replies, and does not appear to introduce any perceptible increase in delay.

II. OVERVIEW OF THE PROBLEM SPACE

A. Taxonomy of attacks

Attackers against DNS fall into three categories: off-path, on-path, and in-path.

An off-path adversary lacks the ability to observe DNS queries and responses. Such an attacker will generally employ some means to trigger specific DNS lookups, but must guess the transaction ID [4], [5] and any other entropy (such as the source port and 0x20 encoding [6]) in the request to forge a reply that the resolver will accept. Off-path adversaries generally generate numerous packets in hopes of matching the request. Additionally, because resolvers do not issue new queries for a name that is already cached, off-path adversaries have difficulty targeting stub resolvers, since stubs, unlike recursive resolvers, do not generally accept and promote glue entries (the behavior leveraged by [5]).

An on-path adversary has the ability to passively observe the actual lookups requested by a resolver. On-path adversaries can directly forge DNS replies that match the full set of criteria used by the resolver to validate answers (other than use of DNSSEC). As long as a forged reply arrives at the resolver before the legitimate one, the resolver will accept the injected answer and become poisoned.

Absent a denial-of-service attack on legitimate servers, both off-path and on-path adversaries lack the ability to suppress legitimate responses. Thus, both of these adversaries necessarily create an observable artifact: the victim, if it waits sufficiently long, will receive both the attacker's packet and the legitimate reply. (We employed a similar form of this anomaly to detect TCP reset injection attacks [7].) Only an in-path adversary, capable of blocking and modifying packets, can prevent the legitimate reply from reaching the victim.

Although in-path approaches have more power, on-path approaches have several advantages, making their use appealing for attackers. Censorship tools commonly use on-path rather than in-path techniques to ease deployment and to make the system failure and load tolerant, as the censorship system can then operate on a traffic mirror rather than the live traffic (footnote 1). Similarly, on-path WiFi packet injection works without modifying drivers, but suppressing legitimate replies requires hardware-specific access to the low-level air interface to detect and squelch a broadcast in flight.

B. Vulnerability of current implementations

Systems that implement the DNS standard [2], [8] are vulnerable to on-path spoofing, despite the presence of the later legitimate reply, because the resolver attempts to "get the answer as quickly as possible" [2]. Upon receiving a reply, the resolver checks the ID field in the header and then will "verify that the question section corresponds to the information currently desired" [8]. Clearly, these steps do not provide sufficient diligence, as the design goal of quickly returning an answer causes the resolver to return the attacker's value.

DNSSEC adds cryptographic authentication to prevent the acceptance of invalid DNS replies [9], [10], [3]. Although attackers cannot redirect victims using spoofed replies, they can still perform a denial-of-service attack, which will often suffice to satisfy a censor's objective. DoS occurs because the resolver will attempt to process the attacker's packet, determine that the DNSSEC signature is absent or invalid, and immediately return "Bogus", depriving the client of the ability to connect to the host corresponding to the name. Because of this behavior, DNSSEC does not suffice as a replacement for a mechanism such as Hold-On: resolvers need to maintain an open port for a period of time in order to attempt to validate all responses received for a query, not just the first.

C. Other related work

DNS has a long history of poisoning attacks [4], [5], [11], [12]. Besides those mentioned above, several previous efforts counter DNS poisoning attacks by increasing the difficulty of blindly injecting DNS answers [13], [14], [6], [15]. These efforts focus on deterring off-path injection by increasing the information entropy required to match a valid DNS reply. Our work, however, addresses the threat from attackers that can observe queries, which allows them to circumvent these previous defenses.

Poisoning attacks based on on-path injection are not limited to DNS. Malicious injections, such as TCP RST and ICMP unreachable messages, have been used in both individual attacks [7] and ISP-scale censorship [16], [17]. Similar to DNS poisoning, traffic sent from the remote peer of the legitimate communication will still arrive at the victim after these malicious injections. Therefore, the use of Hold-On mechanisms similar to those explored here will likely have applicability to deter these malicious injections as well.

Footnote 1: TCP traffic control tools also have used this vantage point. For example, Comcast deployed Sandvine's Policy Traffic Switch devices to disrupt BitTorrent traffic in an on-path configuration [7], even though the devices themselves supported in-path operation.

III. HOLD-ON AND DILIGENT VALIDATION

As a consequence of the inability of on-path attackers to suppress legitimate replies, we investigate the benefits of stub resolvers or forwarders waiting for a "Hold-On" period to allow subsequent legitimate replies to arrive. Part of this procedure entails validating replies with more diligence when a resolver receives two or more replies for the same question. This improvement effectively protects against DNS injections in the case of non-disruptive attacks, where the attacker lacks the ability to block either the resolver's request or the authority's response.

A. Assumptions

We predicate our approach on the following assumptions, which we view as reasonable based on our experience with censorship activity that employs on-path injectors:

(1) The user under attack or censorship is able to access a trustworthy recursive resolver outside of the attacked or censored networks, such as Google Public DNS [18] and OpenDNS [19], which they frequently use. In particular, in the censorship case, we assume that the censor does not block access to this resolver, which we argue is a plausible assumption given the large number (158,364 in January 2012) of known open resolvers [20].

(2) The attacker/censor injects fake responses according to a blacklist rather than a whitelist. That is, the user knows some non-sensitive domain names that can be used to measure normal (non-interfered by the attacker) communication between the client (stub resolver) and the DNS server (recursive resolver).

(3) The attacker injects fake replies as quickly as possible in order to ensure that the replies arrive earlier than the legitimate ones. Hence, the injection mechanism will transmit immediately upon seeing the client's request. The mechanism cannot wait for the arrival of the legitimate reply from the server because by doing so, the injection may arrive after it, and fail to work.

(4) The attacker cannot construct a properly signed DNSSEC response.

Based on these assumptions, the stub resolver can estimate when it expects legitimate replies to arrive, in order to discern between injected replies and correct ones.

B. Hold-On and Validation

The stub resolver or forwarder needs to first learn the expected RTT and hop-count distance (in terms of expected TTL) associated with communication involving its remote recursive resolver, which it does using active measurement. (Recall that we presume the remote resolver lies outside of the censored network.) Upon start-up, the resolver issues a series of non-sensitive queries to measure the initial RTT and TTL seen on arriving replies for entries cached at the remote resolver by repeatedly querying for the same name. During this period, the resolver maintains an open port for an additional period to validate that an on-path adversary has not tampered with these initial measurements by injecting replies. During normal operation, the stub resolver also continually updates these values based on passive measurements of its ongoing traffic.

Fig. 1. Hold-On while waiting for a legitimate DNS reply.

Given estimates of the legitimate RTT and TTL, the resolver works as shown in Figure 1:

(1) After issuing a DNS query, the resolver starts its Hold-On timer. A natural setting for the timer would be 15 seconds, as this reflects the default timeout value for both the BIND resolver [21, p. 108] and Microsoft Windows [22]. Naturally, in most cases the resolver will return much sooner, unless the remote resolver is unreachable.

(2) When the resolver expects a DNSSEC-protected response, for each reply it performs a local signature validation. It returns to the client the first fully validated reply. If it finds all replies as either Insecure, Bogus, or Indeterminate [3, p. 20], and the Hold-On timer expires, the resolver returns a DNSSEC error.

(3) Without DNSSEC, upon receiving a reply before the Hold-On timer expires, the resolver performs two additional validations:

Timing. Does the reply arrive too early? The test we use here is for replies that arrive sooner than half of the expected (measurement-derived) RTT. We note that the resolver could also determine this threshold more precisely by measuring known injections in the resolver's actual environment by generating queries for censored names to non-existent resolvers.

TTL. Does the TTL field in the IP header have the expected value(s)? We assume that the route between the remote DNS server and the client is stable in at least short periods (such as 5 minutes), so we can get and update the expected TTLs by periodical measurement.

Upon observing either of the above mismatches, the resolver ignores the response and continues to wait. If on the other hand a reply arrives before the Hold-On time expires and validates based on the above tests, the resolver accepts the new reply and returns it to the client.

If the stub resolver receives no valid reply before the Hold-On timer expires, it returns the latest non-validating reply it observed. Doing so means that in the presence of significantly changed network conditions, users experience delay, but not inadvertent blocking of their access.

In most cases, the resolver will not wait until the Hold-On timer times out; it will stop waiting upon receipt of a legitimate response. Thus, generally this approach will not cause extra delay, except in the case that network conditions have changed such that legitimate replies now return sooner and without DNSSEC protection.
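
The non-DNSSEC path of the procedure above, written out as an added Python example (not the authors' prototype). The Reply type, the function names, the addresses and the timings are constructed for illustration; the TTL slack of 1 and the 0.5 RTT factor are the thresholds the paper uses as its example.

```python
# Added example (not the paper's prototype): Hold-On reply selection for a
# non-DNSSEC query, using the TTL and timing checks described above.
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Reply:
    rtt: float    # seconds from sending the query to receiving this reply
    ip_ttl: int   # TTL field of the IP header that carried the reply
    answer: str   # simplified answer (assumption: a single A record)


def estimate_rtt(samples: Sequence[float]) -> float:
    """Minimum RTT over repeated queries for one name, skipping the first
    query, which may include recursive-resolution time at the resolver."""
    if len(samples) < 2:
        raise ValueError("need at least two RTT samples")
    return min(samples[1:])


def ttl_ok(reply: Reply, expected_ttls: Iterable[int], slack: int = 1) -> bool:
    # Valid only if the IP TTL is within +/- slack of an expected value.
    return any(abs(reply.ip_ttl - t) <= slack for t in expected_ttls)


def rtt_ok(reply: Reply, expected_rtt: float, factor: float = 0.5) -> bool:
    # Valid only if it does not arrive factor * expected_rtt early.
    return reply.rtt >= expected_rtt - factor * expected_rtt


def hold_on_select(replies: Iterable[Reply], expected_rtt: float,
                   expected_ttls: Iterable[int],
                   hold_on: float = 5.0) -> Tuple[Optional[str], bool]:
    """Return (answer, validated). Replies are processed in arrival order;
    anything arriving after the Hold-On timer is never seen."""
    ttls = set(expected_ttls)
    latest = None
    for reply in sorted(replies, key=lambda r: r.rtt):
        if reply.rtt > hold_on:
            break
        latest = reply
        if ttl_ok(reply, ttls) and rtt_ok(reply, expected_rtt):
            return reply.answer, True      # accept and stop waiting
        # Mismatch: drop (a real proxy would log it) and keep waiting.
    # Timer expired: fall back to the latest non-validating reply, if any.
    return (latest.answer, False) if latest else (None, False)


# Constructed sample data (documentation addresses, made-up timings).
EXPECTED_RTT = estimate_rtt([0.412, 0.183, 0.181, 0.190])
EXPECTED_TTLS = {44}
INJECTED = Reply(rtt=0.006, ip_ttl=117, answer="203.0.113.7")
LEGITIMATE = Reply(rtt=0.185, ip_ttl=44, answer="198.51.100.20")

if __name__ == "__main__":
    print(hold_on_select([INJECTED, LEGITIMATE], EXPECTED_RTT, EXPECTED_TTLS))
```

The second element of the result distinguishes a validated answer from the fallback to the latest non-validating reply, which a caller may want to log.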

IV. FEASIBILITY ASSESSMENT

To assess the viability of our approach, we investigate the phenomenon of observing multiple replies for a single DNS query in both a censored network and a non-censored network. In the latter, we look at whether normal DNS traffic generates such replies; that is, whether Hold-On and validation could cause significant false positives. In the censored network, we assess how different the injected replies appear from the legitimate ones, which indicates whether the approach could suffer from significant false negatives.

A. Observation in an uncensored network

We can view use of the Hold-On approach as a form of anomaly detector, looking for a condition that represents an attack. Although it is clear that a packet-injection based DNS attack must create an anomaly where the client receives two distinct replies, we must ensure that normal DNS traffic does not generate these anomalies, as, in some cases, there may be no effective resolution beyond simply noting the attack and returning no valid answer if it proves impossible to heuristically distinguish an attacker's packet from a legitimate non-DNSSEC signed reply.

If the resolver simply ignores replies it cannot validate (and returns the last such, if no valid replies are received), then such anomalies arising in legitimate traffic will not in fact cause any problems. If, however, the resolver flags such replies as reflecting an attack, then these false positives will incur a degree of collateral damage.

We developed a Bro [23] IDS policy script to directly detect anomalous secondary DNS replies. This script operates by tracking all DNS requests and matching replies, checking any subsequent reply that arrives within a 1-minute timeout (footnote 2) to determine whether the number of records in the reply and the contents of each are unchanged. We validated that this script accurately detects attack packets using traces of injected packets we captured by sending DNS query requests that transited a network that uses DNS-based packet-injection censorship.

We ran this script against 6 days of normal DNS traffic captured at ICSI's border, consisting of 11,700,000 DNS requests (footnote 3). During this period we observed no DNS anomalies that would create a false positive, only deliberate testing intended to trigger a DNS censorship system.

Running on a 1.5 hour trace gathered in August 2011 at the UC Berkeley campus border (a total of 15.2M DNS transactions (footnote 4), both inbound and outbound), we observed two benign authorities that triggered the basic anomaly detector. The first server, an authority server for the BBC, returned two distinct replies for the same query for several names. Although distinct in value, both values were within the same /24 subnet. The second, an authority for businessinsider.com, returned two values for the same query. The first reply was a CNAME to an external domain with the root authority information included in the reply, while the second was a SERVFAIL containing the same CNAME but no authority or additional fields, triggering the alert. We also observed both multiple incidents of DNS censorship (caused by local users configured to use resolvers in a censored country) and a few false-positives due to script bugs that would not disrupt a Hold-On resolver.
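
The check that the detection script performs, as an added Python example (this is not the authors' Bro policy script). The SeenReply record layout, the "ip:port" client format, the names and the addresses are constructed for illustration; the 60-second window is the 1-minute timeout stated above.

```python
# Added example (not the Bro script from the paper): flag a later reply that
# differs from the first reply to the same DNS question.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

WINDOW = 60.0  # seconds; the 1-minute timeout described above


@dataclass(frozen=True)
class SeenReply:
    ts: float                 # capture timestamp in seconds
    client: str               # "ip:port" that sent the query (assumed format)
    server: str               # resolver or authority the query was sent to
    txid: int                 # DNS transaction ID
    qname: str                # name in the question section
    records: Tuple[str, ...]  # reply records rendered as strings


def conflicting_replies(
        replies: Iterable[SeenReply]) -> List[Tuple[SeenReply, SeenReply]]:
    """Return (first, later) pairs where a later reply to the same question,
    seen within WINDOW of the first, has different records."""
    first_seen: Dict[tuple, SeenReply] = {}
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        key = (r.client, r.server, r.txid, r.qname.lower())
        first = first_seen.get(key)
        if first is None or r.ts - first.ts > WINDOW:
            first_seen[key] = r          # first reply for this question
            continue
        # Same question answered again: compare record count and contents.
        if (len(r.records) != len(first.records)
                or sorted(r.records) != sorted(first.records)):
            alerts.append((first, r))
    return alerts


# Constructed trace: an early forged reply followed by the real one, a benign
# identical retransmission, and an ordinary single reply.
TRACE = [
    SeenReply(10.006, "192.0.2.10:53211", "198.51.100.53", 0x1A2B,
              "blocked.example", ("A 203.0.113.7",)),
    SeenReply(10.185, "192.0.2.10:53211", "198.51.100.53", 0x1A2B,
              "blocked.example", ("A 198.51.100.20",)),
    SeenReply(20.100, "192.0.2.10:40112", "198.51.100.53", 0x0C0D,
              "www.example", ("A 198.51.100.80",)),
    SeenReply(20.300, "192.0.2.10:40112", "198.51.100.53", 0x0C0D,
              "www.example", ("A 198.51.100.80",)),
    SeenReply(30.000, "192.0.2.10:41000", "198.51.100.53", 0x7777,
              "mail.example", ("MX 10 mx.example",)),
]

if __name__ == "__main__":
    for first, later in conflicting_replies(TRACE):
        print(first.qname, first.records, "->", later.records)
```

On the constructed trace only the blocked.example pair is reported; the identical retransmission for www.example is not.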

B. Observation in a censored network

To assess potential false negatives, we trigger a DNS censorship system to inject DNS replies with sensitive domain names (such as twitter.com). We generated these measurements from within the censored network, communicating with destinations outside the censored network. To differentiate the legitimate from the injected replies, we first query a non-existent DNS server outside the censored network with sensitive names, and we receive only injected replies. We then query an open DNS server with non-sensitive names (such as www.mit.edu), by which we receive only legitimate replies. With this method, we collected a data trace including ≈100,000 queries and corresponding replies over 9 days.

Footnote 2: We chose a longer timeout to be conservative in this analysis, attempting to detect potential anomalies that would not affect a resolver using Hold-On.
Footnote 3: We excluded lookups issued by an ICSI measurement tool.
Footnote 4: Excluding a known high-volume DNS crawler used for research.

Fig. 2. Comparison of arrival times for legitimate packets (green cross) and packets injected by censor (red plus)

Fig. 3. Comparison of TTLs for legitimate packets (green cross) and packets injected by censor (red plus)

Figures 2 and 3 show comparisons of RTTs and TTLs observed of legitimate DNS packets and injected packets by the DNS censor. It appears not difficult to identify the legitimate packets from injected. Most injected packets arrive much earlier than legitimate ones because the injector and the client reside within the same ISP, while the DNS server resides in another country. We found the values of IP TTL from the legitimate DNS responses are quite stable over a period of 9 days (either 44 or 42), but the TTL value of the injected packets varied in the range of [0–255], presumably to avoid simple filtering.

In another 10-hour trace, we select one pair of (RTT, TTL) every 5 minutes, and use this as the expected RTT and TTL to validate other packets in the following time window. In our experiment, we change the threshold of TTL and RTT to evaluate the false positive rate and false negative rate, as shown in Table I. For example, if we set the threshold of TTL to 1 (that is, the reply is valid only if TTL ∈ [expectedTTL − 1, expectedTTL + 1]) and set the threshold of RTT to 0.5 · expectedRTT (that is, the reply is valid only if it does not arrive 0.5 · expectedRTT earlier than expected), then the approach does not generate any false positives or negatives.

Fig. 4. Environment of DNS proxy

TTL threshold   RTT threshold   FP (%)   FN (%)
0-2             0.5             0        0
3               0.5             0        0.01
4               0.5             0        0.06
5               0.5             0        0.07
6               0.5             0        0.10
7               0.5             0        0.11
2               0.1             5.96     0
2               0.2             1.53     0
2               0.3-0.8         0        0
2               0.9             0        0.31

TABLE I. FALSE POSITIVE (FP) AND FALSE NEGATIVE (FN) RATES CORRESPONDING TO DIFFERENT THRESHOLDS FOR IP TTL AND RTT DIFFERENCES.

V. IMPLEMENTATION AND EVALUATION

We implemented a DNS proxy to explore how Hold-On works in practice. The proxy operates as a DNS forwarder that aims to protect against DNS injection by on-path adversaries, as illustrated in Figure 4.

A. Design and implementation of a DNS proxy

To estimate the expected RTT and TTL to/from the remote recursive resolver, the proxy issues requests upon start-up for non-sensitive names (footnote 5). To estimate the RTT, the resolver queries the same name multiple times, selecting the minimum of RTT observed. The resolver excludes the first query, because it might include additional time consumed by the server to resolve the name recursively, rather than answering from its cache. The expected TTL(s) should typically remain constant, but could vary due to routing changes (footnote 6). We assume that the set of expected TTLs does not vary in a measurement period (see below). In our current implementation, the set has only one value. During its normal operation, a separate thread repeats this measurement (see §IV-B) periodically (such as every 5 minutes) and updates the expected RTT and TTL values adapted to potential change of network status.

Footnote 5: It could instead simply monitor initial queries for duplicate replies, and formulate its estimates from those that engender only a single reply. Doing so would also help with combating injection from attackers who have different goals than censorship.
Footnote 6: A potentially pathological case would be replies that vary across a set of arriving TTL values due to the use of per-flow load-balancing that causes different replies to take different routes.

Algorithm 1 Hold-On and Validation for DNS Proxy

    Timeout ← 5
    while GetDNSRequestFromClient(request) do
        retry ← 1; gotAnyReply ← false
        repeat
            ForwardRequestToResolver(Resolver, request);
            StartHoldOnTimer(retry · Timeout);
            while NOT Timeout and GetDNSReply(replyPkt) do
                gotAnyReply ← true {from server or injector}
                if ValidateDNSSECOK(replyPkt) then
                    SendDNSReplyToClient(replyPkt.msg)
                    StopHoldOnTimer()
                    return
                else if ValidateTTLOK(replyPkt.ipTTL) and ValidateRTTOK(replyPkt.RTT) then
                    SendDNSReplyToClient(replyPkt.msg)
                    StopHoldOnTimer()
                    return
                else
                    DropAndLog(replyPkt)
                end if
            end while
            retry ← retry + 1
        until retry == 3
        if gotAnyReply then
            {No valid reply, return the latest non-validating reply}
            SendDNSReplyToClient(replyPkt.msg)
        end if
    end while

Algorithm 1 details how the proxy processes DNS requests and replies. When the proxy receives a DNS request from its client (end user or DNS forwarder), it forwards the request to the remote recursive resolver and starts the Hold-On timer. We set the initial value of the timer to 5 seconds; if there is no legitimate reply after the timer expires, we reset the timer to 10 s for the second try, and similarly to 15 s for the third try.

If the proxy receives a DNS reply (from either the remote recursive resolver, or an injector), it validates both TTL and RTT against the expected values (the expected TTLs could include multiple values because of multiple paths to the resolver). If the request is DNSSEC enabled, the corresponding reply should also be checked with DNSSEC options (not implemented yet in our prototype). For DNSSEC-disabled requests, ValidateDNSSECOK always returns false.
ValidateRTTOK and ValidateTTLOK return true if: expectedRTT replyPkt.RTT

OpenDNS Homepage." http://www.opendns.com/.
[20] "DNS Survey: Open Resolvers." http://dns.measurement-factory.com/surveys/openresolvers.html.
[21] P. Albitz and C. Liu, DNS and BIND, 5th Edition. O'Reilly, 2006.
[22] "DNS: The forwarding timeout value should be 2 to 10 seconds," 2010. http://technet.microsoft.com/en-us/library/ff807396(WS.10).aspx.
[23] V. Paxson, "Bro: a system for detecting network intruders in real-time," Computer Networks, vol. 31, no. 23-24, pp. 2435–2463, 1999.
