similaropendns

opendns  时间:2021-05-20  阅读:()
Hold-On:ProtectingAgainstOn-PathDNSPoisoningHaixinDuan,NicholasWeaver,ZongxuZhao,MengHu,JinjinLiang,JianJiang,KangLiandVernPaxson§TsinghuaUniversity,Beijing,CNduanhx@tsinghua.
edu.
cnInternationalComputerScienceInstitute,Berkeley,CA,USAUniversityofGeorgia,Athens,GA,USA§UniversityofCalifornia,Berkeley,CA,USAUniversityofCaliforniaSanDiego,CA,USAAbstract—SeveralattacksonDNSinjectforgedDNSreplieswithoutsuppressingthelegitimatereplies.
Currentimplementa-tionsofDNSresolversarevulnerabletoacceptingtheinjectedrepliesiftheattacker'sreplyarrivesbeforethelegitimateone.
InthecaseofregularDNS,thisbehaviorallowsanattackertocorruptavictim'sinterpretationofaname;forDNSSEC-protectednames,itenablesdenial-of-service.
Wearguethattheresolvershouldwaitafterreceivinganinitialreplyfora"Hold-On"periodtoallowasubsequentlegitimatereplytoalsoarrive.
Weevaluatethefeasibilityofsuchanapproachanddiscussourimplementationofaprototypestubresolver/forwarderthatvalidatesDNSrepliesusingHold-On.
ByvalidatingtheIPTTLandthetimingofthereplies,weshowthattheresolvercanidentifyDNSpacketsinjectedbyanation-statecensorshipsystem,andthatitfunctionswithoutperceptibleperformancedecreaseforundisruptedlookups.
I.
INTRODUCTIONTheDomainNameSystem(DNS)providesacriticalnet-workservice,andfacesavarietyofattacksrangingfromblindpacketinjectiontoactiveman-in-the-middleattacks.
OneattackofconcernregardsDNSpoisoningbasedonpacketinjection,whereanattackerwhocanobserveandinjecttrafcinsertsfakerepliestoqueries.
Severaltypesofadversariescanemploysuchattacks,includingattackersusingsystemsonsharedWiFinetworks,ISPsseekingtoimposecontent-basedusagepolices,andgovernmentcensorship[1].
OneparticulardesignchoiceofDNSmakestheseattackseasy.
TheDNSstandardrecommendsthataDNSresolverreturnsananswerassoonasitreceivesamatchingreply[2],inordertoprovideareplyasquicklyaspossible.
Inaddition,evenDNSSEC-validatingresolverslikelywillsufferadenial-of-serviceattackuponreceiptofaninjectedreply:thenon-validatingresponseleadstheresolvertoreturnaresponseof"Bogus"[3]unlessitcontinuestowaitforareplythatproperlyvalidates.
WeexploretheopportunityofcounteringDNSinjectionattacksbasedontheobservationthatpacketinjection(ratherthanfullman-in-the-middleattacks)cannotsuppressthere-ceiptoflegitimatereplies.
Thus,ifresolverreceivesareplysoonerthanexpected,insteadofreturningtheresultimme-diately,itcanwaitfora"Hold-On"intervaltoseewhetheradditionalresponsesarrive.
Thekeyquestionsforthisapproachare(1)towhatdegreesuchambiguousrepliesoccurinnormaltrafc,whichwillleadtoHold-Onintroducingdifferentresolverbehaviorthanoccurstoday,and(2)howmuchextradelayusersencounterduetotheuseofHold-On.
Ourevaluationshowsthatreceivingtwodifferingrepliestothesamequestionoccursonlyveryrarelyinnormaltrafc,whichestablishesthatthisconditionallowsforeffectiveanomalydetection.
Wealsopresentpreliminaryresultssuggestingthattheextradelayimposedonusersisquiteminor.
WehaveimplementedaDNSproxythatusesHold-Onandevaluateitseffectivenessagainstawidelydeployednetworkcensorshiptool.
WendthatourprototypecaneffectivelylteroutfakeDNSreplies,anddoesnotappeartointroduceanyperceptibleincreaseindelay.
II.
OVERVIEWOFTHEPROBLEMSPACEA.
TaxonomyofattacksAttackersagainstDNSfallintothreecategories:off-path,on-path,andin-path.
Anoff-pathadversarylackstheabilitytoobserveDNSqueriesandresponses.
SuchanattackerwillgenerallyemploysomemeanstotriggerspecicDNSlookups,butmustguessthetransactionID[4],[5]andanyotherentropy(suchasthesourceportand0x20encoding[6])intherequesttoforgeareplythattheresolverwillaccept.
Off-pathadversariesgenerallygeneratenumerouspacketsinhopesofmatchingtherequest.
Additionally,becauseresolversdonotissuenewqueriesforanamethatisalreadycached,off-pathadversarieshavedifcultytargetingstubresolvers,sincestubs,unlikerecursiveresolvers,donotgenerallyacceptandpromoteglueentries(thebehaviorleveragedby[5]).
Anon-pathadversaryhastheabilitytopassivelyobservetheactuallookupsrequestedbyaresolver.
On-pathadversariescandirectlyforgeDNSrepliesthatmatchthefullsetofcriteriausedbytheresolvertovalidateanswers(otherthanuseofDNSSEC).
Aslongasaforgedreplyarrivesattheresolverbeforethelegitimateone,theresolverwillaccepttheinjectedanswerandbecomepoisoned.
Absentadenial-of-serviceattackonlegitimateservers,bothoff-pathandon-pathadversarieslacktheabilitytosuppressle-gitimateresponses.
Thus,bothoftheseadversariesnecessarilycreateanobservableartifact:thevictim,ifitwaitssufcientlylong,willreceiveboththeattacker'spacketandthelegitimatereply.
(WeemployedasimilarformofthisanomalytodetectTCPresetinjectionattacks[7].
)Onlyanin-pathadversary,capableofblockingandmodifyingpackets,canpreventthelegitimatereplyfromreachingthevictim.
Althoughin-pathapproacheshavemorepower,on-pathap-proacheshaveseveraladvantages,makingtheiruseappealingforattackers.
Censorshiptoolscommonlyuseon-pathratherthanin-pathtechniquestoeasedeploymentandtomakethesystemfailureandloadtolerant,asthecensorshipsystemcanthenoperateonatrafcmirrorratherthanthelivetrafc.
1Similarly,on-pathWiFipacketinjectionworkswithoutmodifyingdrivers,butsuppressinglegitimaterepliesrequireshardware-specicaccesstothelow-levelairinterfacetodetectandsquelchabroadcastinight.
B.
VulnerabilityofcurrentimplementationsSystemsthatimplementtheDNSstandard[2],[8]arevulnerabletoon-pathspoong,despitethepresenceofthelaterlegitimatereply,becausetheresolverattemptsto"gettheanswerasquicklyaspossible"[2].
Uponreceivingareply,theresolvercheckstheIDeldintheheaderandthenwill"verifythatthequestionsectioncorrespondstotheinformationcurrentlydesired"[8].
Clearly,thesestepsdonotprovidesufcientdiligence,asthedesigngoalofquicklyreturningananswercausestheresolvertoreturntheattacker'svalue.
DNSSECaddscryptographicauthenticationtopreventtheacceptanceofinvalidDNSreplies[9],[10],[3].
Althoughattackerscannotredirectvictimsusingspoofedreplies,theycanstillperformdenial-of-serviceattack,whichwilloftensufcetosatisfyacensor'sobjective.
DOSoccursbecausetheresolverwillattempttoprocesstheattacker'spacket,determinethattheDNSSECsignatureisabsentorinvalid,andimmediatelyreturn"Bogus",deprivingtheclientfromtheabilitytoconnecttothehostcorrespondingtothename.
Becauseofthisbehavior,DNSSECdoesnotsufceasareplacementforamechanismsuchasHold-On:resolversneedtomaintainanopenportforaperiodoftimeinordertoattempttovalidateallresponsesreceivedforaquery,notjusttherst.
C.
OtherrelatedworkDNShasalonghistoryofpoisoningattacks[4],[5],[11],[12].
Besidethosementionedabove,severalpreviouseffortscounterDNSpoisoningattackbyincreasingthedifcultyofblindlyinjectingDNSanswers[13],[14],[6],[15].
Theseeffortsfocusondeterringoff-pathinjectionbyincreasingtheinformationentropyrequiredtomatchavalidDNSreply.
Ourwork,however,addressesthethreatfromattackersthatcanobservequeries,whichallowsthemtocircumventthesepreviousdefenses.
1TCPtrafccontroltoolsalsohaveusedthisvantagepoint.
Forexample,ComcastdeployedSandvine'sPolicyTrafcSwitchdevicestodisruptBitTor-renttrafcinanon-pathconguration[7],eventhoughthedevicesthemselvessupportedin-pathoperation.
Poisoningattacksbasedonon-pathinjectionarenotlimitedtoDNS.
Maliciousinjection,suchasTCPRSTandICMPunreachablemessages,havebeenusedinbothindividualattacks[7]andISP-scalecensorship[16],[17].
SimilartoDNSpoisoning,trafcsentfromtheremotepeerofthelegitimatecommunicationwillstillarriveatthevictimafterthesemaliciousinjections.
Therefore,theuseofHold-Onmechanismssimilartothoseexploredherewilllikelyhaveapplicabilitytodeterthesemaliciousinjectionsaswell.
III.
HOLD-ONANDDILIGENTVALIDATIONAsaconsequenceoftheinabilityforon-pathattackerstosuppresslegitimatereplies,weinvestigatethebenetsofstubresolversorforwarderswaitingfora"Hold-On"periodtoallowsubsequentlegitimaterepliestoarrive.
Partofthisprocedureentailsvalidatingreplieswithmorediligencewhenaresolverreceivestwoormorerepliesforthesamequestion.
ThisimprovementeffectivelyprotectsagainstDNSinjectionsinthecaseofnon-disruptiveattacks,wheretheattackerlackstheabilitytotoblockeithertheresolver'srequestortheauthority'sresponse.
A.
AssumptionsWepredicateourapproachonthefollowingassumptions,whichweviewasreasonablebasedonourexperiencewithcensorshipactivitythatemployson-pathinjectors:(1)Theuserunderattackorcensorshipisabletoaccessatrustworthyrecursiveresolveroutsideoftheattackedorcensorednetworks,suchasGooglePublicDNS[18]andOpenDNS[19],whichtheyfrequentlyuse.
Inparticular,inthecensorshipcase,weassumethatthecensordoesnotblockaccesstothisresolver,whichweargueisaplausibleassumptiongiventhelargenumber(158,364inJanuary2012)ofknownopenresolvers[20].
(2)Theattacker/censorinjectsfakeresponsesaccordingtoablacklistratherthanawhitelist.
Thatis,theuserknowssomenon-sensitivedomainnamesthatcanbeusedtomeasurenormal(non-interferedbytheattacker)communicationbe-tweentheclient(stubresolver)andtheDNSserver(recursiveresolver).
(3)Theattackerinjectsfakerepliesasquicklyaspossibleinordertoensurethattherepliesarriveearlierthanthelegitimateones.
Hence,theinjectionmechanismwilltransmitimmediatelyuponseeingtheclient'srequest.
Themechanismcannotwaitforthearrivalofthelegitimatereplyfromtheserverbecausebydoingso,theinjectionmayarriveafterit,andfailtowork.
(4)TheattackercannotconstructaproperlysignedDNSSECresponse.
Basedontheseassumptions,thestubresolvercanestimatewhenitexpectslegitimaterepliestoarrive,inordertodiscernbetweeninjectedrepliesandcorrectones.
B.
Hold-OnandValidationThestubresolverorforwarderneedstorstlearntheexpectedRTTandhop-countdistance(intermsofexpectedFig.
1.
Hold-OnwhilewaitingforalegitimateDNSreply.
TTL)associatedwithcommunicationinvolvingitsremoterecursiveresolver,whichitdoesusingactivemeasurement.
(Recallthatwepresumetheremoteresolverliesoutsideofthecensorednetwork.
)Uponstart-up,theresolverissuesaseriesofnon-sensitivequeriestomeasuretheinitialRTTandTTLseenonarrivingrepliesforentriescachedattheremoteresolverbyrepeatedlyqueryingforthesamename.
Duringthisperiod,theresolvermaintainsanopenportforanadditionalperiodtovalidatethatanon-pathadversaryhasnottamperedwiththeseinitialmeasurementsbyinjectingreplies.
Duringnormaloperation,thestubresolveralsocontinuallyupdatesthesevaluesbasedonpassivemeasurementsofitsongoingtrafc.
GivenestimatesofthelegitimateRTTandTTL,theresolverworksasshowninFigure1:(1)AfterissuingaDNSquery,theresolverstartsitsHold-Ontimer.
Anaturalsettingforthetimerwouldbe15seconds,asthisreectsthedefaulttimeoutvalueforboththeBINDresolver[21,p.
108]andMicrosoftWindows[22].
Naturally,inmostcasestheresolverwillreturnmuchsooner,unlesstheremoteresolverisunreachable.
(2)WhentheresolverexpectsaDNSSEC-protectedre-sponse,foreachreplyitperformsalocalsignaturevalidation.
Itreturnstotheclienttherstfullyvalidatedreply.
IfitndsallrepliesaseitherInsecure,Bogus,orIndeterminate[3,p.
20],andtheHold-Ontimerexpires,theresolverreturnsaDNSSECerror.
(3)WithoutDNSSEC,uponreceivingareplybeforetheHold-Ontimerexpires,theresolverperformstwoadditionalvalidations:Timing.
DoesthereplyarrivestooearlyThetestweusehereisforrepliesthatarrivesoonerthanhalfoftheexpected(measurement-derived)RTT.
Wenotethattheresolvercouldalsodeterminethisthresholdmorepreciselybymeasuringknowninjectionsintheresolver'sactualenvironmentbygeneratingqueriesforcensorednamestonon-existentresolvers.
TTL.
DoestheTTLeldintheIPheaderhavetheexpectedvalue(s)WeassumethattheroutebetweentheremoteDNSserverandtheclientisstableinatleastshortperiods(suchas5minutes),sowecangetandupdatetheexpectedTTLsbyperiodicalmeasurement.
Uponobservingeitheroftheabovemismatches,theresolverignorestheresponseandcontinuestowait.
IfontheotherhandareplyarrivesbeforetheHold-Ontimeexpiresandvalidatesbasedontheabovetests,theresolveracceptsthenewreplyandreturnsittotheclient.
IfthestubresolverreceivesnovalidreplybeforetheHold-Ontimerexpires,itreturnsthelatestnon-validatingreplyitobserved.
Doingsomeansthatinthepresenceofsignicantlychangednetworkconditions,usersexperiencedelay,butnotinadvertentblockingoftheiraccess.
Inmostcases,theresolverwillnotwaituntiltheHold-Ontimertimingout;itwillstopwaitinguponreceiptofalegitimateresponse.
Thus,generallythisapproachwillnotcauseextradelay,exceptinthecasethatnetworkconditionshavechangedsuchthatlegitimaterepliesnowreturnsoonerandwithoutDNSSECprotection.
IV.
FEASIBILITYASSESSMENTToassesstheviabilityofourapproach,weinvestigatethephenomenonofobservingmultiplerepliesforasingleDNSqueryinbothacensorednetworkandanon-censorednetwork.
Inthelatter,welookatwhethernormalDNStrafcgeneratessuchreplies;thatis,whetherHold-Onandvalidationcouldcausesignicantfalsepositives.
Inthecensorednetwork,weassesshowdifferenttheinjectedrepliesappearfromthelegitimateones,whichindicateswhethertheapproachcouldsufferfromsignicantfalsenegatives.
A.
ObservationinanuncensorednetworkWecanviewuseoftheHold-Onapproachasaformofanomalydetector,lookingforaconditionthatrepresentsanattack.
Althoughitisclearthatapacket-injectionbasedDNSattackmustcreateananomalywheretheclientreceivestwodistinctreplies,wemustensurethatnormalDNStrafcdoesnotgeneratetheseanomalies,as,insomecases,theremaybenoeffectiveresolutionbeyondsimplynotingtheattackandreturningnovalidanswerifitprovesimpossibletoheuristicallydistinguishanattacker'spacketfromalegitimatenon-DNSSECsignedreply.
Iftheresolversimplyignoresrepliesitcannotvalidate(andreturnsthelastsuch,ifnovalidrepliesarereceived),thensuchanomaliesarisinginlegitimatetrafcwillnotinfactcauseanyproblems.
If,however,theresolveragssuchrepliesasreectinganattack,thenthesefalsepositiveswillincuradegreeofcollateraldamage.
WedevelopedaBro[23]IDSpolicyscripttodirectlydetectanomaloussecondaryDNSreplies.
ThisscriptoperatesbytrackingallDNSrequestsandmatchingreplies,checkinganysubsequentreplythatarriveswithina1-minutetimeout2todeterminewhetherthenumberofrecordsinthereplyandthecontentsofeachareunchanged.
WevalidatedthatthisscriptaccuratelydetectsattackpacketsusingtracesofinjectedpacketswecapturedbysendingDNSqueryrequeststhattransitedanetworkthatusesDNS-basedpacket-injectioncensorship.
Weranthisscriptagainst6daysofnormalDNStrafccapturedatICSI'sborder,consistingof11,700,000DNSrequests.
3DuringthisperiodweobservednoDNSanomaliesthatwouldcreateafalsepositive,onlydeliberatetestingintendedtotriggeraDNScensorshipsystem.
Runningona1.
5hourtracegatheredinAugust2011attheUCBerkeleycampusborder(atotalof15.
2MDNStransactions,4bothinboundandoutbound),weobservedtwobenignauthoritiesthattriggeredthebasicanomalydetector.
Therstserver,anauthorityserverfortheBBC,returnedtwodistinctrepliesforthesamequeryforseveralnames.
Althoughdistinctinvalue,bothvalueswerewithinthesame/24subnet.
Thesecond,anauthorityforbusinessinsider.
com,returnedtwovaluesforthesamequery.
TherstreplywasaCNAMEtoanexternaldomainwiththerootauthorityinformationincludedinthereply,whilethesecondwasaSERVFAILcontainingthesameCNAMEbutnoauthorityoradditionalelds,triggeringthealert.
WealsoobservedbothmultipleincidentsofDNScensorship(causedbylocalusersconguredtouseresolversinacensoredcountry)andafewfalse-positivesduetoscriptbugsthatwouldnotdisruptaHold-Onresolver.
B.
ObservationinacensorednetworkToassesspotentialfalsenegatives,wetriggeraDNScensor-shipsystemtoinjectDNSreplieswithsensitivedomainnames(suchastwitter.
com).
Wegeneratedthesemeasurementsfromwithinthecensorednetwork,communicatingwithdestinationsoutsidethecensorednetwork.
Todifferentiatethelegitimatefromtheinjectedreplies,werstqueryanon-existentDNSserveroutsidethecensorednetworkwithsensitivenames,andwereceiveonlyinjectedreplies.
WethenqueryanopenDNS2Wechosealongertimeouttobeconservativeinthisanalysis,attemptingtodetectpotentialanomaliesthatwouldnotaffectaresolverusingHold-On.
3WeexcludedlookupsissuesbyanICSImeasurementtool.
4Excludingaknownhigh-volumeDNScrawlerusedforresearch.
Fig.
2.
Comparisonofarrivaltimesforlegitimatepackets(greencross)andpacketsinjectedbycensor(redplus)Fig.
3.
ComparisonofTTLsforlegitimatepackets(greencross)andpacketsinjectedbycensor(redplus)serverwithnon-sensitivenames(suchaswww.
mit.
edu),bywhichwereceiveonlylegitimatereplies.
Withthismethod,wecollectedadatatraceincluding≈100,000queriesandcorrespondingrepliesover9days.
Figures2and3showcomparisonsofRTTsandTTLsobservedoflegitimateDNSpacketsandinjectedpacketsbytheDNScensor.
Itappearsnotdifculttoidentifythelegitimatepacketsfrominjected.
MostinjectedpacketsarrivemuchearlierthanlegitimateonesbecausetheinjectorandtheclientresidewithinthesameISP,whiletheDNSserverresidesinanothercountry.
WefoundthevaluesofIPTTLfromthelegitimateDNSresponsesarequitestableoveraperiodof9days(either44or42),buttheTTLvalueoftheinjectedpacketsvariedintherangeof[0–255],presumablytoavoidsimpleltering.
Inanother10-hourtrace,weselectonepairof(RTT,TTL)every5minutes,andusethisastheexpectedRTTandTTLtovalidateotherpacketsinthefollowingtimewindow.
Inourexperiment,wechangethethresholdofTTLandRTTtoevaluatethefalsepositiverateandfalsenegativerate,asshowninTableI.
Forexample,ifwesetthethresholdFig.
4.
EnvironmentofDNSproxyofTTLto1(thatis,thereplyisvalidonlyifTTL∈[expectedTTL1,expectedTTL+1])andsetthethresholdofRTTto0.
5·expectedRTT(thatis,thereplyisvalidonlyifitdoesnotarrive0.
5·expectedRTTearlierthanexpected),thentheapproachdoesnotgenerateanyfalsepositivesornegatives.
TTLthresholdRTTthresholdFP(%)FN(%)0-20.
50030.
500.
0140.
500.
0650.
500.
0760.
500.
1070.
500.
1120.
15.
96020.
21.
53020.
3-0.
80020.
900.
31TABLEIFALSEPOSITIVE(FP)ANDFALSENEGATIVE(FN)RATESCORRESPONDINGTODIFFERENTTHRESHOLDSFORIPTTLANDRTTDIFFERENCES.
V.
IMPLEMENTATIONANDEVALUATIONWeimplementedaDNSproxytoexplorehowHold-Onworksinpractice.
TheproxyoperatesasaDNSforwarderthataimstoprotectagainstDNSinjectionbyon-pathadversaries,asillustratedinFigure4.
A.
DesignandimplementationofaDNSproxyToestimatetheexpectedRTTandTTLto/fromtheremoterecursiveresolver,theproxyissuesrequestsuponstart-upfornon-sensitivenames.
5ToestimatetheRTT,theresolverqueriesthesamenamemultipletimes,selectingtheminimumofRTTobserved.
Theresolverexcludestherstquery,be-causeitmightincludeadditionaltimeconsumedbytheservertoresolvethenamerecursively,ratherthanansweringfromitscache.
TheexpectedTTL(s)shouldtypicallyremainconstant,butcouldvaryduetoroutingchanges.
6WeassumethatthesetofexpectedTTLsdoesnotvaryinameasurementperiod(seebelow).
Inourcurrentimplementation,thesethasonlyonevalue.
Duringitsnormaloperation,aseparatethreadrepeats5Itcouldinsteadsimplymonitorinitialqueriesforduplicatereplies,andformulateitsestimatesfromthosethatengenderonlyasinglereply.
Doingsowouldalsohelpwithcombatinginjectionfromattackerswhohavedifferentgoalsthancensorship.
6ApotentiallypathologicalcasewouldberepliesthatvaryacrossasetofarrivingTTLvaluesduetotheuseofper-owload-balancingthatcausesdifferentrepliestotakedifferentroutes.
Algorithm1Hold-OnandValidationforDNSProxyTimeout←5whileGetDNSRequestFromClient(request)doretry←1;gotAnyReply←falserepeatForwardRequestToResolver(Resolver,request);StartHoldOnTimer(retry·Timeout);whileNOTTimeoutandGetDNSReply(replyPkt)dogotAnyReply←true{fromserverorinjector}ifValidateDNSSECOK(replyPkt)thenSendDNSReplyToClient(replyPkt.
msg)StopHoldOnTimer()returnelseifValidateTTLOK(replyPkt.
ipTTL)andValidateRTTOK(replyPkt.
RTT)thenSendDNSReplyToClient(replyPkt.
msg)StopHoldOnTimer()returnelseDropAndLog(replyPkt)endifendwhileretry←retry+1untilretry==3ifgotAnyReplythen{Novalidreply,returnthelatestnon-validatingreply}SendDNSReplyToClient(replyPkt.
msg)endifendwhilethismeasurement(see§IV-B)periodically(suchasevery5minutes)andupdatestheexpectedRTTandTTLvaluesadaptedtopotentialchangeofnetworkstatus.
Algorithm1detailshowtheproxyprocesseswithDNSrequestsandreplies.
WhentheproxyreceivesaDNSrequestfromitsclient(enduserorDNSforwarder),itforwardstherequesttotheremoterecursiveresolverandstartstheHold-Ontimer.
Wesettheinitialvalueofthetimerto5seconds;ifnolegitimatereplyafterthetimerexpires,weresetthetimerto10sforthesecondtry,andsimilarlyto15sforthethirdtry.
IftheproxyreceivesaDNSreply(fromeithertheremotere-cursiveresolver,oraninjector),itvalidatesbothTTLandRTTagainsttheexpectedvalues(theexpectedTTLscouldincludemultiplevaluesbecauseofmultiplepathstotheresolver).
IftherequestisDNSSECenabled,thecorrespondingreplyshouldalsobecheckedwithDNSSECoptions(notimple-mentedyetinourprototype).
ForDNSSEC-disabledrequests,ValidateDNSSECOKalwaysreturnsfalse.
ValidateRTTOKandValidateTTLOKreturntrueif:expectedRTTreplyPkt.
RTTOpenDNSHomepage.
"http://www.
opendns.
com/.
[20]"DNSSurvey:OpenResolvers.
"http://dns.
measurement-factory.
com/surveys/openresolvers.
html.
[21]P.
AlbitzandC.
Liu,DNSandBIND,5thEdition.
O'Reilly,2006.
[22]"DNS:Theforwardingtimeoutvalueshouldbe2to10seconds,"2010.
http://technet.
microsoft.
com/en-us/library/ff807396(WS.
10).
aspx.
[23]V.
Paxson,"Bro:asystemfordetectingnetworkintrudersinreal-time,"ComputerNetworks,vol.
31,no.
23-24,pp.
2435–2463,1999.

buyvm美国大硬盘VPS,1Gbps带宽不限流量

buyvm正式对外开卖第四个数据中心“迈阿密”的块存储服务,和前面拉斯维加斯、纽约、卢森堡一样,依旧是每256G硬盘仅需1.25美元/月,最大支持10T硬盘。配合buyvm自己的VPS,1Gbps带宽、不限流量,在vps上挂载块存储之后就可以用来做数据备份、文件下载、刷BT等一系列工作。官方网站:https://buyvm.net支持信用卡、PayPal、支付宝付款,支付宝付款用的是加元汇率,貌似...

美得云(15元/月)美国cera 2核4G 15元/月 香港1核 1G 3M独享

美得云怎么样?美得云好不好?美得云是第一次来推广软文,老板人脾气特别好,能感觉出来会用心对待用户。美得云这次为大家提供了几款性价比十分高的产品,美国cera 2核4G 15元/月 香港1核 1G 3M独享 15元/月,并且还提供了免费空间给大家使用。嘻嘻 我也打算去白嫖一个空间了。新用户注册福利-8折优惠码:H2dmBKbF 截止2021.10.1结束。KVM架构,99.99%高可用性,依托BGP...

ZJI全新上架香港站群服务器,4C段238个IP月付1400元起

ZJI本月新上线了香港葵湾机房站群服务器,提供4个C段238个IPv4,支持使用8折优惠码,优惠后最低每月1400元起。ZJI是原Wordpress圈知名主机商家:维翔主机,成立于2011年,2018年9月更名为ZJI,提供中国香港、台湾、日本、美国独立服务器(自营/数据中心直营)租用及VDS、虚拟主机空间、域名注册等业务,所选数据中心均为国内普遍访问速度不错的机房。葵湾二型(4C站群)CPU:I...

opendns为你推荐
addresschrome小学生fastreport2glucanotransferasechrome支持ipad支付apple支持ipad支持ipadcss3圆角在HTML里如何实现圆角矩形?google中国地图求教谷歌中国地图~手机如何使用?联通iphone4iphone4想换联通的卡 是普通联通的卡都能开通3G么 还是得换联通3G卡 联通都有什么套餐 我是北京的
山东虚拟主机 申请域名 购买域名和空间 ix主机 20g硬盘 iis安装教程 国外空间 坐公交投2700元 bgp双线 工作站服务器 lol台服官网 cdn加速原理 免费活动 最漂亮的qq空间 域名与空间 英国伦敦 日本代理ip 攻击服务器 宿迁服务器 cdn服务 更多