similaropendns

opendns  时间:2021-05-20  阅读:()
Hold-On:ProtectingAgainstOn-PathDNSPoisoningHaixinDuan,NicholasWeaver,ZongxuZhao,MengHu,JinjinLiang,JianJiang,KangLiandVernPaxson§TsinghuaUniversity,Beijing,CNduanhx@tsinghua.
edu.
cnInternationalComputerScienceInstitute,Berkeley,CA,USAUniversityofGeorgia,Athens,GA,USA§UniversityofCalifornia,Berkeley,CA,USAUniversityofCaliforniaSanDiego,CA,USAAbstract—SeveralattacksonDNSinjectforgedDNSreplieswithoutsuppressingthelegitimatereplies.
Currentimplementa-tionsofDNSresolversarevulnerabletoacceptingtheinjectedrepliesiftheattacker'sreplyarrivesbeforethelegitimateone.
InthecaseofregularDNS,thisbehaviorallowsanattackertocorruptavictim'sinterpretationofaname;forDNSSEC-protectednames,itenablesdenial-of-service.
Wearguethattheresolvershouldwaitafterreceivinganinitialreplyfora"Hold-On"periodtoallowasubsequentlegitimatereplytoalsoarrive.
Weevaluatethefeasibilityofsuchanapproachanddiscussourimplementationofaprototypestubresolver/forwarderthatvalidatesDNSrepliesusingHold-On.
ByvalidatingtheIPTTLandthetimingofthereplies,weshowthattheresolvercanidentifyDNSpacketsinjectedbyanation-statecensorshipsystem,andthatitfunctionswithoutperceptibleperformancedecreaseforundisruptedlookups.
I.
INTRODUCTIONTheDomainNameSystem(DNS)providesacriticalnet-workservice,andfacesavarietyofattacksrangingfromblindpacketinjectiontoactiveman-in-the-middleattacks.
OneattackofconcernregardsDNSpoisoningbasedonpacketinjection,whereanattackerwhocanobserveandinjecttrafcinsertsfakerepliestoqueries.
Severaltypesofadversariescanemploysuchattacks,includingattackersusingsystemsonsharedWiFinetworks,ISPsseekingtoimposecontent-basedusagepolices,andgovernmentcensorship[1].
OneparticulardesignchoiceofDNSmakestheseattackseasy.
TheDNSstandardrecommendsthataDNSresolverreturnsananswerassoonasitreceivesamatchingreply[2],inordertoprovideareplyasquicklyaspossible.
Inaddition,evenDNSSEC-validatingresolverslikelywillsufferadenial-of-serviceattackuponreceiptofaninjectedreply:thenon-validatingresponseleadstheresolvertoreturnaresponseof"Bogus"[3]unlessitcontinuestowaitforareplythatproperlyvalidates.
WeexploretheopportunityofcounteringDNSinjectionattacksbasedontheobservationthatpacketinjection(ratherthanfullman-in-the-middleattacks)cannotsuppressthere-ceiptoflegitimatereplies.
Thus,ifresolverreceivesareplysoonerthanexpected,insteadofreturningtheresultimme-diately,itcanwaitfora"Hold-On"intervaltoseewhetheradditionalresponsesarrive.
Thekeyquestionsforthisapproachare(1)towhatdegreesuchambiguousrepliesoccurinnormaltrafc,whichwillleadtoHold-Onintroducingdifferentresolverbehaviorthanoccurstoday,and(2)howmuchextradelayusersencounterduetotheuseofHold-On.
Ourevaluationshowsthatreceivingtwodifferingrepliestothesamequestionoccursonlyveryrarelyinnormaltrafc,whichestablishesthatthisconditionallowsforeffectiveanomalydetection.
Wealsopresentpreliminaryresultssuggestingthattheextradelayimposedonusersisquiteminor.
WehaveimplementedaDNSproxythatusesHold-Onandevaluateitseffectivenessagainstawidelydeployednetworkcensorshiptool.
WendthatourprototypecaneffectivelylteroutfakeDNSreplies,anddoesnotappeartointroduceanyperceptibleincreaseindelay.
II.
OVERVIEWOFTHEPROBLEMSPACEA.
TaxonomyofattacksAttackersagainstDNSfallintothreecategories:off-path,on-path,andin-path.
Anoff-pathadversarylackstheabilitytoobserveDNSqueriesandresponses.
SuchanattackerwillgenerallyemploysomemeanstotriggerspecicDNSlookups,butmustguessthetransactionID[4],[5]andanyotherentropy(suchasthesourceportand0x20encoding[6])intherequesttoforgeareplythattheresolverwillaccept.
Off-pathadversariesgenerallygeneratenumerouspacketsinhopesofmatchingtherequest.
Additionally,becauseresolversdonotissuenewqueriesforanamethatisalreadycached,off-pathadversarieshavedifcultytargetingstubresolvers,sincestubs,unlikerecursiveresolvers,donotgenerallyacceptandpromoteglueentries(thebehaviorleveragedby[5]).
Anon-pathadversaryhastheabilitytopassivelyobservetheactuallookupsrequestedbyaresolver.
On-pathadversariescandirectlyforgeDNSrepliesthatmatchthefullsetofcriteriausedbytheresolvertovalidateanswers(otherthanuseofDNSSEC).
Aslongasaforgedreplyarrivesattheresolverbeforethelegitimateone,theresolverwillaccepttheinjectedanswerandbecomepoisoned.
Absentadenial-of-serviceattackonlegitimateservers,bothoff-pathandon-pathadversarieslacktheabilitytosuppressle-gitimateresponses.
Thus,bothoftheseadversariesnecessarilycreateanobservableartifact:thevictim,ifitwaitssufcientlylong,willreceiveboththeattacker'spacketandthelegitimatereply.
(WeemployedasimilarformofthisanomalytodetectTCPresetinjectionattacks[7].
)Onlyanin-pathadversary,capableofblockingandmodifyingpackets,canpreventthelegitimatereplyfromreachingthevictim.
Althoughin-pathapproacheshavemorepower,on-pathap-proacheshaveseveraladvantages,makingtheiruseappealingforattackers.
Censorshiptoolscommonlyuseon-pathratherthanin-pathtechniquestoeasedeploymentandtomakethesystemfailureandloadtolerant,asthecensorshipsystemcanthenoperateonatrafcmirrorratherthanthelivetrafc.
1Similarly,on-pathWiFipacketinjectionworkswithoutmodifyingdrivers,butsuppressinglegitimaterepliesrequireshardware-specicaccesstothelow-levelairinterfacetodetectandsquelchabroadcastinight.
B.
VulnerabilityofcurrentimplementationsSystemsthatimplementtheDNSstandard[2],[8]arevulnerabletoon-pathspoong,despitethepresenceofthelaterlegitimatereply,becausetheresolverattemptsto"gettheanswerasquicklyaspossible"[2].
Uponreceivingareply,theresolvercheckstheIDeldintheheaderandthenwill"verifythatthequestionsectioncorrespondstotheinformationcurrentlydesired"[8].
Clearly,thesestepsdonotprovidesufcientdiligence,asthedesigngoalofquicklyreturningananswercausestheresolvertoreturntheattacker'svalue.
DNSSECaddscryptographicauthenticationtopreventtheacceptanceofinvalidDNSreplies[9],[10],[3].
Althoughattackerscannotredirectvictimsusingspoofedreplies,theycanstillperformdenial-of-serviceattack,whichwilloftensufcetosatisfyacensor'sobjective.
DOSoccursbecausetheresolverwillattempttoprocesstheattacker'spacket,determinethattheDNSSECsignatureisabsentorinvalid,andimmediatelyreturn"Bogus",deprivingtheclientfromtheabilitytoconnecttothehostcorrespondingtothename.
Becauseofthisbehavior,DNSSECdoesnotsufceasareplacementforamechanismsuchasHold-On:resolversneedtomaintainanopenportforaperiodoftimeinordertoattempttovalidateallresponsesreceivedforaquery,notjusttherst.
C.
OtherrelatedworkDNShasalonghistoryofpoisoningattacks[4],[5],[11],[12].
Besidethosementionedabove,severalpreviouseffortscounterDNSpoisoningattackbyincreasingthedifcultyofblindlyinjectingDNSanswers[13],[14],[6],[15].
Theseeffortsfocusondeterringoff-pathinjectionbyincreasingtheinformationentropyrequiredtomatchavalidDNSreply.
Ourwork,however,addressesthethreatfromattackersthatcanobservequeries,whichallowsthemtocircumventthesepreviousdefenses.
1TCPtrafccontroltoolsalsohaveusedthisvantagepoint.
Forexample,ComcastdeployedSandvine'sPolicyTrafcSwitchdevicestodisruptBitTor-renttrafcinanon-pathconguration[7],eventhoughthedevicesthemselvessupportedin-pathoperation.
Poisoningattacksbasedonon-pathinjectionarenotlimitedtoDNS.
Maliciousinjection,suchasTCPRSTandICMPunreachablemessages,havebeenusedinbothindividualattacks[7]andISP-scalecensorship[16],[17].
SimilartoDNSpoisoning,trafcsentfromtheremotepeerofthelegitimatecommunicationwillstillarriveatthevictimafterthesemaliciousinjections.
Therefore,theuseofHold-Onmechanismssimilartothoseexploredherewilllikelyhaveapplicabilitytodeterthesemaliciousinjectionsaswell.
III.
HOLD-ONANDDILIGENTVALIDATIONAsaconsequenceoftheinabilityforon-pathattackerstosuppresslegitimatereplies,weinvestigatethebenetsofstubresolversorforwarderswaitingfora"Hold-On"periodtoallowsubsequentlegitimaterepliestoarrive.
Partofthisprocedureentailsvalidatingreplieswithmorediligencewhenaresolverreceivestwoormorerepliesforthesamequestion.
ThisimprovementeffectivelyprotectsagainstDNSinjectionsinthecaseofnon-disruptiveattacks,wheretheattackerlackstheabilitytotoblockeithertheresolver'srequestortheauthority'sresponse.
A.
AssumptionsWepredicateourapproachonthefollowingassumptions,whichweviewasreasonablebasedonourexperiencewithcensorshipactivitythatemployson-pathinjectors:(1)Theuserunderattackorcensorshipisabletoaccessatrustworthyrecursiveresolveroutsideoftheattackedorcensorednetworks,suchasGooglePublicDNS[18]andOpenDNS[19],whichtheyfrequentlyuse.
Inparticular,inthecensorshipcase,weassumethatthecensordoesnotblockaccesstothisresolver,whichweargueisaplausibleassumptiongiventhelargenumber(158,364inJanuary2012)ofknownopenresolvers[20].
(2)Theattacker/censorinjectsfakeresponsesaccordingtoablacklistratherthanawhitelist.
Thatis,theuserknowssomenon-sensitivedomainnamesthatcanbeusedtomeasurenormal(non-interferedbytheattacker)communicationbe-tweentheclient(stubresolver)andtheDNSserver(recursiveresolver).
(3)Theattackerinjectsfakerepliesasquicklyaspossibleinordertoensurethattherepliesarriveearlierthanthelegitimateones.
Hence,theinjectionmechanismwilltransmitimmediatelyuponseeingtheclient'srequest.
Themechanismcannotwaitforthearrivalofthelegitimatereplyfromtheserverbecausebydoingso,theinjectionmayarriveafterit,andfailtowork.
(4)TheattackercannotconstructaproperlysignedDNSSECresponse.
Basedontheseassumptions,thestubresolvercanestimatewhenitexpectslegitimaterepliestoarrive,inordertodiscernbetweeninjectedrepliesandcorrectones.
B.
Hold-OnandValidationThestubresolverorforwarderneedstorstlearntheexpectedRTTandhop-countdistance(intermsofexpectedFig.
1.
Hold-OnwhilewaitingforalegitimateDNSreply.
TTL)associatedwithcommunicationinvolvingitsremoterecursiveresolver,whichitdoesusingactivemeasurement.
(Recallthatwepresumetheremoteresolverliesoutsideofthecensorednetwork.
)Uponstart-up,theresolverissuesaseriesofnon-sensitivequeriestomeasuretheinitialRTTandTTLseenonarrivingrepliesforentriescachedattheremoteresolverbyrepeatedlyqueryingforthesamename.
Duringthisperiod,theresolvermaintainsanopenportforanadditionalperiodtovalidatethatanon-pathadversaryhasnottamperedwiththeseinitialmeasurementsbyinjectingreplies.
Duringnormaloperation,thestubresolveralsocontinuallyupdatesthesevaluesbasedonpassivemeasurementsofitsongoingtrafc.
GivenestimatesofthelegitimateRTTandTTL,theresolverworksasshowninFigure1:(1)AfterissuingaDNSquery,theresolverstartsitsHold-Ontimer.
Anaturalsettingforthetimerwouldbe15seconds,asthisreectsthedefaulttimeoutvalueforboththeBINDresolver[21,p.
108]andMicrosoftWindows[22].
Naturally,inmostcasestheresolverwillreturnmuchsooner,unlesstheremoteresolverisunreachable.
(2)WhentheresolverexpectsaDNSSEC-protectedre-sponse,foreachreplyitperformsalocalsignaturevalidation.
Itreturnstotheclienttherstfullyvalidatedreply.
IfitndsallrepliesaseitherInsecure,Bogus,orIndeterminate[3,p.
20],andtheHold-Ontimerexpires,theresolverreturnsaDNSSECerror.
(3)WithoutDNSSEC,uponreceivingareplybeforetheHold-Ontimerexpires,theresolverperformstwoadditionalvalidations:Timing.
DoesthereplyarrivestooearlyThetestweusehereisforrepliesthatarrivesoonerthanhalfoftheexpected(measurement-derived)RTT.
Wenotethattheresolvercouldalsodeterminethisthresholdmorepreciselybymeasuringknowninjectionsintheresolver'sactualenvironmentbygeneratingqueriesforcensorednamestonon-existentresolvers.
TTL.
DoestheTTLeldintheIPheaderhavetheexpectedvalue(s)WeassumethattheroutebetweentheremoteDNSserverandtheclientisstableinatleastshortperiods(suchas5minutes),sowecangetandupdatetheexpectedTTLsbyperiodicalmeasurement.
Uponobservingeitheroftheabovemismatches,theresolverignorestheresponseandcontinuestowait.
IfontheotherhandareplyarrivesbeforetheHold-Ontimeexpiresandvalidatesbasedontheabovetests,theresolveracceptsthenewreplyandreturnsittotheclient.
IfthestubresolverreceivesnovalidreplybeforetheHold-Ontimerexpires,itreturnsthelatestnon-validatingreplyitobserved.
Doingsomeansthatinthepresenceofsignicantlychangednetworkconditions,usersexperiencedelay,butnotinadvertentblockingoftheiraccess.
Inmostcases,theresolverwillnotwaituntiltheHold-Ontimertimingout;itwillstopwaitinguponreceiptofalegitimateresponse.
Thus,generallythisapproachwillnotcauseextradelay,exceptinthecasethatnetworkconditionshavechangedsuchthatlegitimaterepliesnowreturnsoonerandwithoutDNSSECprotection.
IV.
FEASIBILITYASSESSMENTToassesstheviabilityofourapproach,weinvestigatethephenomenonofobservingmultiplerepliesforasingleDNSqueryinbothacensorednetworkandanon-censorednetwork.
Inthelatter,welookatwhethernormalDNStrafcgeneratessuchreplies;thatis,whetherHold-Onandvalidationcouldcausesignicantfalsepositives.
Inthecensorednetwork,weassesshowdifferenttheinjectedrepliesappearfromthelegitimateones,whichindicateswhethertheapproachcouldsufferfromsignicantfalsenegatives.
A.
ObservationinanuncensorednetworkWecanviewuseoftheHold-Onapproachasaformofanomalydetector,lookingforaconditionthatrepresentsanattack.
Althoughitisclearthatapacket-injectionbasedDNSattackmustcreateananomalywheretheclientreceivestwodistinctreplies,wemustensurethatnormalDNStrafcdoesnotgeneratetheseanomalies,as,insomecases,theremaybenoeffectiveresolutionbeyondsimplynotingtheattackandreturningnovalidanswerifitprovesimpossibletoheuristicallydistinguishanattacker'spacketfromalegitimatenon-DNSSECsignedreply.
Iftheresolversimplyignoresrepliesitcannotvalidate(andreturnsthelastsuch,ifnovalidrepliesarereceived),thensuchanomaliesarisinginlegitimatetrafcwillnotinfactcauseanyproblems.
If,however,theresolveragssuchrepliesasreectinganattack,thenthesefalsepositiveswillincuradegreeofcollateraldamage.
WedevelopedaBro[23]IDSpolicyscripttodirectlydetectanomaloussecondaryDNSreplies.
ThisscriptoperatesbytrackingallDNSrequestsandmatchingreplies,checkinganysubsequentreplythatarriveswithina1-minutetimeout2todeterminewhetherthenumberofrecordsinthereplyandthecontentsofeachareunchanged.
WevalidatedthatthisscriptaccuratelydetectsattackpacketsusingtracesofinjectedpacketswecapturedbysendingDNSqueryrequeststhattransitedanetworkthatusesDNS-basedpacket-injectioncensorship.
Weranthisscriptagainst6daysofnormalDNStrafccapturedatICSI'sborder,consistingof11,700,000DNSrequests.
3DuringthisperiodweobservednoDNSanomaliesthatwouldcreateafalsepositive,onlydeliberatetestingintendedtotriggeraDNScensorshipsystem.
Runningona1.
5hourtracegatheredinAugust2011attheUCBerkeleycampusborder(atotalof15.
2MDNStransactions,4bothinboundandoutbound),weobservedtwobenignauthoritiesthattriggeredthebasicanomalydetector.
Therstserver,anauthorityserverfortheBBC,returnedtwodistinctrepliesforthesamequeryforseveralnames.
Althoughdistinctinvalue,bothvalueswerewithinthesame/24subnet.
Thesecond,anauthorityforbusinessinsider.
com,returnedtwovaluesforthesamequery.
TherstreplywasaCNAMEtoanexternaldomainwiththerootauthorityinformationincludedinthereply,whilethesecondwasaSERVFAILcontainingthesameCNAMEbutnoauthorityoradditionalelds,triggeringthealert.
WealsoobservedbothmultipleincidentsofDNScensorship(causedbylocalusersconguredtouseresolversinacensoredcountry)andafewfalse-positivesduetoscriptbugsthatwouldnotdisruptaHold-Onresolver.
B.
ObservationinacensorednetworkToassesspotentialfalsenegatives,wetriggeraDNScensor-shipsystemtoinjectDNSreplieswithsensitivedomainnames(suchastwitter.
com).
Wegeneratedthesemeasurementsfromwithinthecensorednetwork,communicatingwithdestinationsoutsidethecensorednetwork.
Todifferentiatethelegitimatefromtheinjectedreplies,werstqueryanon-existentDNSserveroutsidethecensorednetworkwithsensitivenames,andwereceiveonlyinjectedreplies.
WethenqueryanopenDNS2Wechosealongertimeouttobeconservativeinthisanalysis,attemptingtodetectpotentialanomaliesthatwouldnotaffectaresolverusingHold-On.
3WeexcludedlookupsissuesbyanICSImeasurementtool.
4Excludingaknownhigh-volumeDNScrawlerusedforresearch.
Fig.
2.
Comparisonofarrivaltimesforlegitimatepackets(greencross)andpacketsinjectedbycensor(redplus)Fig.
3.
ComparisonofTTLsforlegitimatepackets(greencross)andpacketsinjectedbycensor(redplus)serverwithnon-sensitivenames(suchaswww.
mit.
edu),bywhichwereceiveonlylegitimatereplies.
Withthismethod,wecollectedadatatraceincluding≈100,000queriesandcorrespondingrepliesover9days.
Figures2and3showcomparisonsofRTTsandTTLsobservedoflegitimateDNSpacketsandinjectedpacketsbytheDNScensor.
Itappearsnotdifculttoidentifythelegitimatepacketsfrominjected.
MostinjectedpacketsarrivemuchearlierthanlegitimateonesbecausetheinjectorandtheclientresidewithinthesameISP,whiletheDNSserverresidesinanothercountry.
WefoundthevaluesofIPTTLfromthelegitimateDNSresponsesarequitestableoveraperiodof9days(either44or42),buttheTTLvalueoftheinjectedpacketsvariedintherangeof[0–255],presumablytoavoidsimpleltering.
Inanother10-hourtrace,weselectonepairof(RTT,TTL)every5minutes,andusethisastheexpectedRTTandTTLtovalidateotherpacketsinthefollowingtimewindow.
Inourexperiment,wechangethethresholdofTTLandRTTtoevaluatethefalsepositiverateandfalsenegativerate,asshowninTableI.
Forexample,ifwesetthethresholdFig.
4.
EnvironmentofDNSproxyofTTLto1(thatis,thereplyisvalidonlyifTTL∈[expectedTTL1,expectedTTL+1])andsetthethresholdofRTTto0.
5·expectedRTT(thatis,thereplyisvalidonlyifitdoesnotarrive0.
5·expectedRTTearlierthanexpected),thentheapproachdoesnotgenerateanyfalsepositivesornegatives.
TTLthresholdRTTthresholdFP(%)FN(%)0-20.
50030.
500.
0140.
500.
0650.
500.
0760.
500.
1070.
500.
1120.
15.
96020.
21.
53020.
3-0.
80020.
900.
31TABLEIFALSEPOSITIVE(FP)ANDFALSENEGATIVE(FN)RATESCORRESPONDINGTODIFFERENTTHRESHOLDSFORIPTTLANDRTTDIFFERENCES.
V.
IMPLEMENTATIONANDEVALUATIONWeimplementedaDNSproxytoexplorehowHold-Onworksinpractice.
TheproxyoperatesasaDNSforwarderthataimstoprotectagainstDNSinjectionbyon-pathadversaries,asillustratedinFigure4.
A.
DesignandimplementationofaDNSproxyToestimatetheexpectedRTTandTTLto/fromtheremoterecursiveresolver,theproxyissuesrequestsuponstart-upfornon-sensitivenames.
5ToestimatetheRTT,theresolverqueriesthesamenamemultipletimes,selectingtheminimumofRTTobserved.
Theresolverexcludestherstquery,be-causeitmightincludeadditionaltimeconsumedbytheservertoresolvethenamerecursively,ratherthanansweringfromitscache.
TheexpectedTTL(s)shouldtypicallyremainconstant,butcouldvaryduetoroutingchanges.
6WeassumethatthesetofexpectedTTLsdoesnotvaryinameasurementperiod(seebelow).
Inourcurrentimplementation,thesethasonlyonevalue.
Duringitsnormaloperation,aseparatethreadrepeats5Itcouldinsteadsimplymonitorinitialqueriesforduplicatereplies,andformulateitsestimatesfromthosethatengenderonlyasinglereply.
Doingsowouldalsohelpwithcombatinginjectionfromattackerswhohavedifferentgoalsthancensorship.
6ApotentiallypathologicalcasewouldberepliesthatvaryacrossasetofarrivingTTLvaluesduetotheuseofper-owload-balancingthatcausesdifferentrepliestotakedifferentroutes.
Algorithm1Hold-OnandValidationforDNSProxyTimeout←5whileGetDNSRequestFromClient(request)doretry←1;gotAnyReply←falserepeatForwardRequestToResolver(Resolver,request);StartHoldOnTimer(retry·Timeout);whileNOTTimeoutandGetDNSReply(replyPkt)dogotAnyReply←true{fromserverorinjector}ifValidateDNSSECOK(replyPkt)thenSendDNSReplyToClient(replyPkt.
msg)StopHoldOnTimer()returnelseifValidateTTLOK(replyPkt.
ipTTL)andValidateRTTOK(replyPkt.
RTT)thenSendDNSReplyToClient(replyPkt.
msg)StopHoldOnTimer()returnelseDropAndLog(replyPkt)endifendwhileretry←retry+1untilretry==3ifgotAnyReplythen{Novalidreply,returnthelatestnon-validatingreply}SendDNSReplyToClient(replyPkt.
msg)endifendwhilethismeasurement(see§IV-B)periodically(suchasevery5minutes)andupdatestheexpectedRTTandTTLvaluesadaptedtopotentialchangeofnetworkstatus.
Algorithm1detailshowtheproxyprocesseswithDNSrequestsandreplies.
WhentheproxyreceivesaDNSrequestfromitsclient(enduserorDNSforwarder),itforwardstherequesttotheremoterecursiveresolverandstartstheHold-Ontimer.
Wesettheinitialvalueofthetimerto5seconds;ifnolegitimatereplyafterthetimerexpires,weresetthetimerto10sforthesecondtry,andsimilarlyto15sforthethirdtry.
IftheproxyreceivesaDNSreply(fromeithertheremotere-cursiveresolver,oraninjector),itvalidatesbothTTLandRTTagainsttheexpectedvalues(theexpectedTTLscouldincludemultiplevaluesbecauseofmultiplepathstotheresolver).
IftherequestisDNSSECenabled,thecorrespondingreplyshouldalsobecheckedwithDNSSECoptions(notimple-mentedyetinourprototype).
ForDNSSEC-disabledrequests,ValidateDNSSECOKalwaysreturnsfalse.
ValidateRTTOKandValidateTTLOKreturntrueif:expectedRTTreplyPkt.
RTTOpenDNSHomepage.
"http://www.
opendns.
com/.
[20]"DNSSurvey:OpenResolvers.
"http://dns.
measurement-factory.
com/surveys/openresolvers.
html.
[21]P.
AlbitzandC.
Liu,DNSandBIND,5thEdition.
O'Reilly,2006.
[22]"DNS:Theforwardingtimeoutvalueshouldbe2to10seconds,"2010.
http://technet.
microsoft.
com/en-us/library/ff807396(WS.
10).
aspx.
[23]V.
Paxson,"Bro:asystemfordetectingnetworkintrudersinreal-time,"ComputerNetworks,vol.
31,no.
23-24,pp.
2435–2463,1999.

柚子互联(34元),湖北十堰高防, 香港 1核1G 5M

柚子互联官网商家介绍柚子互联(www.19vps.cn)本次给大家带来了盛夏促销活动,本次推出的活动是湖北十堰高防产品,这次老板也人狠话不多丢了一个6.5折优惠券而且还是续费同价,稳撸。喜欢的朋友可以看看下面的活动详情介绍,自从站长这么久以来柚子互联从19年开始算是老商家了。六五折优惠码:6kfUGl07活动截止时间:2021年9月30日客服QQ:207781983本次仅推荐部分套餐,更多套餐可进...

2022年腾讯云新春采购季代金券提前领 领取满减优惠券和域名优惠

2022年春节假期陆续结束,根据惯例在春节之后各大云服务商会继续开始一年的促销活动。今年二月中旬会开启新春采购季的活动,我们已经看到腾讯云商家在春节期间已经有预告活动。当时已经看到有抢先优惠促销活动,目前我们企业和个人可以领取腾讯云代金券满减活动,以及企业用户可以领取域名优惠低至.COM域名1元。 直达链接 - 腾讯云新春采购活动抢先看活动时间:2022年1月20日至2022年2月15日我们可以在...

LOCVPS新上韩国KVM,全场8折,2G内存套餐月付44元起_网络传真服务器

LOCVPS(全球云)发布了新上韩国机房KVM架构主机信息,提供流量和带宽方式,适用全场8折优惠码,优惠码最低2G内存套餐月付仅44元起。这是一家成立较早的国人VPS服务商,目前提供洛杉矶MC、洛杉矶C3、和香港邦联、香港沙田电信、香港大埔、日本东京、日本大阪、新加坡、德国和荷兰等机房VPS主机,基于KVM或者XEN架构。下面分别列出几款韩国机房KVM主机配置信息。韩国KVM流量型套餐:KR-Pl...

opendns为你推荐
支持ipad支持ipad支持ipad支持ipad支持ipad您的iphone请仔细阅读在本报告尾部的重要法律声明itunes备份怎么使用iTunes备份googleadsense·什么是Google AdSense?如何加入Google AdSense? 谁可以告诉我吗?google搜图google自定义搜索是什么?怎么用
济南域名注册 未注册域名查询 播放vps上的视频 花生壳域名贝锐 ipage 优惠码 evssl证书 京东商城双十一活动 美国网站服务器 海外空间 帽子云排名 买空间网 远程登录 cc加速器 电信测速器在线测网速 ddos是什么 免费网络电视直播 六维空间登陆首页 网站服务器硬件配置 linuxweb服务器 更多