similaropendns
opendns 时间:2021-05-20 阅读:(
)
Hold-On:ProtectingAgainstOn-PathDNSPoisoningHaixinDuan,NicholasWeaver,ZongxuZhao,MengHu,JinjinLiang,JianJiang,KangLiandVernPaxson§TsinghuaUniversity,Beijing,CNduanhx@tsinghua.
edu.
cnInternationalComputerScienceInstitute,Berkeley,CA,USAUniversityofGeorgia,Athens,GA,USA§UniversityofCalifornia,Berkeley,CA,USAUniversityofCaliforniaSanDiego,CA,USAAbstract—SeveralattacksonDNSinjectforgedDNSreplieswithoutsuppressingthelegitimatereplies.
Currentimplementa-tionsofDNSresolversarevulnerabletoacceptingtheinjectedrepliesiftheattacker'sreplyarrivesbeforethelegitimateone.
InthecaseofregularDNS,thisbehaviorallowsanattackertocorruptavictim'sinterpretationofaname;forDNSSEC-protectednames,itenablesdenial-of-service.
Wearguethattheresolvershouldwaitafterreceivinganinitialreplyfora"Hold-On"periodtoallowasubsequentlegitimatereplytoalsoarrive.
Weevaluatethefeasibilityofsuchanapproachanddiscussourimplementationofaprototypestubresolver/forwarderthatvalidatesDNSrepliesusingHold-On.
ByvalidatingtheIPTTLandthetimingofthereplies,weshowthattheresolvercanidentifyDNSpacketsinjectedbyanation-statecensorshipsystem,andthatitfunctionswithoutperceptibleperformancedecreaseforundisruptedlookups.
I.
INTRODUCTIONTheDomainNameSystem(DNS)providesacriticalnet-workservice,andfacesavarietyofattacksrangingfromblindpacketinjectiontoactiveman-in-the-middleattacks.
OneattackofconcernregardsDNSpoisoningbasedonpacketinjection,whereanattackerwhocanobserveandinjecttrafcinsertsfakerepliestoqueries.
Severaltypesofadversariescanemploysuchattacks,includingattackersusingsystemsonsharedWiFinetworks,ISPsseekingtoimposecontent-basedusagepolices,andgovernmentcensorship[1].
OneparticulardesignchoiceofDNSmakestheseattackseasy.
TheDNSstandardrecommendsthataDNSresolverreturnsananswerassoonasitreceivesamatchingreply[2],inordertoprovideareplyasquicklyaspossible.
Inaddition,evenDNSSEC-validatingresolverslikelywillsufferadenial-of-serviceattackuponreceiptofaninjectedreply:thenon-validatingresponseleadstheresolvertoreturnaresponseof"Bogus"[3]unlessitcontinuestowaitforareplythatproperlyvalidates.
WeexploretheopportunityofcounteringDNSinjectionattacksbasedontheobservationthatpacketinjection(ratherthanfullman-in-the-middleattacks)cannotsuppressthere-ceiptoflegitimatereplies.
Thus,ifresolverreceivesareplysoonerthanexpected,insteadofreturningtheresultimme-diately,itcanwaitfora"Hold-On"intervaltoseewhetheradditionalresponsesarrive.
Thekeyquestionsforthisapproachare(1)towhatdegreesuchambiguousrepliesoccurinnormaltrafc,whichwillleadtoHold-Onintroducingdifferentresolverbehaviorthanoccurstoday,and(2)howmuchextradelayusersencounterduetotheuseofHold-On.
Ourevaluationshowsthatreceivingtwodifferingrepliestothesamequestionoccursonlyveryrarelyinnormaltrafc,whichestablishesthatthisconditionallowsforeffectiveanomalydetection.
Wealsopresentpreliminaryresultssuggestingthattheextradelayimposedonusersisquiteminor.
WehaveimplementedaDNSproxythatusesHold-Onandevaluateitseffectivenessagainstawidelydeployednetworkcensorshiptool.
WendthatourprototypecaneffectivelylteroutfakeDNSreplies,anddoesnotappeartointroduceanyperceptibleincreaseindelay.
II.
OVERVIEWOFTHEPROBLEMSPACEA.
TaxonomyofattacksAttackersagainstDNSfallintothreecategories:off-path,on-path,andin-path.
Anoff-pathadversarylackstheabilitytoobserveDNSqueriesandresponses.
SuchanattackerwillgenerallyemploysomemeanstotriggerspecicDNSlookups,butmustguessthetransactionID[4],[5]andanyotherentropy(suchasthesourceportand0x20encoding[6])intherequesttoforgeareplythattheresolverwillaccept.
Off-pathadversariesgenerallygeneratenumerouspacketsinhopesofmatchingtherequest.
Additionally,becauseresolversdonotissuenewqueriesforanamethatisalreadycached,off-pathadversarieshavedifcultytargetingstubresolvers,sincestubs,unlikerecursiveresolvers,donotgenerallyacceptandpromoteglueentries(thebehaviorleveragedby[5]).
Anon-pathadversaryhastheabilitytopassivelyobservetheactuallookupsrequestedbyaresolver.
On-pathadversariescandirectlyforgeDNSrepliesthatmatchthefullsetofcriteriausedbytheresolvertovalidateanswers(otherthanuseofDNSSEC).
Aslongasaforgedreplyarrivesattheresolverbeforethelegitimateone,theresolverwillaccepttheinjectedanswerandbecomepoisoned.
Absentadenial-of-serviceattackonlegitimateservers,bothoff-pathandon-pathadversarieslacktheabilitytosuppressle-gitimateresponses.
Thus,bothoftheseadversariesnecessarilycreateanobservableartifact:thevictim,ifitwaitssufcientlylong,willreceiveboththeattacker'spacketandthelegitimatereply.
(WeemployedasimilarformofthisanomalytodetectTCPresetinjectionattacks[7].
)Onlyanin-pathadversary,capableofblockingandmodifyingpackets,canpreventthelegitimatereplyfromreachingthevictim.
Althoughin-pathapproacheshavemorepower,on-pathap-proacheshaveseveraladvantages,makingtheiruseappealingforattackers.
Censorshiptoolscommonlyuseon-pathratherthanin-pathtechniquestoeasedeploymentandtomakethesystemfailureandloadtolerant,asthecensorshipsystemcanthenoperateonatrafcmirrorratherthanthelivetrafc.
1Similarly,on-pathWiFipacketinjectionworkswithoutmodifyingdrivers,butsuppressinglegitimaterepliesrequireshardware-specicaccesstothelow-levelairinterfacetodetectandsquelchabroadcastinight.
B.
VulnerabilityofcurrentimplementationsSystemsthatimplementtheDNSstandard[2],[8]arevulnerabletoon-pathspoong,despitethepresenceofthelaterlegitimatereply,becausetheresolverattemptsto"gettheanswerasquicklyaspossible"[2].
Uponreceivingareply,theresolvercheckstheIDeldintheheaderandthenwill"verifythatthequestionsectioncorrespondstotheinformationcurrentlydesired"[8].
Clearly,thesestepsdonotprovidesufcientdiligence,asthedesigngoalofquicklyreturningananswercausestheresolvertoreturntheattacker'svalue.
DNSSECaddscryptographicauthenticationtopreventtheacceptanceofinvalidDNSreplies[9],[10],[3].
Althoughattackerscannotredirectvictimsusingspoofedreplies,theycanstillperformdenial-of-serviceattack,whichwilloftensufcetosatisfyacensor'sobjective.
DOSoccursbecausetheresolverwillattempttoprocesstheattacker'spacket,determinethattheDNSSECsignatureisabsentorinvalid,andimmediatelyreturn"Bogus",deprivingtheclientfromtheabilitytoconnecttothehostcorrespondingtothename.
Becauseofthisbehavior,DNSSECdoesnotsufceasareplacementforamechanismsuchasHold-On:resolversneedtomaintainanopenportforaperiodoftimeinordertoattempttovalidateallresponsesreceivedforaquery,notjusttherst.
C.
OtherrelatedworkDNShasalonghistoryofpoisoningattacks[4],[5],[11],[12].
Besidethosementionedabove,severalpreviouseffortscounterDNSpoisoningattackbyincreasingthedifcultyofblindlyinjectingDNSanswers[13],[14],[6],[15].
Theseeffortsfocusondeterringoff-pathinjectionbyincreasingtheinformationentropyrequiredtomatchavalidDNSreply.
Ourwork,however,addressesthethreatfromattackersthatcanobservequeries,whichallowsthemtocircumventthesepreviousdefenses.
1TCPtrafccontroltoolsalsohaveusedthisvantagepoint.
Forexample,ComcastdeployedSandvine'sPolicyTrafcSwitchdevicestodisruptBitTor-renttrafcinanon-pathconguration[7],eventhoughthedevicesthemselvessupportedin-pathoperation.
Poisoningattacksbasedonon-pathinjectionarenotlimitedtoDNS.
Maliciousinjection,suchasTCPRSTandICMPunreachablemessages,havebeenusedinbothindividualattacks[7]andISP-scalecensorship[16],[17].
SimilartoDNSpoisoning,trafcsentfromtheremotepeerofthelegitimatecommunicationwillstillarriveatthevictimafterthesemaliciousinjections.
Therefore,theuseofHold-Onmechanismssimilartothoseexploredherewilllikelyhaveapplicabilitytodeterthesemaliciousinjectionsaswell.
III.
HOLD-ONANDDILIGENTVALIDATIONAsaconsequenceoftheinabilityforon-pathattackerstosuppresslegitimatereplies,weinvestigatethebenetsofstubresolversorforwarderswaitingfora"Hold-On"periodtoallowsubsequentlegitimaterepliestoarrive.
Partofthisprocedureentailsvalidatingreplieswithmorediligencewhenaresolverreceivestwoormorerepliesforthesamequestion.
ThisimprovementeffectivelyprotectsagainstDNSinjectionsinthecaseofnon-disruptiveattacks,wheretheattackerlackstheabilitytotoblockeithertheresolver'srequestortheauthority'sresponse.
A.
AssumptionsWepredicateourapproachonthefollowingassumptions,whichweviewasreasonablebasedonourexperiencewithcensorshipactivitythatemployson-pathinjectors:(1)Theuserunderattackorcensorshipisabletoaccessatrustworthyrecursiveresolveroutsideoftheattackedorcensorednetworks,suchasGooglePublicDNS[18]andOpenDNS[19],whichtheyfrequentlyuse.
Inparticular,inthecensorshipcase,weassumethatthecensordoesnotblockaccesstothisresolver,whichweargueisaplausibleassumptiongiventhelargenumber(158,364inJanuary2012)ofknownopenresolvers[20].
(2)Theattacker/censorinjectsfakeresponsesaccordingtoablacklistratherthanawhitelist.
Thatis,theuserknowssomenon-sensitivedomainnamesthatcanbeusedtomeasurenormal(non-interferedbytheattacker)communicationbe-tweentheclient(stubresolver)andtheDNSserver(recursiveresolver).
(3)Theattackerinjectsfakerepliesasquicklyaspossibleinordertoensurethattherepliesarriveearlierthanthelegitimateones.
Hence,theinjectionmechanismwilltransmitimmediatelyuponseeingtheclient'srequest.
Themechanismcannotwaitforthearrivalofthelegitimatereplyfromtheserverbecausebydoingso,theinjectionmayarriveafterit,andfailtowork.
(4)TheattackercannotconstructaproperlysignedDNSSECresponse.
Basedontheseassumptions,thestubresolvercanestimatewhenitexpectslegitimaterepliestoarrive,inordertodiscernbetweeninjectedrepliesandcorrectones.
B.
Hold-OnandValidationThestubresolverorforwarderneedstorstlearntheexpectedRTTandhop-countdistance(intermsofexpectedFig.
1.
Hold-OnwhilewaitingforalegitimateDNSreply.
TTL)associatedwithcommunicationinvolvingitsremoterecursiveresolver,whichitdoesusingactivemeasurement.
(Recallthatwepresumetheremoteresolverliesoutsideofthecensorednetwork.
)Uponstart-up,theresolverissuesaseriesofnon-sensitivequeriestomeasuretheinitialRTTandTTLseenonarrivingrepliesforentriescachedattheremoteresolverbyrepeatedlyqueryingforthesamename.
Duringthisperiod,theresolvermaintainsanopenportforanadditionalperiodtovalidatethatanon-pathadversaryhasnottamperedwiththeseinitialmeasurementsbyinjectingreplies.
Duringnormaloperation,thestubresolveralsocontinuallyupdatesthesevaluesbasedonpassivemeasurementsofitsongoingtrafc.
GivenestimatesofthelegitimateRTTandTTL,theresolverworksasshowninFigure1:(1)AfterissuingaDNSquery,theresolverstartsitsHold-Ontimer.
Anaturalsettingforthetimerwouldbe15seconds,asthisreectsthedefaulttimeoutvalueforboththeBINDresolver[21,p.
108]andMicrosoftWindows[22].
Naturally,inmostcasestheresolverwillreturnmuchsooner,unlesstheremoteresolverisunreachable.
(2)WhentheresolverexpectsaDNSSEC-protectedre-sponse,foreachreplyitperformsalocalsignaturevalidation.
Itreturnstotheclienttherstfullyvalidatedreply.
IfitndsallrepliesaseitherInsecure,Bogus,orIndeterminate[3,p.
20],andtheHold-Ontimerexpires,theresolverreturnsaDNSSECerror.
(3)WithoutDNSSEC,uponreceivingareplybeforetheHold-Ontimerexpires,theresolverperformstwoadditionalvalidations:Timing.
DoesthereplyarrivestooearlyThetestweusehereisforrepliesthatarrivesoonerthanhalfoftheexpected(measurement-derived)RTT.
Wenotethattheresolvercouldalsodeterminethisthresholdmorepreciselybymeasuringknowninjectionsintheresolver'sactualenvironmentbygeneratingqueriesforcensorednamestonon-existentresolvers.
TTL.
DoestheTTLeldintheIPheaderhavetheexpectedvalue(s)WeassumethattheroutebetweentheremoteDNSserverandtheclientisstableinatleastshortperiods(suchas5minutes),sowecangetandupdatetheexpectedTTLsbyperiodicalmeasurement.
Uponobservingeitheroftheabovemismatches,theresolverignorestheresponseandcontinuestowait.
IfontheotherhandareplyarrivesbeforetheHold-Ontimeexpiresandvalidatesbasedontheabovetests,theresolveracceptsthenewreplyandreturnsittotheclient.
IfthestubresolverreceivesnovalidreplybeforetheHold-Ontimerexpires,itreturnsthelatestnon-validatingreplyitobserved.
Doingsomeansthatinthepresenceofsignicantlychangednetworkconditions,usersexperiencedelay,butnotinadvertentblockingoftheiraccess.
Inmostcases,theresolverwillnotwaituntiltheHold-Ontimertimingout;itwillstopwaitinguponreceiptofalegitimateresponse.
Thus,generallythisapproachwillnotcauseextradelay,exceptinthecasethatnetworkconditionshavechangedsuchthatlegitimaterepliesnowreturnsoonerandwithoutDNSSECprotection.
IV.
FEASIBILITYASSESSMENTToassesstheviabilityofourapproach,weinvestigatethephenomenonofobservingmultiplerepliesforasingleDNSqueryinbothacensorednetworkandanon-censorednetwork.
Inthelatter,welookatwhethernormalDNStrafcgeneratessuchreplies;thatis,whetherHold-Onandvalidationcouldcausesignicantfalsepositives.
Inthecensorednetwork,weassesshowdifferenttheinjectedrepliesappearfromthelegitimateones,whichindicateswhethertheapproachcouldsufferfromsignicantfalsenegatives.
A.
ObservationinanuncensorednetworkWecanviewuseoftheHold-Onapproachasaformofanomalydetector,lookingforaconditionthatrepresentsanattack.
Althoughitisclearthatapacket-injectionbasedDNSattackmustcreateananomalywheretheclientreceivestwodistinctreplies,wemustensurethatnormalDNStrafcdoesnotgeneratetheseanomalies,as,insomecases,theremaybenoeffectiveresolutionbeyondsimplynotingtheattackandreturningnovalidanswerifitprovesimpossibletoheuristicallydistinguishanattacker'spacketfromalegitimatenon-DNSSECsignedreply.
Iftheresolversimplyignoresrepliesitcannotvalidate(andreturnsthelastsuch,ifnovalidrepliesarereceived),thensuchanomaliesarisinginlegitimatetrafcwillnotinfactcauseanyproblems.
If,however,theresolveragssuchrepliesasreectinganattack,thenthesefalsepositiveswillincuradegreeofcollateraldamage.
WedevelopedaBro[23]IDSpolicyscripttodirectlydetectanomaloussecondaryDNSreplies.
ThisscriptoperatesbytrackingallDNSrequestsandmatchingreplies,checkinganysubsequentreplythatarriveswithina1-minutetimeout2todeterminewhetherthenumberofrecordsinthereplyandthecontentsofeachareunchanged.
WevalidatedthatthisscriptaccuratelydetectsattackpacketsusingtracesofinjectedpacketswecapturedbysendingDNSqueryrequeststhattransitedanetworkthatusesDNS-basedpacket-injectioncensorship.
Weranthisscriptagainst6daysofnormalDNStrafccapturedatICSI'sborder,consistingof11,700,000DNSrequests.
3DuringthisperiodweobservednoDNSanomaliesthatwouldcreateafalsepositive,onlydeliberatetestingintendedtotriggeraDNScensorshipsystem.
Runningona1.
5hourtracegatheredinAugust2011attheUCBerkeleycampusborder(atotalof15.
2MDNStransactions,4bothinboundandoutbound),weobservedtwobenignauthoritiesthattriggeredthebasicanomalydetector.
Therstserver,anauthorityserverfortheBBC,returnedtwodistinctrepliesforthesamequeryforseveralnames.
Althoughdistinctinvalue,bothvalueswerewithinthesame/24subnet.
Thesecond,anauthorityforbusinessinsider.
com,returnedtwovaluesforthesamequery.
TherstreplywasaCNAMEtoanexternaldomainwiththerootauthorityinformationincludedinthereply,whilethesecondwasaSERVFAILcontainingthesameCNAMEbutnoauthorityoradditionalelds,triggeringthealert.
WealsoobservedbothmultipleincidentsofDNScensorship(causedbylocalusersconguredtouseresolversinacensoredcountry)andafewfalse-positivesduetoscriptbugsthatwouldnotdisruptaHold-Onresolver.
B.
ObservationinacensorednetworkToassesspotentialfalsenegatives,wetriggeraDNScensor-shipsystemtoinjectDNSreplieswithsensitivedomainnames(suchastwitter.
com).
Wegeneratedthesemeasurementsfromwithinthecensorednetwork,communicatingwithdestinationsoutsidethecensorednetwork.
Todifferentiatethelegitimatefromtheinjectedreplies,werstqueryanon-existentDNSserveroutsidethecensorednetworkwithsensitivenames,andwereceiveonlyinjectedreplies.
WethenqueryanopenDNS2Wechosealongertimeouttobeconservativeinthisanalysis,attemptingtodetectpotentialanomaliesthatwouldnotaffectaresolverusingHold-On.
3WeexcludedlookupsissuesbyanICSImeasurementtool.
4Excludingaknownhigh-volumeDNScrawlerusedforresearch.
Fig.
2.
Comparisonofarrivaltimesforlegitimatepackets(greencross)andpacketsinjectedbycensor(redplus)Fig.
3.
ComparisonofTTLsforlegitimatepackets(greencross)andpacketsinjectedbycensor(redplus)serverwithnon-sensitivenames(suchaswww.
mit.
edu),bywhichwereceiveonlylegitimatereplies.
Withthismethod,wecollectedadatatraceincluding≈100,000queriesandcorrespondingrepliesover9days.
Figures2and3showcomparisonsofRTTsandTTLsobservedoflegitimateDNSpacketsandinjectedpacketsbytheDNScensor.
Itappearsnotdifculttoidentifythelegitimatepacketsfrominjected.
MostinjectedpacketsarrivemuchearlierthanlegitimateonesbecausetheinjectorandtheclientresidewithinthesameISP,whiletheDNSserverresidesinanothercountry.
WefoundthevaluesofIPTTLfromthelegitimateDNSresponsesarequitestableoveraperiodof9days(either44or42),buttheTTLvalueoftheinjectedpacketsvariedintherangeof[0–255],presumablytoavoidsimpleltering.
Inanother10-hourtrace,weselectonepairof(RTT,TTL)every5minutes,andusethisastheexpectedRTTandTTLtovalidateotherpacketsinthefollowingtimewindow.
Inourexperiment,wechangethethresholdofTTLandRTTtoevaluatethefalsepositiverateandfalsenegativerate,asshowninTableI.
Forexample,ifwesetthethresholdFig.
4.
EnvironmentofDNSproxyofTTLto1(thatis,thereplyisvalidonlyifTTL∈[expectedTTL1,expectedTTL+1])andsetthethresholdofRTTto0.
5·expectedRTT(thatis,thereplyisvalidonlyifitdoesnotarrive0.
5·expectedRTTearlierthanexpected),thentheapproachdoesnotgenerateanyfalsepositivesornegatives.
TTLthresholdRTTthresholdFP(%)FN(%)0-20.
50030.
500.
0140.
500.
0650.
500.
0760.
500.
1070.
500.
1120.
15.
96020.
21.
53020.
3-0.
80020.
900.
31TABLEIFALSEPOSITIVE(FP)ANDFALSENEGATIVE(FN)RATESCORRESPONDINGTODIFFERENTTHRESHOLDSFORIPTTLANDRTTDIFFERENCES.
V.
IMPLEMENTATIONANDEVALUATIONWeimplementedaDNSproxytoexplorehowHold-Onworksinpractice.
TheproxyoperatesasaDNSforwarderthataimstoprotectagainstDNSinjectionbyon-pathadversaries,asillustratedinFigure4.
A.
DesignandimplementationofaDNSproxyToestimatetheexpectedRTTandTTLto/fromtheremoterecursiveresolver,theproxyissuesrequestsuponstart-upfornon-sensitivenames.
5ToestimatetheRTT,theresolverqueriesthesamenamemultipletimes,selectingtheminimumofRTTobserved.
Theresolverexcludestherstquery,be-causeitmightincludeadditionaltimeconsumedbytheservertoresolvethenamerecursively,ratherthanansweringfromitscache.
TheexpectedTTL(s)shouldtypicallyremainconstant,butcouldvaryduetoroutingchanges.
6WeassumethatthesetofexpectedTTLsdoesnotvaryinameasurementperiod(seebelow).
Inourcurrentimplementation,thesethasonlyonevalue.
Duringitsnormaloperation,aseparatethreadrepeats5Itcouldinsteadsimplymonitorinitialqueriesforduplicatereplies,andformulateitsestimatesfromthosethatengenderonlyasinglereply.
Doingsowouldalsohelpwithcombatinginjectionfromattackerswhohavedifferentgoalsthancensorship.
6ApotentiallypathologicalcasewouldberepliesthatvaryacrossasetofarrivingTTLvaluesduetotheuseofper-owload-balancingthatcausesdifferentrepliestotakedifferentroutes.
Algorithm1Hold-OnandValidationforDNSProxyTimeout←5whileGetDNSRequestFromClient(request)doretry←1;gotAnyReply←falserepeatForwardRequestToResolver(Resolver,request);StartHoldOnTimer(retry·Timeout);whileNOTTimeoutandGetDNSReply(replyPkt)dogotAnyReply←true{fromserverorinjector}ifValidateDNSSECOK(replyPkt)thenSendDNSReplyToClient(replyPkt.
msg)StopHoldOnTimer()returnelseifValidateTTLOK(replyPkt.
ipTTL)andValidateRTTOK(replyPkt.
RTT)thenSendDNSReplyToClient(replyPkt.
msg)StopHoldOnTimer()returnelseDropAndLog(replyPkt)endifendwhileretry←retry+1untilretry==3ifgotAnyReplythen{Novalidreply,returnthelatestnon-validatingreply}SendDNSReplyToClient(replyPkt.
msg)endifendwhilethismeasurement(see§IV-B)periodically(suchasevery5minutes)andupdatestheexpectedRTTandTTLvaluesadaptedtopotentialchangeofnetworkstatus.
Algorithm1detailshowtheproxyprocesseswithDNSrequestsandreplies.
WhentheproxyreceivesaDNSrequestfromitsclient(enduserorDNSforwarder),itforwardstherequesttotheremoterecursiveresolverandstartstheHold-Ontimer.
Wesettheinitialvalueofthetimerto5seconds;ifnolegitimatereplyafterthetimerexpires,weresetthetimerto10sforthesecondtry,andsimilarlyto15sforthethirdtry.
IftheproxyreceivesaDNSreply(fromeithertheremotere-cursiveresolver,oraninjector),itvalidatesbothTTLandRTTagainsttheexpectedvalues(theexpectedTTLscouldincludemultiplevaluesbecauseofmultiplepathstotheresolver).
IftherequestisDNSSECenabled,thecorrespondingreplyshouldalsobecheckedwithDNSSECoptions(notimple-mentedyetinourprototype).
ForDNSSEC-disabledrequests,ValidateDNSSECOKalwaysreturnsfalse.
ValidateRTTOKandValidateTTLOKreturntrueif:expectedRTTreplyPkt.
RTTOpenDNSHomepage.
"http://www.
opendns.
com/.
[20]"DNSSurvey:OpenResolvers.
"http://dns.
measurement-factory.
com/surveys/openresolvers.
html.
[21]P.
AlbitzandC.
Liu,DNSandBIND,5thEdition.
O'Reilly,2006.
[22]"DNS:Theforwardingtimeoutvalueshouldbe2to10seconds,"2010.
http://technet.
microsoft.
com/en-us/library/ff807396(WS.
10).
aspx.
[23]V.
Paxson,"Bro:asystemfordetectingnetworkintrudersinreal-time,"ComputerNetworks,vol.
31,no.
23-24,pp.
2435–2463,1999.
乌云数据主营高性价比国内外云服务器,物理机,本着机器为主服务为辅的运营理念,将客户的体验放在第一位,提供性价比最高的云服务器,帮助各位站长上云,同时我们深知新人站长的不易,特此提供永久免费虚拟主机,已提供两年之久,帮助了上万名站长从零上云官网:https://wuvps.cn迎国庆豪礼一多款机型史上最低价,续费不加价 尽在wuvps.cn香港cera机房,香港沙田机房,超低延迟CN2线路地区CPU...
舍利云怎么样?舍利云推出了6核16G超大带宽316G高性能SSD和CPU,支持全球范围,原价516,折后价200元一月。原价80美元,现价30美元,支持地区:日本,新加坡,荷兰,法国,英国,澳大利亚,加拿大,韩国,美国纽约,美国硅谷,美国洛杉矶,美国亚特兰大,美国迈阿密州,美国西雅图,美国芝加哥,美国达拉斯。舍利云是vps云服务器的销售商家,其产品主要的特色是适合seo和建站,性价比方面非常不错,...
ZJI怎么样?ZJI是一家成立于2011年的商家,原名维翔主机,主要从事独立服务器产品销售,目前主打中国香港、日本、美国独立服务器产品,是一个稳定、靠谱的老牌商家。详情如下:月付/年付优惠码:zji??下物理服务器/VDS/虚拟主机空间订单八折终身优惠(长期有效)一、ZJI官网点击直达香港葵湾特惠B型 CPU:E5-2650L核心:6核12线程内存:16GB硬盘:480GB SSD带宽:5Mbps...
opendns为你推荐
设备ipad支持ipad支持ipad步骤ios重庆网通重庆联通现在有哪些资费???win10445端口Win10系统开放端口号怎样查看?ipad上网ipad上网速度很慢怎么回事?ms17-010win1038度古贝春珍藏10价格?重庆电信宽带管家重庆电信宽带多少钱一个月win7关闭135端口如何用命令关闭135端口
虚拟主机租用 西部数码vps 域名备案批量查询 阿里云搜索 php主机 parseerror css样式大全 警告本网站 镇江联通宽带 警告本网站美国保护 网站木马检测工具 中国电信测网速 美国堪萨斯 网游服务器 工信部网站备案查询 qq金券 lamp架构 广东主机托管 架设代理服务器 server2008 更多