similaropendns

opendns  时间:2021-05-20  阅读:()
Hold-On:ProtectingAgainstOn-PathDNSPoisoningHaixinDuan,NicholasWeaver,ZongxuZhao,MengHu,JinjinLiang,JianJiang,KangLiandVernPaxson§TsinghuaUniversity,Beijing,CNduanhx@tsinghua.
edu.
cnInternationalComputerScienceInstitute,Berkeley,CA,USAUniversityofGeorgia,Athens,GA,USA§UniversityofCalifornia,Berkeley,CA,USAUniversityofCaliforniaSanDiego,CA,USAAbstract—SeveralattacksonDNSinjectforgedDNSreplieswithoutsuppressingthelegitimatereplies.
Currentimplementa-tionsofDNSresolversarevulnerabletoacceptingtheinjectedrepliesiftheattacker'sreplyarrivesbeforethelegitimateone.
InthecaseofregularDNS,thisbehaviorallowsanattackertocorruptavictim'sinterpretationofaname;forDNSSEC-protectednames,itenablesdenial-of-service.
Wearguethattheresolvershouldwaitafterreceivinganinitialreplyfora"Hold-On"periodtoallowasubsequentlegitimatereplytoalsoarrive.
Weevaluatethefeasibilityofsuchanapproachanddiscussourimplementationofaprototypestubresolver/forwarderthatvalidatesDNSrepliesusingHold-On.
ByvalidatingtheIPTTLandthetimingofthereplies,weshowthattheresolvercanidentifyDNSpacketsinjectedbyanation-statecensorshipsystem,andthatitfunctionswithoutperceptibleperformancedecreaseforundisruptedlookups.
I.
INTRODUCTIONTheDomainNameSystem(DNS)providesacriticalnet-workservice,andfacesavarietyofattacksrangingfromblindpacketinjectiontoactiveman-in-the-middleattacks.
OneattackofconcernregardsDNSpoisoningbasedonpacketinjection,whereanattackerwhocanobserveandinjecttrafcinsertsfakerepliestoqueries.
Severaltypesofadversariescanemploysuchattacks,includingattackersusingsystemsonsharedWiFinetworks,ISPsseekingtoimposecontent-basedusagepolices,andgovernmentcensorship[1].
OneparticulardesignchoiceofDNSmakestheseattackseasy.
TheDNSstandardrecommendsthataDNSresolverreturnsananswerassoonasitreceivesamatchingreply[2],inordertoprovideareplyasquicklyaspossible.
Inaddition,evenDNSSEC-validatingresolverslikelywillsufferadenial-of-serviceattackuponreceiptofaninjectedreply:thenon-validatingresponseleadstheresolvertoreturnaresponseof"Bogus"[3]unlessitcontinuestowaitforareplythatproperlyvalidates.
WeexploretheopportunityofcounteringDNSinjectionattacksbasedontheobservationthatpacketinjection(ratherthanfullman-in-the-middleattacks)cannotsuppressthere-ceiptoflegitimatereplies.
Thus,ifresolverreceivesareplysoonerthanexpected,insteadofreturningtheresultimme-diately,itcanwaitfora"Hold-On"intervaltoseewhetheradditionalresponsesarrive.
Thekeyquestionsforthisapproachare(1)towhatdegreesuchambiguousrepliesoccurinnormaltrafc,whichwillleadtoHold-Onintroducingdifferentresolverbehaviorthanoccurstoday,and(2)howmuchextradelayusersencounterduetotheuseofHold-On.
Ourevaluationshowsthatreceivingtwodifferingrepliestothesamequestionoccursonlyveryrarelyinnormaltrafc,whichestablishesthatthisconditionallowsforeffectiveanomalydetection.
Wealsopresentpreliminaryresultssuggestingthattheextradelayimposedonusersisquiteminor.
WehaveimplementedaDNSproxythatusesHold-Onandevaluateitseffectivenessagainstawidelydeployednetworkcensorshiptool.
WendthatourprototypecaneffectivelylteroutfakeDNSreplies,anddoesnotappeartointroduceanyperceptibleincreaseindelay.
II.
OVERVIEWOFTHEPROBLEMSPACEA.
TaxonomyofattacksAttackersagainstDNSfallintothreecategories:off-path,on-path,andin-path.
Anoff-pathadversarylackstheabilitytoobserveDNSqueriesandresponses.
SuchanattackerwillgenerallyemploysomemeanstotriggerspecicDNSlookups,butmustguessthetransactionID[4],[5]andanyotherentropy(suchasthesourceportand0x20encoding[6])intherequesttoforgeareplythattheresolverwillaccept.
Off-pathadversariesgenerallygeneratenumerouspacketsinhopesofmatchingtherequest.
Additionally,becauseresolversdonotissuenewqueriesforanamethatisalreadycached,off-pathadversarieshavedifcultytargetingstubresolvers,sincestubs,unlikerecursiveresolvers,donotgenerallyacceptandpromoteglueentries(thebehaviorleveragedby[5]).
Anon-pathadversaryhastheabilitytopassivelyobservetheactuallookupsrequestedbyaresolver.
On-pathadversariescandirectlyforgeDNSrepliesthatmatchthefullsetofcriteriausedbytheresolvertovalidateanswers(otherthanuseofDNSSEC).
Aslongasaforgedreplyarrivesattheresolverbeforethelegitimateone,theresolverwillaccepttheinjectedanswerandbecomepoisoned.
Absentadenial-of-serviceattackonlegitimateservers,bothoff-pathandon-pathadversarieslacktheabilitytosuppressle-gitimateresponses.
Thus,bothoftheseadversariesnecessarilycreateanobservableartifact:thevictim,ifitwaitssufcientlylong,willreceiveboththeattacker'spacketandthelegitimatereply.
(WeemployedasimilarformofthisanomalytodetectTCPresetinjectionattacks[7].
)Onlyanin-pathadversary,capableofblockingandmodifyingpackets,canpreventthelegitimatereplyfromreachingthevictim.
Althoughin-pathapproacheshavemorepower,on-pathap-proacheshaveseveraladvantages,makingtheiruseappealingforattackers.
Censorshiptoolscommonlyuseon-pathratherthanin-pathtechniquestoeasedeploymentandtomakethesystemfailureandloadtolerant,asthecensorshipsystemcanthenoperateonatrafcmirrorratherthanthelivetrafc.
1Similarly,on-pathWiFipacketinjectionworkswithoutmodifyingdrivers,butsuppressinglegitimaterepliesrequireshardware-specicaccesstothelow-levelairinterfacetodetectandsquelchabroadcastinight.
B.
VulnerabilityofcurrentimplementationsSystemsthatimplementtheDNSstandard[2],[8]arevulnerabletoon-pathspoong,despitethepresenceofthelaterlegitimatereply,becausetheresolverattemptsto"gettheanswerasquicklyaspossible"[2].
Uponreceivingareply,theresolvercheckstheIDeldintheheaderandthenwill"verifythatthequestionsectioncorrespondstotheinformationcurrentlydesired"[8].
Clearly,thesestepsdonotprovidesufcientdiligence,asthedesigngoalofquicklyreturningananswercausestheresolvertoreturntheattacker'svalue.
DNSSECaddscryptographicauthenticationtopreventtheacceptanceofinvalidDNSreplies[9],[10],[3].
Althoughattackerscannotredirectvictimsusingspoofedreplies,theycanstillperformdenial-of-serviceattack,whichwilloftensufcetosatisfyacensor'sobjective.
DOSoccursbecausetheresolverwillattempttoprocesstheattacker'spacket,determinethattheDNSSECsignatureisabsentorinvalid,andimmediatelyreturn"Bogus",deprivingtheclientfromtheabilitytoconnecttothehostcorrespondingtothename.
Becauseofthisbehavior,DNSSECdoesnotsufceasareplacementforamechanismsuchasHold-On:resolversneedtomaintainanopenportforaperiodoftimeinordertoattempttovalidateallresponsesreceivedforaquery,notjusttherst.
C.
OtherrelatedworkDNShasalonghistoryofpoisoningattacks[4],[5],[11],[12].
Besidethosementionedabove,severalpreviouseffortscounterDNSpoisoningattackbyincreasingthedifcultyofblindlyinjectingDNSanswers[13],[14],[6],[15].
Theseeffortsfocusondeterringoff-pathinjectionbyincreasingtheinformationentropyrequiredtomatchavalidDNSreply.
Ourwork,however,addressesthethreatfromattackersthatcanobservequeries,whichallowsthemtocircumventthesepreviousdefenses.
1TCPtrafccontroltoolsalsohaveusedthisvantagepoint.
Forexample,ComcastdeployedSandvine'sPolicyTrafcSwitchdevicestodisruptBitTor-renttrafcinanon-pathconguration[7],eventhoughthedevicesthemselvessupportedin-pathoperation.
Poisoningattacksbasedonon-pathinjectionarenotlimitedtoDNS.
Maliciousinjection,suchasTCPRSTandICMPunreachablemessages,havebeenusedinbothindividualattacks[7]andISP-scalecensorship[16],[17].
SimilartoDNSpoisoning,trafcsentfromtheremotepeerofthelegitimatecommunicationwillstillarriveatthevictimafterthesemaliciousinjections.
Therefore,theuseofHold-Onmechanismssimilartothoseexploredherewilllikelyhaveapplicabilitytodeterthesemaliciousinjectionsaswell.
III.
HOLD-ONANDDILIGENTVALIDATIONAsaconsequenceoftheinabilityforon-pathattackerstosuppresslegitimatereplies,weinvestigatethebenetsofstubresolversorforwarderswaitingfora"Hold-On"periodtoallowsubsequentlegitimaterepliestoarrive.
Partofthisprocedureentailsvalidatingreplieswithmorediligencewhenaresolverreceivestwoormorerepliesforthesamequestion.
ThisimprovementeffectivelyprotectsagainstDNSinjectionsinthecaseofnon-disruptiveattacks,wheretheattackerlackstheabilitytotoblockeithertheresolver'srequestortheauthority'sresponse.
A.
AssumptionsWepredicateourapproachonthefollowingassumptions,whichweviewasreasonablebasedonourexperiencewithcensorshipactivitythatemployson-pathinjectors:(1)Theuserunderattackorcensorshipisabletoaccessatrustworthyrecursiveresolveroutsideoftheattackedorcensorednetworks,suchasGooglePublicDNS[18]andOpenDNS[19],whichtheyfrequentlyuse.
Inparticular,inthecensorshipcase,weassumethatthecensordoesnotblockaccesstothisresolver,whichweargueisaplausibleassumptiongiventhelargenumber(158,364inJanuary2012)ofknownopenresolvers[20].
(2)Theattacker/censorinjectsfakeresponsesaccordingtoablacklistratherthanawhitelist.
Thatis,theuserknowssomenon-sensitivedomainnamesthatcanbeusedtomeasurenormal(non-interferedbytheattacker)communicationbe-tweentheclient(stubresolver)andtheDNSserver(recursiveresolver).
(3)Theattackerinjectsfakerepliesasquicklyaspossibleinordertoensurethattherepliesarriveearlierthanthelegitimateones.
Hence,theinjectionmechanismwilltransmitimmediatelyuponseeingtheclient'srequest.
Themechanismcannotwaitforthearrivalofthelegitimatereplyfromtheserverbecausebydoingso,theinjectionmayarriveafterit,andfailtowork.
(4)TheattackercannotconstructaproperlysignedDNSSECresponse.
Basedontheseassumptions,thestubresolvercanestimatewhenitexpectslegitimaterepliestoarrive,inordertodiscernbetweeninjectedrepliesandcorrectones.
B.
Hold-OnandValidationThestubresolverorforwarderneedstorstlearntheexpectedRTTandhop-countdistance(intermsofexpectedFig.
1.
Hold-OnwhilewaitingforalegitimateDNSreply.
TTL)associatedwithcommunicationinvolvingitsremoterecursiveresolver,whichitdoesusingactivemeasurement.
(Recallthatwepresumetheremoteresolverliesoutsideofthecensorednetwork.
)Uponstart-up,theresolverissuesaseriesofnon-sensitivequeriestomeasuretheinitialRTTandTTLseenonarrivingrepliesforentriescachedattheremoteresolverbyrepeatedlyqueryingforthesamename.
Duringthisperiod,theresolvermaintainsanopenportforanadditionalperiodtovalidatethatanon-pathadversaryhasnottamperedwiththeseinitialmeasurementsbyinjectingreplies.
Duringnormaloperation,thestubresolveralsocontinuallyupdatesthesevaluesbasedonpassivemeasurementsofitsongoingtrafc.
GivenestimatesofthelegitimateRTTandTTL,theresolverworksasshowninFigure1:(1)AfterissuingaDNSquery,theresolverstartsitsHold-Ontimer.
Anaturalsettingforthetimerwouldbe15seconds,asthisreectsthedefaulttimeoutvalueforboththeBINDresolver[21,p.
108]andMicrosoftWindows[22].
Naturally,inmostcasestheresolverwillreturnmuchsooner,unlesstheremoteresolverisunreachable.
(2)WhentheresolverexpectsaDNSSEC-protectedre-sponse,foreachreplyitperformsalocalsignaturevalidation.
Itreturnstotheclienttherstfullyvalidatedreply.
IfitndsallrepliesaseitherInsecure,Bogus,orIndeterminate[3,p.
20],andtheHold-Ontimerexpires,theresolverreturnsaDNSSECerror.
(3)WithoutDNSSEC,uponreceivingareplybeforetheHold-Ontimerexpires,theresolverperformstwoadditionalvalidations:Timing.
DoesthereplyarrivestooearlyThetestweusehereisforrepliesthatarrivesoonerthanhalfoftheexpected(measurement-derived)RTT.
Wenotethattheresolvercouldalsodeterminethisthresholdmorepreciselybymeasuringknowninjectionsintheresolver'sactualenvironmentbygeneratingqueriesforcensorednamestonon-existentresolvers.
TTL.
DoestheTTLeldintheIPheaderhavetheexpectedvalue(s)WeassumethattheroutebetweentheremoteDNSserverandtheclientisstableinatleastshortperiods(suchas5minutes),sowecangetandupdatetheexpectedTTLsbyperiodicalmeasurement.
Uponobservingeitheroftheabovemismatches,theresolverignorestheresponseandcontinuestowait.
IfontheotherhandareplyarrivesbeforetheHold-Ontimeexpiresandvalidatesbasedontheabovetests,theresolveracceptsthenewreplyandreturnsittotheclient.
IfthestubresolverreceivesnovalidreplybeforetheHold-Ontimerexpires,itreturnsthelatestnon-validatingreplyitobserved.
Doingsomeansthatinthepresenceofsignicantlychangednetworkconditions,usersexperiencedelay,butnotinadvertentblockingoftheiraccess.
Inmostcases,theresolverwillnotwaituntiltheHold-Ontimertimingout;itwillstopwaitinguponreceiptofalegitimateresponse.
Thus,generallythisapproachwillnotcauseextradelay,exceptinthecasethatnetworkconditionshavechangedsuchthatlegitimaterepliesnowreturnsoonerandwithoutDNSSECprotection.
IV.
FEASIBILITYASSESSMENTToassesstheviabilityofourapproach,weinvestigatethephenomenonofobservingmultiplerepliesforasingleDNSqueryinbothacensorednetworkandanon-censorednetwork.
Inthelatter,welookatwhethernormalDNStrafcgeneratessuchreplies;thatis,whetherHold-Onandvalidationcouldcausesignicantfalsepositives.
Inthecensorednetwork,weassesshowdifferenttheinjectedrepliesappearfromthelegitimateones,whichindicateswhethertheapproachcouldsufferfromsignicantfalsenegatives.
A.
ObservationinanuncensorednetworkWecanviewuseoftheHold-Onapproachasaformofanomalydetector,lookingforaconditionthatrepresentsanattack.
Althoughitisclearthatapacket-injectionbasedDNSattackmustcreateananomalywheretheclientreceivestwodistinctreplies,wemustensurethatnormalDNStrafcdoesnotgeneratetheseanomalies,as,insomecases,theremaybenoeffectiveresolutionbeyondsimplynotingtheattackandreturningnovalidanswerifitprovesimpossibletoheuristicallydistinguishanattacker'spacketfromalegitimatenon-DNSSECsignedreply.
Iftheresolversimplyignoresrepliesitcannotvalidate(andreturnsthelastsuch,ifnovalidrepliesarereceived),thensuchanomaliesarisinginlegitimatetrafcwillnotinfactcauseanyproblems.
If,however,theresolveragssuchrepliesasreectinganattack,thenthesefalsepositiveswillincuradegreeofcollateraldamage.
WedevelopedaBro[23]IDSpolicyscripttodirectlydetectanomaloussecondaryDNSreplies.
ThisscriptoperatesbytrackingallDNSrequestsandmatchingreplies,checkinganysubsequentreplythatarriveswithina1-minutetimeout2todeterminewhetherthenumberofrecordsinthereplyandthecontentsofeachareunchanged.
WevalidatedthatthisscriptaccuratelydetectsattackpacketsusingtracesofinjectedpacketswecapturedbysendingDNSqueryrequeststhattransitedanetworkthatusesDNS-basedpacket-injectioncensorship.
Weranthisscriptagainst6daysofnormalDNStrafccapturedatICSI'sborder,consistingof11,700,000DNSrequests.
3DuringthisperiodweobservednoDNSanomaliesthatwouldcreateafalsepositive,onlydeliberatetestingintendedtotriggeraDNScensorshipsystem.
Runningona1.
5hourtracegatheredinAugust2011attheUCBerkeleycampusborder(atotalof15.
2MDNStransactions,4bothinboundandoutbound),weobservedtwobenignauthoritiesthattriggeredthebasicanomalydetector.
Therstserver,anauthorityserverfortheBBC,returnedtwodistinctrepliesforthesamequeryforseveralnames.
Althoughdistinctinvalue,bothvalueswerewithinthesame/24subnet.
Thesecond,anauthorityforbusinessinsider.
com,returnedtwovaluesforthesamequery.
TherstreplywasaCNAMEtoanexternaldomainwiththerootauthorityinformationincludedinthereply,whilethesecondwasaSERVFAILcontainingthesameCNAMEbutnoauthorityoradditionalelds,triggeringthealert.
WealsoobservedbothmultipleincidentsofDNScensorship(causedbylocalusersconguredtouseresolversinacensoredcountry)andafewfalse-positivesduetoscriptbugsthatwouldnotdisruptaHold-Onresolver.
B.
ObservationinacensorednetworkToassesspotentialfalsenegatives,wetriggeraDNScensor-shipsystemtoinjectDNSreplieswithsensitivedomainnames(suchastwitter.
com).
Wegeneratedthesemeasurementsfromwithinthecensorednetwork,communicatingwithdestinationsoutsidethecensorednetwork.
Todifferentiatethelegitimatefromtheinjectedreplies,werstqueryanon-existentDNSserveroutsidethecensorednetworkwithsensitivenames,andwereceiveonlyinjectedreplies.
WethenqueryanopenDNS2Wechosealongertimeouttobeconservativeinthisanalysis,attemptingtodetectpotentialanomaliesthatwouldnotaffectaresolverusingHold-On.
3WeexcludedlookupsissuesbyanICSImeasurementtool.
4Excludingaknownhigh-volumeDNScrawlerusedforresearch.
Fig.
2.
Comparisonofarrivaltimesforlegitimatepackets(greencross)andpacketsinjectedbycensor(redplus)Fig.
3.
ComparisonofTTLsforlegitimatepackets(greencross)andpacketsinjectedbycensor(redplus)serverwithnon-sensitivenames(suchaswww.
mit.
edu),bywhichwereceiveonlylegitimatereplies.
Withthismethod,wecollectedadatatraceincluding≈100,000queriesandcorrespondingrepliesover9days.
Figures2and3showcomparisonsofRTTsandTTLsobservedoflegitimateDNSpacketsandinjectedpacketsbytheDNScensor.
Itappearsnotdifculttoidentifythelegitimatepacketsfrominjected.
MostinjectedpacketsarrivemuchearlierthanlegitimateonesbecausetheinjectorandtheclientresidewithinthesameISP,whiletheDNSserverresidesinanothercountry.
WefoundthevaluesofIPTTLfromthelegitimateDNSresponsesarequitestableoveraperiodof9days(either44or42),buttheTTLvalueoftheinjectedpacketsvariedintherangeof[0–255],presumablytoavoidsimpleltering.
Inanother10-hourtrace,weselectonepairof(RTT,TTL)every5minutes,andusethisastheexpectedRTTandTTLtovalidateotherpacketsinthefollowingtimewindow.
Inourexperiment,wechangethethresholdofTTLandRTTtoevaluatethefalsepositiverateandfalsenegativerate,asshowninTableI.
Forexample,ifwesetthethresholdFig.
4.
EnvironmentofDNSproxyofTTLto1(thatis,thereplyisvalidonlyifTTL∈[expectedTTL1,expectedTTL+1])andsetthethresholdofRTTto0.
5·expectedRTT(thatis,thereplyisvalidonlyifitdoesnotarrive0.
5·expectedRTTearlierthanexpected),thentheapproachdoesnotgenerateanyfalsepositivesornegatives.
TTLthresholdRTTthresholdFP(%)FN(%)0-20.
50030.
500.
0140.
500.
0650.
500.
0760.
500.
1070.
500.
1120.
15.
96020.
21.
53020.
3-0.
80020.
900.
31TABLEIFALSEPOSITIVE(FP)ANDFALSENEGATIVE(FN)RATESCORRESPONDINGTODIFFERENTTHRESHOLDSFORIPTTLANDRTTDIFFERENCES.
V.
IMPLEMENTATIONANDEVALUATIONWeimplementedaDNSproxytoexplorehowHold-Onworksinpractice.
TheproxyoperatesasaDNSforwarderthataimstoprotectagainstDNSinjectionbyon-pathadversaries,asillustratedinFigure4.
A.
DesignandimplementationofaDNSproxyToestimatetheexpectedRTTandTTLto/fromtheremoterecursiveresolver,theproxyissuesrequestsuponstart-upfornon-sensitivenames.
5ToestimatetheRTT,theresolverqueriesthesamenamemultipletimes,selectingtheminimumofRTTobserved.
Theresolverexcludestherstquery,be-causeitmightincludeadditionaltimeconsumedbytheservertoresolvethenamerecursively,ratherthanansweringfromitscache.
TheexpectedTTL(s)shouldtypicallyremainconstant,butcouldvaryduetoroutingchanges.
6WeassumethatthesetofexpectedTTLsdoesnotvaryinameasurementperiod(seebelow).
Inourcurrentimplementation,thesethasonlyonevalue.
Duringitsnormaloperation,aseparatethreadrepeats5Itcouldinsteadsimplymonitorinitialqueriesforduplicatereplies,andformulateitsestimatesfromthosethatengenderonlyasinglereply.
Doingsowouldalsohelpwithcombatinginjectionfromattackerswhohavedifferentgoalsthancensorship.
6ApotentiallypathologicalcasewouldberepliesthatvaryacrossasetofarrivingTTLvaluesduetotheuseofper-owload-balancingthatcausesdifferentrepliestotakedifferentroutes.
Algorithm1Hold-OnandValidationforDNSProxyTimeout←5whileGetDNSRequestFromClient(request)doretry←1;gotAnyReply←falserepeatForwardRequestToResolver(Resolver,request);StartHoldOnTimer(retry·Timeout);whileNOTTimeoutandGetDNSReply(replyPkt)dogotAnyReply←true{fromserverorinjector}ifValidateDNSSECOK(replyPkt)thenSendDNSReplyToClient(replyPkt.
msg)StopHoldOnTimer()returnelseifValidateTTLOK(replyPkt.
ipTTL)andValidateRTTOK(replyPkt.
RTT)thenSendDNSReplyToClient(replyPkt.
msg)StopHoldOnTimer()returnelseDropAndLog(replyPkt)endifendwhileretry←retry+1untilretry==3ifgotAnyReplythen{Novalidreply,returnthelatestnon-validatingreply}SendDNSReplyToClient(replyPkt.
msg)endifendwhilethismeasurement(see§IV-B)periodically(suchasevery5minutes)andupdatestheexpectedRTTandTTLvaluesadaptedtopotentialchangeofnetworkstatus.
Algorithm1detailshowtheproxyprocesseswithDNSrequestsandreplies.
WhentheproxyreceivesaDNSrequestfromitsclient(enduserorDNSforwarder),itforwardstherequesttotheremoterecursiveresolverandstartstheHold-Ontimer.
Wesettheinitialvalueofthetimerto5seconds;ifnolegitimatereplyafterthetimerexpires,weresetthetimerto10sforthesecondtry,andsimilarlyto15sforthethirdtry.
IftheproxyreceivesaDNSreply(fromeithertheremotere-cursiveresolver,oraninjector),itvalidatesbothTTLandRTTagainsttheexpectedvalues(theexpectedTTLscouldincludemultiplevaluesbecauseofmultiplepathstotheresolver).
IftherequestisDNSSECenabled,thecorrespondingreplyshouldalsobecheckedwithDNSSECoptions(notimple-mentedyetinourprototype).
ForDNSSEC-disabledrequests,ValidateDNSSECOKalwaysreturnsfalse.
ValidateRTTOKandValidateTTLOKreturntrueif:expectedRTTreplyPkt.
RTTOpenDNSHomepage.
"http://www.
opendns.
com/.
[20]"DNSSurvey:OpenResolvers.
"http://dns.
measurement-factory.
com/surveys/openresolvers.
html.
[21]P.
AlbitzandC.
Liu,DNSandBIND,5thEdition.
O'Reilly,2006.
[22]"DNS:Theforwardingtimeoutvalueshouldbe2to10seconds,"2010.
http://technet.
microsoft.
com/en-us/library/ff807396(WS.
10).
aspx.
[23]V.
Paxson,"Bro:asystemfordetectingnetworkintrudersinreal-time,"ComputerNetworks,vol.
31,no.
23-24,pp.
2435–2463,1999.

PacificRack(年付低至19美元),夏季促销PR-M系列和多IP站群VPS主机

这几天有几个网友询问到是否有Windows VPS主机便宜的VPS主机商。原本他们是在Linode、Vultr主机商挂载DD安装Windows系统的,有的商家支持自定义WIN镜像,但是这些操作起来特别效率低下,每次安装一个Windows系统需要一两个小时,所以如果能找到比较合适的自带Windows系统的服务器那最好不过。这不看到PacificRack商家有提供夏季促销活动,其中包括年付便宜套餐的P...

HostSailor:罗马尼亚机房,内容宽松;罗马尼亚VPS七折优惠,罗马尼亚服务器95折

hostsailor怎么样?hostsailor成立多年,是一家罗马尼亚主机商家,机房就设在罗马尼亚,具说商家对内容管理的还是比较宽松的,商家提供虚拟主机、VPS及独立服务器,今天收到商家推送的八月优惠,针对所有的产品都有相应的优惠,商家的VPS产品分为KVM和OpenVZ两种架构,OVZ的比较便宜,有这方面需要的朋友可以看看。点击进入:hostsailor商家官方网站HostSailor优惠活动...

百纵科技,美国独立服务器 E52670*1 32G 50M 200G防御 899元/月

百纵科技:美国高防服务器,洛杉矶C3机房 独家接入zenlayer清洗 带金盾硬防,CPU全系列E52670、E52680v3 DDR4内存 三星固态盘阵列!带宽接入了cn2/bgp线路,速度快,无需备案,非常适合国内外用户群体的外贸、搭建网站等用途。C3机房,双程CN2线路,默认200G高防,3+1(高防IP),不限流量,季付送带宽美国洛杉矶C3机房套餐处理器内存硬盘IP数带宽线路防御价格/月套...

opendns为你推荐
addresschrome蓝牙itunes菏泽市牡丹区实验小学配置routegeneratedgoogle三星iphone重庆网通重庆网通上网资费目前是多少? 小区宽带接入类型的ipad连不上wifiiPad mini WiFi开关成灰色无法连接,怎么办css下拉菜单html+css下拉菜单怎么制作xp关闭445端口Windows XP系统 关闭445端口后无法上网,求解?
免费云主机 香港vps主机 工信部域名备案系统 企业域名备案 l5639 idc评测网 网通代理服务器 发包服务器 ibox官网 福建天翼加速 jsp空间 softbank邮箱 idc是什么 佛山高防服务器 服务器托管什么意思 shopex主机 超级服务器 宏讯 中国电信测速器 789 更多