In: Computer Science
4. DNS hijacking is a common technique used by censors (i.e., networks that perform censoring actions), in which fake DNS responses are injected. Because a DNS request may traverse a number of routers along the path, any router on that path could inject a fake DNS response. In the paper "The Collateral Damage of Internet Censorship by DNS Injection", the authors use a technique similar to traceroute to identify the router that actually injects the fake DNS response: they deliberately decrease the TTL (time-to-live) value in the IP header and observe the ICMP packets and fake DNS responses that come back in order to determine which router injects the fake response.

In that paper, DNS is carried over UDP. However, DNS can also be carried over TCP, which expands the attack surface for attackers. Specifically, the censors inject RST packets toward both the client and the server of a TCP connection if a DNS query in that connection carries "sensitive" information. Unlike UDP, TCP requires a three-way handshake, so the packet that carries the sensitive information (e.g., a TCP-based DNS query) will arrive later than the packets of the three-way handshake.

Let us make the following assumptions for this question:

1. DNS over TCP uses a publicly known port number.
2. Censors are stateless, which means that they do not consider whether a TCP packet belongs to an established connection. They make a decision based on each individual packet rather than on the packets belonging to the same connection.

In order to make the method discussed in "The Collateral Damage of Internet Censorship by DNS Injection" useful in this new setting, we need to make a few changes to the method.

Question: Please state whether each of the following changes is needed or not (1 point), and justify your answer (1 point).

a. When you select a target IP to send honey queries to, this IP should never respond to you with TCP RST packets when you send a TCP-based DNS query to it.

b. When you send out a honey query (a TCP-based DNS query with a sensitive domain) to a target IP, you can send this TCP-based DNS query directly to the target IP without first establishing a TCP connection with it (i.e., through the 3-way handshake).

c. You should now expect RST packets from the censor rather than a forged DNS response.
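As an added illustration (not code from the paper or from the question), the following Python simulation models the TTL-stepping localisation method under the question's stated assumptions: a constructed path of routers with one injection point, a stateless censor that judges each packet on its own, and a target host chosen not to answer. The names `Hop`, `Probe`, `Reply`, `send_probe`, `locate_injector` and the example path are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Hop:
    """One router on the path; `injects` marks the censor's injection point (constructed)."""
    name: str
    injects: bool = False


@dataclass
class Probe:
    """A honey query: a DNS query for a 'sensitive' name, sent over UDP or TCP."""
    ttl: int
    transport: str                # "udp" or "tcp"
    sensitive: bool = True
    handshake_done: bool = False  # for TCP: whether a 3-way handshake preceded it


@dataclass
class Reply:
    kind: str                     # "icmp_time_exceeded", "forged_dns" or "rst"
    from_hop: str


def send_probe(path: List[Hop], probe: Probe) -> List[Reply]:
    """Forward the probe hop by hop, decrementing TTL as each router would.

    The censor is modelled as stateless (assumption 2 of the question): it
    judges every packet alone, so `handshake_done` never changes the outcome.
    The destination is assumed to be a host that does not answer, so a probe
    that survives the whole path yields no reply at all.
    """
    ttl = probe.ttl
    replies: List[Reply] = []
    for hop in path:
        ttl -= 1
        # The injector sees every packet that reaches its hop, including one
        # the router is about to discard because its TTL has run out.
        if hop.injects and probe.sensitive:
            kind = "rst" if probe.transport == "tcp" else "forged_dns"
            replies.append(Reply(kind, hop.name))
        if ttl == 0:
            replies.append(Reply("icmp_time_exceeded", hop.name))
            return replies
    return replies


def locate_injector(path: List[Hop], transport: str, max_ttl: int = 30) -> Optional[int]:
    """Step the TTL upward from 1; the first TTL at which an injected reply
    (forged DNS answer for UDP, RST for TCP) appears is the injector's hop number."""
    for ttl in range(1, max_ttl + 1):
        replies = send_probe(path, Probe(ttl=ttl, transport=transport))
        if any(r.kind in ("forged_dns", "rst") for r in replies):
            return ttl
        if not any(r.kind == "icmp_time_exceeded" for r in replies):
            return None  # walked past the last router without seeing injection
    return None


# Constructed example path: five routers, with the censor injecting at hop 3.
EXAMPLE_PATH = [Hop("r1"), Hop("r2"), Hop("r3-injector", injects=True), Hop("r4"), Hop("r5")]

if __name__ == "__main__":
    print("UDP injector hop:", locate_injector(EXAMPLE_PATH, "udp"))
    print("TCP injector hop:", locate_injector(EXAMPLE_PATH, "tcp"))
    control = send_probe(EXAMPLE_PATH, Probe(ttl=5, transport="udp", sensitive=False))
    print("non-sensitive control:", [r.kind for r in control])
```

The control probe with a non-sensitive name only ever produces ICMP time-exceeded messages, which is what distinguishes an injecting hop from an ordinary router: at the injector's hop a sensitive probe produces both the ICMP message and the injected reply, while for smaller TTLs only the ICMP message comes back.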
"The Collateral Damage of Internet Censorship by DNS Injection": the most popular approach involves packet injection. A censorship system observes DNS requests and injects fake replies to block.

First, the DNS server uses the well-known port 53 for all its UDP activities and as its server port for TCP. It uses a random port above 1023 for TCP requests. Yes, DNS over TCP, and DNS uses both TCP and UDP for their reasons. DNS uses TCP for zone transfer. Services not intended for use by the public Internet, such as most recursive name servers, should be protected with IP.

Second, the censors are stateless, which means that they will not consider whether a TCP packet belongs to an established connection. They make decisions based on each individual packet instead of packets belonging to the same connection. Then the stateless firewalls also do not keep track of the status of the network as a whole or the connections made to it. Packet injection's popularity as a censorship mechanism arises from its ease of implementation. The censor needs only to monitor traffic and inject responses. The TCP 3-way handshake is a process which is used in a TCP/IP network to make a connection between the server and client. It is a three-way step process that requires both the client and server to exchange synchronization and acknowledgement packets before the real data communication process starts.

Domain name server hijacking, also named DNS redirection, is a type of DNS attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites. DNS hijacking can be used for pharming. Internet service providers also use a type of DNS hijacking to take over a user's DNS requests, and it collects statistics and returns it when users access an unknown domain. Route hijacking, also called IP hijacking, is the illegitimate takeover of groups of IP addresses by corrupting Internet routing. A fake server set up by the attackers will send a fake IP, and there are a couple of ways in which DNS hijacking is used. We analyze the causes from the diversity of DNS resolution paths, as well as the dynamic routing. We utilize the tool honey queries to detect affected paths. The targets of the honey queries are specially selected destinations, which are hosts we know do not run an active server. Normally no DNS responses are expected for these honey queries. A TCP RST packet is the remote side telling you that the connection on which the previous TCP packet is sent is not recognized; maybe the connection has closed, maybe the port is not open, and something like these. TCP RST means that the connection is not valid, that is, there is no associated session at the remote side. Yes, I expect RST packets from the censor rather than a forged DNS response.