
Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)

Abstract

The Domain Name Service (DNS) is a critical core component of the global Internet and integral to the majority of corporate intranets. It provides resolution services between the human-readable, name-based system addresses and the machine-operable Internet Protocol (IP) based addresses required for creating network-level connections. It is structured as a globally dispersed tree data structure, from the Global and Country Code Top Level Domains (gTLD/ccTLD) down to the individual site and system leaf nodes. Although highly resilient, it is vulnerable to various attacks, exploits and systematic failures.

