Mingxuan Liu (Zhongguancun Laboratory; Tsinghua University), Yiming Zhang (Tsinghua University), Xiang Li (Tsinghua University), Chaoyi Lu (Tsinghua University), Baojun Liu (Tsinghua University), Haixin Duan (Tsinghua University; Zhongguancun Laboratory), Xiaofeng Zheng (Institute for Network Sciences and Cyberspace, Tsinghua University; QiAnXin Technology Research Institute & Legendsec Information Technology (Beijing) Inc.)

Domain names are often registered and abused for harmful and illegal Internet activities. To mitigate such threats, as an emerging security service, Protective DNS (PDNS) blocks access to harmful content by proactively offering rewritten DNS responses, which resolve malicious domains to controlled hosts. While it has become an effective tool against cybercrime, given their implementation divergence, little has been done from the security community in understanding the deployment, operational status and security policies of PDNS services.

In this paper, we present a large-scale measurement study of the deployment and security implications of open PDNS services. We first perform empirical analysis over 28 popular PDNS providers and summarize major formats of DNS rewriting policies. Then, powered by the derived rules, we design a methodology that identifies intentional DNS rewriting enforced by open PDNS servers in the wild. Our findings are multi-faceted. On the plus side, the deployment of PDNS is now starting to scale: we identify 17,601 DNS servers (9.1% of all probed) offering such service. For DNS clients, switching from regular DNS to PDNS induces negligible query latency, despite additional steps (e.g., checking against threat intelligence and rewriting DNS response) being required from the server side. However, we also find flaws and vulnerabilities within PDNS implementation, including evasion of blocking policies and denial of service. Through responsible vulnerability disclosure, we have received 12 audit assessment results of high-risk vulnerabilities. Our study calls for proper guidance and best practices for secure PDNS operation.

View More Papers

DeGPT: Optimizing Decompiler Output with LLM

Peiwei Hu (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China), Ruigang Liang (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China), Kai Chen (Institute of Information Engineering, Chinese Academy of Sciences, China)

Read More

Unus pro omnibus: Multi-Client Searchable Encryption via Access Control

Jiafan Wang (Data61, CSIRO), Sherman S. M. Chow (The Chinese University of Hong Kong)

Read More

Abusing the Ethereum Smart Contract Verification Services for Fun...

Pengxiang Ma (Huazhong University of Science and Technology), Ningyu He (Peking University), Yuhua Huang (Huazhong University of Science and Technology), Haoyu Wang (Huazhong University of Science and Technology), Xiapu Luo (The Hong Kong Polytechnic University)

Read More

Bernoulli Honeywords

Ke Coby Wang (Duke University), Michael K. Reiter (Duke University)

Read More