CAREER: Debugging the Fragmented DNS Infrastructure at Scale


Summary

The Domain Name System (DNS) is one of the most critical Internet infrastructures. It underpins nearly every Internet activity, translating user-friendly names like www.google.com into computer-friendly IP addresses. Though DNS was designed in its blueprint as a highly reliable infrastructure, DNS failures are not rare, sometimes even leading to the network outage of a country. Debugging DNS failures is undoubtedly important but also challenging. Though DNS can be seen as a distributed system, it is open-ended and fragmented, containing numerous service providers and being interfered with by powerful network adversaries. Though the basic logic of DNS is conceptually simple, its implementation is highly customized on client-side devices, and DNS bugs can be caused by complex interactions between code and non-code resources. These unique settings make DNS failures and bugs complex and difficult to diagnose. This project develops novel platforms, techniques, and tools to enable holistic debugging of the DNS infrastructure, through two research thrusts: debugging DNS failures at the network layer, and debugging client-side DNS bugs at the software layer.

People


  • Zhou Li. PI on this project, project leader and professor (UCI EECS).
  • Joann Qiongna Chen. Ph.D. Student Researcher (UCI EECS).
  • Qifan Zhang. Ph.D. Student Researcher (UCI EECS).
  • Xuesong Bai. M.S. Student Researcher (UCI EECS).
  • Xiang Li. Project Specialist (UCI EECS).
  • Xianran Liao. Undergraduate Student Researcher (UCI EECS).
  • Jacob Lee. Undergraduate Student Researcher (UCI EECS, REU Supplemental).
  • David Ning. Undergraduate Student Researcher (UCI EECS, REU Supplemental).

Publications


  • [Security'24] Qifan Zhang, Xuesong Bai, Xiang Li, Haixin Duan, Qi Li and Zhou Li. ResolverFuzz: Automated Discovery of DNS Resolver Vulnerabilities with Query-Response Fuzzing. Accepted by The 33rd USENIX Security Symposium, August, 2024.
  • [S&P'24] Xiang Li, Wei Xu, Baojun Liu, Mingming Zhang, Zhou Li, Jia Zhang, Deliang Chang, Xiaofeng Zheng, Chuhan Wang, Jianjun Chen, Haixin Duan and Qi Li. TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets. In Proceedings of The 45th IEEE Symposium on Security and Privacy, May, 2024.
  • [Security'23a] Xiang Li, Chaoyi Lu, Baojun Liu, Qifan Zhang, Zhou Li, Haixin Duan and Qi Li. The Maginot Line: Attacking the Boundary of DNS Caching Protection. In Proceedings of the 32nd USENIX Security Symposium, August, 2023.
  • [NDSS'23] Xiang Li, Baojun Liu, Xuesong Bai, Mingming Zhang, Qifan Zhang, Zhou Li, Haixin Duan and Qi Li. Ghost Domain Reloaded: Vulnerable Links in Domain Name Delegation and Revocation. In Proceedings of the 30th Annual Network and Distributed System Security Symposium, February, 2023.
  • [ACCESS] Xianran Liao, Jiacen Xu, Qifan Zhang and Zhou Li. A Comprehensive Study of DNS Operational Issues by Mining DNS Forums. In IEEE Access, 2022.
  • [EuroS&P'22] Deliang Chang*, Joann Qiongna Chen*, Zhou Li and Xing Li. Hide and Seek: Revisiting DNS-based User Tracking. In Proceedings of the 7th IEEE European Symposium on Security and Privacy, June, 2022.
  • [CCS'21a] Tianhao Wang, Joann Qiongna Chen, Zhikun Zhang, Dong Su, Yueqiang Cheng, Zhou Li, Ninghui Li, and Somesh Jha. Continuous Release of Data Streams under both Centralized and Local Differential Privacy. In Proceedings of the 28th ACM Conference on Computer and Communications Security, virtual, November, 2021.
  • [SRDS'21] Rebekah Houser, Shuai Hao, Zhou Li, Daiping Liu, Chase Cotton, and Haining Wang. A Comprehensive Measurement-based Investigation of DNS Hijacking. In Proceedings of the 40th International Symposium on Reliable Distributed Systems, virtual, September, 2021.
Talks


  • "Stateful fuzzing for DNS resolvers and beyond" at Google Fuzzing Talk, Feb. 2024
  • "Where are the DNS bugs and how to capture them" at UCR CS, Jan. 2024, Purdue CS, Oct. 2023, UCSD CS, Oct. 2023
  • "Automated Discovery of DNS Resolver Vulnerabilities with Stateful Fuzzing", DNS and Internet Naming Research Directions 2024, virtual, April 2024.
  • "ResolverFuzz: Automated Discovery of DNS Resolver Vulnerabilities with Query-Response Fuzzing", DNS-OARC 42 Workshop, Feb. 2024.
  • "TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets", DNS-OARC 42 Workshop, Feb. 2024.
  • "MaginotDNS: Attacking the Boundary of DNS Caching Protection", Blackhat USA 2023, Las Vegas, August 2023.
  • "Debugging the Fragmented DNS Infrastructure at Scale" at USC CS, Mar. 2023, TAMU CSE, Feb. 2023, and UCLA ECE 209AS, Feb. 2023.
  • "Phoenix Domain Attack: Vulnerable Links in Domain Name Delegation and Revocation" at Blackhat Asia 2023, Singapore, May 2023.
  • "DNS-based User Tracking (Attacks and Defenses)" at DNS and Internet Naming Research Directions 2023, virtual, Feb. 2023.
  • "The Phoenix Domain attack" at ICANN DNS Symposium, Nov. 2022.
  • "Ghost Domain Reloaded: Vulnerable Links in Domain Name Delegation and Revocation" at OARC 39 & 47th CENTR Technical Workshop, Serbia, Oct. 2022.
  • "A Measurement-based Investigation of DNS Hijacking" at DNS and Internet Naming Research Directions 2021, virtual, Nov. 2021 and DNS-OARC 36 Workshop, virtual, Nov. 2021.
Software and Datasets


  • Code for [Security'24]
  • Code and dataset for [ACCESS]
  • Code and dataset for [CCS'21a], including DNS
  • Code and dataset for [EuroS&P'22]
Outreach


  • Content about DNS bugs was integrated into the curriculum of UCI courses: EECS 148/COMPSCI 132 (Intro to Computer Networks), EECS 121 (System Security) and EECS 231 (Advanced System Security).