New (and Newly-Changed) Fully Qualified Domain Names: A View of Worldwide Changes to the Internet's DNS

Presented at Black Hat Europe 2015

The Domain Name System (DNS) is highly dynamic, and changes to it are continually taking place. For example, new base domain names get registered and used for the first time, new resource records (and new resource record types such as MX, PTR, AAAA) get created within those base domains, and resource records get set to new values. A single domain can have up to 100 resource records returned at once. Until now, all of those changes were largely overlooked in the flood of DNS traffic available to security analysts and DNS researchers from DNS data-sharing sites. In this presentation, Dr. Paul Vixie will discuss a ground-breaking approach that tames this information fire hose: the creation of two winnowed, real-time data streams, one consisting of newly-observed fully-qualified domain names, and another of DNS changes. These new streams make it easy to identify numerous security-relevant DNS changes. For example, if a prominent web server is subject to a DNS poisoning attack, or its name servers are changed without authorization at the registrar, that hijacked web server will show up in these streams as having experienced a "DNS change." Spam sites that formerly used DNS wildcarding in an attempt to "fly under the radar" are now easily identified, since each of their new pseudo-random Fully Qualified Domain Names (FQDNs) gets tagged as being new. Similarly, operators of fast flux or double fast flux networks can no longer hide. Dr. Vixie will provide practical examples of how this innovative new approach will allow for more timely and effective approaches to combating malicious Internet behavior, including significantly improving brand protection and anti-phishing controls, and increasing situational awareness. He will also discuss limitations associated with this approach, including filtering choices and limitations to the paradigm. His talk will include a demo with Q&A.
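
A minimal sketch of the winnowing idea the abstract describes, added here as an illustration and not the speaker's or Farsight's implementation: raw DNS observations are reduced to a stream of newly observed FQDNs and a stream of changes, and the new-FQDN stream is then grouped by base domain to surface the wildcarding pattern. The observations are constructed, and the names `Winnower`, `winnow`, `wildcard_suspects`, the event labels and the two-label base-domain rule are assumptions made for this example.

```python
from collections import Counter, defaultdict

# Constructed passive-DNS observations (fqdn, rrtype, rdata); not real data.
OBSERVATIONS = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("www.example.com.", "A", "192.0.2.10"),            # repeat, winnowed out
    ("example.com.", "NS", "ns1.example.net."),
    ("x7f3q.spam.example.", "A", "198.51.100.5"),
    ("k2m9z.spam.example.", "A", "198.51.100.5"),
    ("p0a4w.spam.example.", "A", "198.51.100.5"),
    ("example.com.", "NS", "ns1.unexpected.example."),  # name servers changed
    ("www.example.com.", "A", "203.0.113.66"),          # address changed
]

class Winnower:
    """Remembers every (fqdn, rrtype, rdata) seen and reports only first sightings."""
    def __init__(self):
        self.seen = defaultdict(lambda: defaultdict(set))  # fqdn -> rrtype -> rdata

    def observe(self, fqdn, rrtype, rdata):
        fqdn, rrtype = fqdn.lower().rstrip(".") + ".", rrtype.upper()
        known_name = fqdn in self.seen
        known_type = known_name and rrtype in self.seen[fqdn]
        values = self.seen[fqdn][rrtype]
        if rdata in values:
            return None                       # already known: drop from both streams
        values.add(rdata)
        if not known_name:
            return ("new_fqdn", fqdn, rrtype, rdata)
        kind = "new_rdata" if known_type else "new_rrtype"
        return (kind, fqdn, rrtype, rdata)

def winnow(observations):
    """Split raw observations into (newly observed FQDNs, DNS changes)."""
    w, new_fqdns, changes = Winnower(), [], []
    for obs in observations:
        event = w.observe(*obs)
        if event:
            (new_fqdns if event[0] == "new_fqdn" else changes).append(event)
    return new_fqdns, changes

def wildcard_suspects(new_fqdns, threshold=3):
    """Base domains with many new FQDNs, the pattern wildcarded spam sites produce.
    Base domain = last two labels (simplification; real use needs a public-suffix list)."""
    counts = Counter(".".join(e[1].rstrip(".").split(".")[-2:]) for e in new_fqdns)
    return {base: n for base, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    new, changed = winnow(OBSERVATIONS)
    print(len(new), "new FQDNs;", "changes:", changed)
    print("wildcard suspects:", wildcard_suspects(new))
```

The in-memory `seen` map stands in for whatever history store a real deployment would use; its retention window decides how long a name must be absent before it counts as new again.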

Presenters:

  • Paul Vixie - Farsight Security Inc.
    Dr. Paul Vixie is the Founder and CEO of Farsight Security, Inc. In 2014, he was inducted into the Internet Hall of Fame for his work related to DNS. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Dr. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). Dr. Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He is considered the primary author and technical architect of BIND 8, and he hired many of the people who wrote BIND 9 and the people now working on BIND 10. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, as well as Sendmail: Theory and Practice (Digital Press, 1994). He earned his PhD from Keio University for work related to the Internet Domain Name System (DNS and DNSSEC).
