Identifying DNS Infrastructure Hijacks using Large Scale Measurements
eScholarship
Open Access Publications from the University of California

UC San Diego Electronic Theses and Dissertations

Abstract

DNS infrastructure hijacks are a class of attacks wherein the attack is the result of an attacker controlling part or all of the DNS infrastructure for a domain. These hijacks are typically a byproduct of attackers exploiting errors and inconsistencies in how nameserver delegations are specified, or of attackers gaining authority to update delegation records on behalf of the domain owner. Significantly, attacks on DNS infrastructure can impact nearly all users of a domain. Thus, understanding DNS infrastructure hijacks is of critical importance given that they undermine trust in services hosted at the hijacked domain.

In this dissertation, I directly address the challenges inherent in identifying DNS infrastructure hijacks. In particular, I demonstrate it is feasible to infer hijacks as a third party by leveraging large-scale measurements of the DNS ecosystem supplemented by a wide array of complementary data sources which help provide a broader context for interpreting the DNS measurements. In doing so, I show how large-scale measurements can help not only identify instances of high-value domains being hijacked, but also uncover long-standing operational practices exposing large numbers of domains unbeknownst to the domain owner. I first describe a large-scale measurement study across the Internet to comprehensively identify the extent of errors and inconsistencies in nameserver delegations and how they affect the security and efficiency of the resolution process. In the course of this first study, I discovered long-standing operational practices that exposed nearly half a million domains over nine years to the risk of hijack. In a second study, I then explored in depth the domain hijacking risk caused by these undocumented operational practices in the DNS ecosystem. While the two studies highlighted opportunistic hijacks wherein the security of the DNS infrastructure is undermined due to actions of the domain owner or registrar, in a final project, I explored targeted hijacks wherein an attacker actively takes control of DNS configuration for the domain. Overall in this dissertation, I present a qualitative and quantitative exploration of DNS infrastructure hijacks.
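As an added illustration (not code from the dissertation), the following offline check audits one domain's delegation for two kinds of error the abstract refers to: a parent-zone NS set that disagrees with the child zone's own NS set, and a nameserver whose registrable domain is not registered. All records, names and the registration set are constructed, and the registrable-domain logic is a two-label simplification rather than a Public Suffix List lookup.

```python
# Added example (not from the dissertation): a small, offline audit of a
# domain's nameserver delegation for two classes of error the abstract
# refers to. All records here are constructed; a real audit would query
# the parent zone and the child zone and consult registration data.
from typing import Iterable, List, Set, Tuple

Finding = Tuple[str, object]


def normalize(name: str) -> str:
    """Canonical form of a DNS name: lower case, no trailing dot."""
    return name.strip().lower().rstrip(".")


def registrable_domain(name: str) -> str:
    """Assumption: the registrable part is the last two labels.
    Real tooling uses the Public Suffix List (e.g. for co.uk)."""
    return ".".join(normalize(name).split(".")[-2:])


def audit_delegation(domain: str, parent_ns: Iterable[str],
                     child_ns: Iterable[str],
                     registered: Set[str]) -> List[Finding]:
    """Compare the NS set published by the parent zone with the NS set
    the child zone itself serves, and flag nameservers whose registrable
    domain is not registered (an expired or never-registered name that
    a third party could register and thereby answer for the domain)."""
    parent = {normalize(n) for n in parent_ns}
    child = {normalize(n) for n in child_ns}
    findings: List[Finding] = []
    if not parent:
        findings.append(("no_parent_delegation", domain))
    if parent != child:
        # Inconsistent delegation: resolvers may end up using either set.
        findings.append(("inconsistent_ns_set", sorted(parent ^ child)))
    for ns in sorted(parent | child):
        if registrable_domain(ns) not in registered:
            findings.append(("unregistered_ns_domain", ns))
    return findings


if __name__ == "__main__":
    # Constructed sample: the parent still lists a nameserver at an old,
    # now-unregistered provider that the zone owner dropped long ago.
    registered = {"example.com", "dns-host.net"}
    for f in audit_delegation("example.com",
                              ["ns1.dns-host.net", "ns2.old-provider.org."],
                              ["NS1.dns-host.net"], registered):
        print(f)
```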
