Achtung:

Sie haben Javascript deaktiviert!
Sie haben versucht eine Funktion zu nutzen, die nur mit Javascript möglich ist. Um sämtliche Funktionalitäten unserer Internetseite zu nutzen, aktivieren Sie bitte Javascript in Ihrem Browser.

Studierende in den Seminarräumen des O-Gebäudes, Foto: Universität Paderborn, Fotografin: Judith Kraft Bildinformationen anzeigen

Studierende in den Seminarräumen des O-Gebäudes, Foto: Universität Paderborn, Fotografin: Judith Kraft

Analyzing the DNS Ecosystem

Currently blocked by another student

DNS is widely used to translate human readable domain names to IP addresses. However, this is not the only use case for DNS, as there are more record types than just addresses (A, AAAA, MX). It is also possible to store security related information within a DNS record. This can include simple information, for example which CAs are allowed to issue certificates for this domain (CAA) but can also include whole certificates (CERT) or keys (DNSKEY, IPSECKEY, OPENPGPKEY, SSHFP). Additionally, TXT records are used for various data for which no dedicated type exists. These can be used to verify ownership of a domain name (c.f. ACME DNS Challenge) or to store further security related information (e.g. SPF, ESNI).

The goal of this thesis is to analyze which security related records are used in the DNS ecosystem. It should be analyzed whether the existing records are configured correctly and securely, as well as categorizing misconfigurations. Furthermore, it should be analyzed whether there are furhter records containing information which may not be intended for the public.

Another challenge of this work is iterating the existing domains. There exist no list of all domains and due to their arbitrary nature they cannot be simply iterated like IPv4. However, CT logs, git commits, or web crawling can be used to find domains to analyze.

Suggested DNS records to analyze:

  • RRSIG, DNSKEY, DS (dnssec)
  • CERT
  • OPENPGPKEY (requires emails)
  • SSHFP
  • IPSECKEY
  • TXT: (in general,) SPF, DKIM, ESNI

Requirements:

  • Good programming skills
  • Basic experience in analyzing large data sets
  • Basic knowledge of DNS
  • Basic knowledge of cryptography

Die Universität der Informationsgesellschaft