Auswahl der wissenschaftlichen Literatur zum Thema „Domain Name System over Quic“

Abstract Tor onion services, also known as hidden services, are anonymous servers of unknown location and ownership that can be accessed through any Torenabled client. They have gained popularity over the years, but since their introduction in 2002 still suffer from major usability challenges primarily due to their cryptographically-generated non-memorable addresses. In response to this difficulty, in this work we introduce the Onion Name System (OnioNS), a privacy-enhanced decentralized name resolution service. OnioNS allows Tor users to reference an onion service by a meaningful globally-unique verifiable domain name chosen by the onion service administrator.We construct OnioNS as an optional backwards-compatible plugin for Tor, simplify our design and threat model by embedding OnioNS within the Tor network, and provide mechanisms for authenticated denial-of-existence with minimal networking costs. We introduce a lottery-like system to reduce the threat of land rushes and domain squatting. Finally, we provide a security analysis, integrate our software with the Tor Browser, and conduct performance tests of our prototype.

As a backbone of all communications over the Internet, DNS (Domain Name System) is crucial for all entities that need to be visible and provide services outside their internal networks. Public administration is a prime example for various services that have to be provided to citizens. This manuscript presents one possible approach, implemented in the administration of the City of Nis, for improving the robustness and resilience of external domain space, as well as securing it with DNSSEC (DNS Security Extensions).

Abstract The Internet’s Domain Name System (DNS) responds to client hostname queries with corresponding IP addresses and records. Traditional DNS is unencrypted and leaks user information to on-lookers. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting DNS messages from third parties. However, the small number of available public large-scale DoT and DoH resolvers has reinforced DNS privacy concerns, specifically that DNS operators could use query contents and client IP addresses to link activities with identities. Oblivious DNS over HTTPS (ODoH) safeguards against these problems. In this paper we implement and deploy interoperable instantiations of the protocol, construct a corresponding formal model and analysis, and evaluate the protocols’ performance with wide-scale measurements. Results suggest that ODoH is a practical privacy-enhancing replacement for DNS.

Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there is a trend to protect DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) How do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner? and (2) How can clients trust endpoints to behave as expected? In this article, we propose a novel Private DNS-over-TLS (PDoT) architecture. PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment. Using Remote Attestation , DNS clients can authenticate and receive strong assurance of trustworthiness of PDoT RecRes. We provide an open source proof-of-concept implementation of PDoT and experimentally demonstrate that its latency and throughput match that of the popular Unbound DNS-over-TLS resolver.

IoT devices provide real-time data to a rich ecosystem of services and applications. The volume of data and the involved subscribe/notify signaling will likely become a challenge also for access and core networks. To alleviate the core of the network, other technologies like fog computing can be used. On the security side, designers of IoT low-cost devices and applications often reuse old versions of development frameworks and software components that contain vulnerabilities. Many server applications today are designed using microservice architectures where components are easier to update. Thus, IoT can benefit from deploying microservices in the fog as it offers the required flexibility for the main players of ubiquitous computing: nomadic users. In such deployments, IoT devices need the dynamic instantiation of microservices. IoT microservices require certificates so they can be accessed securely. Thus, every microservice instance may require a newly-created domain name and a certificate. The DNS-based Authentication of Named Entities (DANE) extension to Domain Name System Security Extensions (DNSSEC) allows linking a certificate to a given domain name. Thus, the combination of DNSSEC and DANE provides microservices’ clients with secure information regarding the domain name, IP address, and server certificate of a given microservice. However, IoT microservices may be short-lived since devices can move from one local fog to another, forcing DNSSEC servers to sign zones whenever new changes occur. Considering DNSSEC and DANE were designed to cope with static services, coping with IoT dynamic microservice instantiation can throttle the scalability in the fog. To overcome this limitation, this article proposes a solution that modifies the DNSSEC/DANE signature mechanism using chameleon signatures and defining a new soft delegation scheme. Chameleon signatures are signatures computed over a chameleon hash, which have a property: a secret trapdoor function can be used to compute collisions to the hash. Since the hash is maintained, the signature does not have to be computed again. In the soft delegation schema, DNS servers obtain a trapdoor that allows performing changes in a constrained zone without affecting normal DNS operation. In this way, a server can receive this soft delegation and modify the DNS zone to cope with frequent changes such as microservice dynamic instantiation. Changes in the soft delegated zone are much faster and do not require the intervention of the DNS primary servers of the zone.

<strong>Abstract</strong>— The widespread use of smart phones nowadays makes them vulnerable to phishing. Phishing is the process of trying to steal user information over the Internet by claiming they are a trusted entity and thus access and steal the victim's data(user name, password and credit card details). Consequently, the need for mobile phishing detection system has become an urgent need. And this is what we are attempting to introduce in this paper, where we introduce a system to detect phishing websites on Android phones. That predicts and prevents phishing websites from deceiving users, utilizing data mining techniques to predict whether a website is phishing or not, relying on a set of factors (URL based features, HTML based features and Domain based features). The results shows system effectiveness in predicting phishing websites with 97% as prediction accuracy.

The –ex string found in English product and company names (e.g., Kleenex, Timex and Virex), is investigated to discover whether this ending has consistent meaning across coined words and to observe any constraints on its attachment and interpretation. Seven hundred and ninety-three –exbrand name types were collected and examined, derived from American English texts in the Brown and Frown corpora as well as over 600 submissions to the US Patent and Trademark Office's Trademark Electronic Search System database (TESS); American native English speakers were also surveyed to assess interpretations of –ex meaning in brands. Analysis of these coined terms reveals that –ex meaning is contingent, reflecting assumptions by a given speaker of a referent's domain in a given time, region and culture. Yet, despite ambiguities in its interpretation, the –ex form shows increasing use.

In recent times, secure communication protocols over web such as HTTPS (Hypertext Transfer Protocol Secure) are being widely used instead of plain web communication protocols like HTTP (Hypertext Transfer Protocol). HTTPS provides end-to-end encryption between the user and service. Nowadays, organizations use network firewalls and/or intrusion detection and prevention systems (IDPS) to analyze the network traffic to detect and protect against attacks and vulnerabilities. Depending on the size of organization, these devices may differ in their capabilities. Simple network intrusion detection system (NIDS) and firewalls generally have no feature to inspect HTTPS or encrypted traffic, so they rely on unencrypted traffic to manage the encrypted payload of the network. Recent and powerful next-generation firewalls have Secure Sockets Layer (SSL) inspection feature which are expensive and may not be suitable for every organizations. A virtual private network (VPN) is a service which hides real traffic by creating SSL-protected channel between the user and server. Every Internet activity is then performed under the established SSL tunnel. The user inside the network with malicious intent or to hide his activity from the network security administration of the organization may use VPN services. Any VPN service may be used by users to bypass the filters or signatures applied on network security devices. These services may be the source of new virus or worm injected inside the network or a gateway to facilitate information leakage. In this paper, we have proposed a novel approach to detect VPN activity inside the network. The proposed system analyzes the communication between user and the server to analyze and extract features from network, transport, and application layer which are not encrypted and classify the incoming traffic as malicious, i.e., VPN traffic or standard traffic. Network traffic is analyzed and classified using DNS (Domain Name System) packets and HTTPS- (Hypertext Transfer Protocol Secure-) based traffic. Once traffic is classified, the connection based on the server’s IP, TCP port connected, domain name, and server name inside the HTTPS connection is analyzed. This helps in verifying legitimate connection and flags the VPN-based traffic. We worked on top five freely available VPN services and analyzed their traffic patterns; the results show successful detection of the VPN activity performed by the user. We analyzed the activity of five users, using some sort of VPN service in their Internet activity, inside the network. Out of total 729 connections made by different users, 329 connections were classified as legitimate activity, marking 400 remaining connections as VPN-based connections. The proposed system is lightweight enough to keep minimal overhead, both in network and resource utilization and requires no specialized hardware.

Summary This paper continues formalization in the Mizar system [2, 1] of basic notions of the composition-nominative approach to program semantics [14] which was started in [8, 12, 10]. The composition-nominative approach studies mathematical models of computer programs and data on various levels of abstraction and generality and provides tools for reasoning about their properties. In particular, data in computer systems are modeled as nominative data [15]. Besides formalization of semantics of programs, certain elements of the composition-nominative approach were applied to abstract systems in a mathematical systems theory [4, 6, 7, 5, 3]. In the paper we give a formal definition of the notions of a binominative function over given sets of names and values (i.e. a partial function which maps simple-named complex-valued nominative data to such data) and a nominative predicate (a partial predicate on simple-named complex-valued nominative data). The sets of such binominative functions and nominative predicates form the carrier of the generalized Glushkov algorithmic algebra for simple-named complex-valued nominative data [15]. This algebra can be used to formalize algorithms which operate on various data structures (such as multidimensional arrays, lists, etc.) and reason about their properties. In particular, we formalize the operations of this algebra which require a specification of a data domain and which include the existential quantifier, the assignment composition, the composition of superposition into a predicate, the composition of superposition into a binominative function, the name checking predicate. The details on formalization of nominative data and the operations of the algorithmic algebra over them are described in [11, 13, 9].

The goal of the Master thesis on the topic of the Client application of DNS protocol with graphical interface for teaching purposes is to create a program with the features of sending, receiving DNS, MDNS and LLMNR protocols with optional parameters. Additionally, compare the created application with available tools such as Nslookup, Dig and create examples of application for teaching.

This chapter examines the mechanism of the United States's internet control over the Domain Name System (DNS). The mechanism of U.S. internet control over the DNS was formalized after President Bill Clinton directed the Commerce Department to privatize the DNS in 1997. Legal contracts were drawn up, binding the Department to a for-profit corporation called VeriSign and to a private, not-for-profit corporation, the Internet Corporation for Assigned Names and Numbers (ICANN). The chapter considers the Commerce Department's DNS initiative as an example of the geopolitics of today's internet, an extraterritorial projection of U.S. policymaking that was extraordinary for transforming into a venue where other countries mounted a concerted diplomatic challenge to U.S. power. The chapter also discusses the multi-stakeholderism in U.S.-centric internet and Edward Snowden's revelations regarding the National Security Agency's surveillance of global internet traffic.

“All science is either physics or stamp collecting.” So claimed Ernest Rutherford, the British physicist who discovered the atomic nucleus in 1910, touting the explanatory power of physics over the busywork of classifying elements or planets or animals. One hundred years later, the endless variety of matter postulated by physics—within the nucleus and throughout the universe—has far surpassed the inventories of the periodic table and solar system, leading particle physicists to refer to their domain as a bestiary and one textbook to be aptly titled A Tour of the Subatomic Zoo. There are electrons and protons and neutrons, as well as quarks and positrons and neutrinos. There are also gluons and muons—the unexpected discovery of which, in 1936, led the physicist Isidor Rabi to quip, “Who ordered that?”—and potentially axions and saxions and saxinos. In this menagerie it’s not easy for a new particle, especially a hypothetical one, to get attention. The unparticle, first proposed by American physicist Howard Georgi in 2007, is therefore remarkable for garnering worldwide media attention and spurring more than a hundred scholarly papers, especially considering that there’s no experimental evidence for it, nor is it called for mathematically by any prior theory. What an unparticle is, exactly, remains vague. The strange form of matter first arose on paper when Georgi asked himself what properties a “scale-invariant” particle might have and how it might interact with the observable universe. Scale invariance is a quality of fractals, such as snowflakes and fern leaves, that makes them look essentially the same at any magnification. Georgi’s analogous idea was to imagine particles that would interact with the same force regardless of the distance between them. What he found was that such particles would have no definite mass, which would, for example, exempt them from obeying special relativity. “It’s very difficult to even find the words to describe what unparticles are,” Georgi confessed to the magazine New Scientist in 2008, “because they are so unlike what we are familiar with.” For those unprepared to follow his mathematics, the name evokes their essential foreignness.

This chapter examines the secondary liability of internet intermediaries for trade mark infringement and passing off occurring online. The internet intrinsically relies upon a functioning system of domain names, keyword-based search tools, and advertising. These arenas present ample opportunities for conflict over protected signs. At one extreme are territorial conflicts between legitimate traders who happen to possess parallel rights in different jurisdictions; at the other extreme lie cases of opportunistic squatting on a rivalrous keyword resource, such as a domain name, for commercial gain, or outright counterfeiting. Within the contested space that lies between, the line between honest and unfair competition is becoming increasingly blurred, as traders seek to exploit rivals’ names in keyword advertising, practise aggressive search engine optimisation, and compete for traffic, reputation, and attention. The zone of accepted commercial practices is fluid and extremely nebulous.