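% This data is distributed under the terms of the Open Data Commons Attribution License (ODC-By) v1.0 - See more at: http://opendatacommons.org/licenses/by/1-0/
@article{OJWT_2018v5i1n02_Thomassen,
  title     = {Hijacking {DNS} Subdomains via Subzone Registration: A Case for Signed Zones},
  author    = {Thomassen, Peter and Benninger, Jan and Margraf, Marian},
  journal   = {Open Journal of Web Technologies (OJWT)},
  issn      = {2199-188X},
  year      = {2018},
  volume    = {5},
  number    = {1},
  pages     = {6--13},
  note      = {Special Issue: Proceedings of the International Workshop on Web Data Processing \& Reasoning (WDPAR 2018) in conjunction with the 41st German Conference on Artificial Intelligence (KI) in Berlin, Germany.},
  url       = {http://nbn-resolving.de/urn:nbn:de:101:1-2018093019300979542360},
  urn       = {urn:nbn:de:101:1-2018093019300979542360},
  publisher = {RonPub},
  bibsource = {RonPub},
  abstract  = {We investigate how the widespread absence of signatures in DNS (Domain Name System) delegations, in combination with a common misunderstanding with regards to the DNS specification, has led to insecure deployments of authoritative DNS servers which allow for hijacking of subdomains without the domain owner's consent. This, in turn, enables the attacker to perform effective man-in-the-middle attacks on the victim's online services, including TLS (Transport Layer Security) secured connections, without having to touch the victim's DNS zone or leaving a trace on the machine providing the compromised service, such as the web or mail server. Following the practice of responsible disclosure, we present examples of such insecure deployments and suggest remedies for the problem. Most prominently, DNSSEC (Domain Name System Security Extensions) can be used to turn the problem from an integrity breach into a denial-of-service issue, while more thorough user management resolves the issue completely.},
}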