net

An investigation on the security of DNS servers in China

**Apr. 2019 - May. 2019** Analysed 500 DNS servers' responses to 20 different domain names with traceroute, nslookup and Wireshark.

**Brief introduction:**

* This research tests 500 DNS servers provided by Hunan University, Google, and different ISPs in China. The 20 tested domain names include 15 common domain names in China, 3 Google domain names and 2 nonexistent domain names. By analysing these DNS servers' replies, a series of DNS security problems was found.

**Conclusion:**

* Different ISPs in China have different strategies toward nonexistent domain names. The DNS server provided by China Mobile directs users to its ads page if the requested domain name does not exist, while the other ISPs do not.
* ISPs used to use DNS hijacking to direct users to a new website containing an iframe with the original page in order to serve ads. This has become rare, possibly due to the wide use of Content-Security-Policy and X-Frame-Options.
* A small number (3 out of 28) of the DNS servers provided by China Railway Telecom, and the DNS servers provided by Hunan University, can resolve all domain names correctly, while all DNS servers provided by other ISPs give false replies for Google domain names.
* When users set "8.8.8.8" as their DNS server and query Google domain names, ISPs analyse the requests and reply with a false IP before the real DNS server's answer arrives.
* Though DoH (DNS over HTTPS) can stop ISPs from analysing users' queries, the small number of DNS servers that accept DoH makes it easy for ISPs to block or substitute those servers.
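As an added illustration (not part of the original project), a small script that classifies resolver replies the way the study compares them: nonexistent names that receive an address, pinned reference answers for the Google names, and a majority vote across resolvers for everything else. The resolver addresses, domains and answers are constructed placeholders; `majority_answers`, `classify` and `summarize` are hypothetical helpers, not tooling from the study.

```python
from collections import Counter, defaultdict

# Domains whose only correct reply is NXDOMAIN (answer None).
NONEXISTENT = {"doesnotexist-example.invalid"}
# Trusted answers for names most resolvers in the study forged; a majority vote
# would accept the forgery, so these are pinned. Values are constructed placeholders.
REFERENCE = {"www.google.com": {"203.0.113.10"}}

# Constructed (resolver, domain, answer) rows, as one might export from nslookup runs.
SAMPLE = [
    ("10.0.0.1", "www.google.com", "203.0.113.10"),
    ("10.0.0.1", "example.cn", "198.51.100.5"),
    ("10.0.0.1", "doesnotexist-example.invalid", None),
    ("10.0.0.2", "www.google.com", "192.0.2.99"),   # forged reply
    ("10.0.0.2", "example.cn", "198.51.100.5"),
    ("10.0.0.2", "doesnotexist-example.invalid", None),
    ("10.0.0.3", "www.google.com", "192.0.2.99"),   # same forgery: the majority is wrong here
    ("10.0.0.3", "example.cn", "192.0.2.77"),       # disagrees with the other resolvers
    ("10.0.0.3", "doesnotexist-example.invalid", "192.0.2.200"),  # NXDOMAIN turned into a page
]

def majority_answers(rows):
    """Per domain, the answer most resolvers returned (None if NXDOMAIN won the vote)."""
    votes = defaultdict(Counter)
    for _, domain, answer in rows:
        votes[domain][answer] += 1
    return {d: c.most_common(1)[0][0] for d, c in votes.items()}

def classify(rows, reference=REFERENCE):
    """Map each resolver to the set of findings against it (empty set = consistent)."""
    expected = majority_answers(rows)
    findings = {r: set() for r, _, _ in rows}
    for resolver, domain, answer in rows:
        if domain in NONEXISTENT:
            if answer is not None:
                findings[resolver].add("nxdomain_redirect")
        elif domain in reference:
            if answer not in reference[domain]:
                findings[resolver].add("forged:" + domain)
        elif answer != expected[domain]:
            findings[resolver].add("outlier:" + domain)
    return findings

def summarize(rows):
    """How many resolvers exhibit each finding, as in the study's per-ISP tallies."""
    counts = Counter()
    for problems in classify(rows).values():
        counts.update(problems)
    return counts
```

Run `classify(SAMPLE)` to see which resolver shows which behaviour, and `summarize(SAMPLE)` for the tallies.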

DNS attack simulation

**Apr. 2019 - May. 2019** Simulated different methods of DNS attack and evaluated some approaches that could mitigate them.

**Attacks analysed:**

* Local DNS server cache poisoning
* DNS hijacking based on ARP spoofing

**Evaluated approaches:**

* If the local DNS server uses random UDP source ports for its queries, an attacker has only a slight chance (1/(2^48)) of guessing the correct DNS query ID and UDP port at the same time, so the probability that the local DNS server accepts a forged response is very small.
* Instead of sending DNS queries over plain UDP, DoT (DNS over TLS) and DoH (DNS over HTTPS) both encrypt the queries, and the encrypted traffic is mixed with other normal traffic, which makes it difficult for attackers to identify and analyse users' DNS queries.

Layer 3 switch design

**Mar. 2019 - Apr. 2019** Implemented a switch with basic traffic forwarding and ARP table updating functions in Verilog. By evaluating the traffic (frequency and quantity of ARP packets, and conflicts with the existing ARP table), the switch can also detect potential ARP attacks.

Malicious traffic analysis

**Feb. 2019 - Mar. 2019** Analysed suspicious traffic from common attacks and identified its distinguishing features.

**Suspicious traffic analysed:**

* Traffic of a DNS amplification attack
* Traffic of a SYN flood attack
* Traffic of a slow DoS attack