Kyle Schomp
ABSTRACT
The Domain Name System (DNS) is a critical component of the Internet infrastructure that has many security vulnerabilities. In particular, shared DNS resolvers are a notorious security weak spot in the system. We propose an unorthodox approach for tackling vulnerabilities in shared DNS resolvers: removing shared DNS resolvers entirely and leaving recursive resolution to the clients. We show that the two primary costs of this approach---loss of performance and an increase in system load---are modest and therefore conclude that this approach is beneficial for strengthening the DNS by reducing the attack surface.
- Case Connection Zone. http://www.caseconnectionzone.org/.Google Scholar
- Open Resolver Project. http://openresolverproject.org/.Google Scholar
- The Bro Network Security Monitor. https://www.bro.org/.Google Scholar
- H. A. Alzoubi, M. Rabinovich, and O. Spatscheck. The Anatomy of LDNS Clusters: Findings and Implications for Web Content Delivery. In International Conference on World Wide Web, 2013. Google ScholarDigital Library
- M. Antonakakis, D. Dagon, X. Luo, R. Perdisci, W. Lee, and J. Bellmor. A Centralized Monitoring Infrastructure for Improving DNS Security. In Recent Advances in Intrusion Detection, 2010. Google ScholarDigital Library
- R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. RFC 4033, 2005.Google Scholar
- S. Ariyapperuma and C. Mitchell. Security Vulnerabilities in DNS and DNSSEC. In IEEE International Conference on Availability, Reliability and Security, 2007. Google ScholarDigital Library
- D. Bernstein. Introduction to DNSCurve. http://dnscurve.org/, 2008.Google Scholar
- C. Contavalli, W. van der Gaast, S. Leach, and D. Rodden. Client IP Information in DNS Requests. IETF draft, work in progress, 2010.Google Scholar
- D. Dagon, M. Antonakakis, K. Day, X. Luo, C. Lee, and W. Lee. Recursive dns architectures and vulnerability implications. In Network and Distributed System Security Symposium, 2009.Google Scholar
- K. Fujiwara. Number of Possible DNSSEC Validators Seen at jp. In DNS-OARC Workshop, 2012.Google Scholar
- A. Gerber and R. Doverspike. Traffic Types and Growth in Backbone Networks. In Optical Fiber Communication Conference, 2011.Google Scholar
- O. Gudmundsson and S. Crocker. Observing DNSSEC Validation in the Wild. In Workshop on Securing and Trusting Internet Names, 2011.Google Scholar
- A. Herzberg and H. Shulman. Fragmentation Considered Poisonous, or: One-domain-to-rule-them-all.org. In IEEE Communications and Network Security, 2013.Google Scholar
- C. Huang, I. Batanov, and J. Li. A Practical Solution to the Client-LDNS Mismatch Problem. ACM SIGCOMM Computer Communication Review, 42(2), 2012. Google ScholarDigital Library
- C. Huang, D. A. Maltz, J. Li, and A. Greenberg. Public DNS system and Global Traffic Management. In IEEE International Conference on Computer Communications, 2011.Google ScholarCross Ref
- D. Kaminsky. Black Ops 2008: It's the End of the Cache As We Know It. Black Hat USA, 2008.Google Scholar
- Z. M. Mao, C. D. Cranor, F. Douglis, M. Rabinovich, O. Spatscheck, and J. Wang. A Precise and Efficient Evaluation of the Proximity Between Web Clients and Their Local DNS Servers. In USENIX Annual Technical Conference, General Track, 2002. Google ScholarDigital Library
- J. S. Otto, M. A. Sánchez, J. P. Rula, and F. E. Bustamante. Content Delivery and the Natural Evolution of DNS: Remote DNS Trends, Performance Issues and Alternative Solutions. In ACM Internet Measurement Conference, 2012. Google ScholarDigital Library
- V. Pappas and E. Osterweil. Improving DNS service availability by using long TTL values. IETF Draft. http://tools.ietf.org/id/draft-pappas-dnsop-long-ttl-04.txt, 2012.Google Scholar
- H. Qian, E. Miller, W. Zhang, M. Rabinovich, and C. E. Wills. Agility in Virtualized Utility Computing. In IEEE Workshop on Virtualization Technology in Distributed Computing, 2007. Google ScholarDigital Library
- M. Sargent, B. Stack, T. Dooner, and M. Allman. A First Look at 1 Gbps Fiber-To-The-Home Traffic (TR-12-009). Technical report, 2012.Google Scholar
- K. Schomp, T. Callahan, M. Rabinovich, and M. Allman. On Measuring the Client-Side DNS Infrastructure. In ACM Internet Measurement Conference, 2013. Google ScholarDigital Library
- K. Schomp, T. Callahan, M. Rabinovich, and M. Allman. Assessing DNS Vulnerability to Record Injection. In Passive and Active Measurement Conference, 2014. Google ScholarDigital Library
- C. Schuba. Addressing Weaknesses in the Domain Name System Protocol. PhD thesis, Purdue University, 1993.Google Scholar
- A. Shaikh, R. Tewari, and M. Agrawal. On the Effectiveness of DNS-based Server Selection. In IEEE International Conference on Computer Communications, 2001.Google Scholar
- S. Tzur-David, K. Lashchiver, D. Dolev, and T. Anker. Delay Fast Packets (DFP): Prevention of DNS Cache Poisoning. Security and Privacy in Communication Networks, 2012.Google ScholarCross Ref
- P. Vixie and V. Schryver. DNS Response Rate Limiting (DNS RRL). Technical Report ISC-TN-2012-1, Internet Systems Consortium, Apr. 2012.Google Scholar
- L. Yuan, K. Kant, P. Mohapatra, and C. Chuah. DoX: A Peer-to-Peer Antidote for DNS Cache Poisoning Attacks. In IEEE International Conference on Communications, 2006.Google Scholar
- M. Zalewski. p0f: Passive OS Fingerprinting tool. http://lcamtuf.coredump.cx/p0f.shtml.Google Scholar
Index Terms
- DNS Resolvers Considered Harmful
Recommendations
Comparing DNS resolvers in the wild
IMC '10: Proceedings of the 10th ACM SIGCOMM conference on Internet measurementThe Domain Name System (DNS) is a fundamental building block of the Internet. Today, the performance of more and more applications depend not only on the responsiveness of DNS, but also the exact answer returned by the queried DNS resolver, e.g., for ...
Pollution resilience for DNS resolvers
ICC'09: Proceedings of the 2009 IEEE international conference on CommunicationsThe DNS is a cornerstone of the Internet. Unfortunately, no matter how securely an organization provisions and guards its own DNS infrastructure, it is at the mercy of others' provisioning when it comes to resolutions its resolvers perform on behalf of ...
Resolvers Revealed: Characterizing DNS Resolvers and their Clients
The Domain Name System (DNS) allows clients to use resolvers, sometimes called caches, to query a set of authoritative servers to translate host names into IP addresses. Prior work has proposed using the interaction between these DNS resolvers and the ...
Comments