DOI: 10.1145/2670518.2673881

DNS Resolvers Considered Harmful

Published: 27 October 2014

Abstract

The Domain Name System (DNS) is a critical component of the Internet infrastructure that has many security vulnerabilities. In particular, shared DNS resolvers are a notorious security weak spot in the system. We propose an unorthodox approach for tackling vulnerabilities in shared DNS resolvers: removing shared DNS resolvers entirely and leaving recursive resolution to the clients. We show that the two primary costs of this approach---loss of performance and an increase in system load---are modest and therefore conclude that this approach is beneficial for strengthening the DNS by reducing the attack surface.
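As an added illustration of the mechanism the abstract proposes (this is not code from the paper; the zone contents, nameserver names and RFC 5737 documentation addresses are all constructed for the example), the following Python sketch does what a client would have to do without a shared resolver: it starts from root hints, follows NS referrals together with their glue records, keeps a private per-client cache, and counts the queries it sends so that the load cost of a cold lookup versus a warm one is visible. It also handles the case where an authoritative server refers the client back to a zone it has already reached, which is treated as a negative answer rather than followed into a loop.

```python
"""Client-side iterative DNS resolution over a constructed delegation tree.

Added example for the approach sketched in the abstract; this is not code from
the paper. Zone contents, nameserver names and addresses (RFC 5737
documentation ranges) are all constructed for illustration.
"""
from collections import Counter

# Constructed authoritative data: server address -> {(owner, type): [rdata]}.
# A server answers directly for names it holds and otherwise hands out a
# referral: the NS set of the delegated child zone plus glue A records.
AUTH = {
    "192.0.2.1": {                                    # root server
        ("com.", "NS"): ["ns1.com."],
        ("ns1.com.", "A"): ["198.51.100.1"],          # glue
    },
    "198.51.100.1": {                                 # com. TLD server
        ("example.com.", "NS"): ["ns1.example.com."],
        ("ns1.example.com.", "A"): ["203.0.113.1"],   # glue
    },
    "203.0.113.1": {                                  # example.com. authoritative
        ("example.com.", "NS"): ["ns1.example.com."],
        ("ns1.example.com.", "A"): ["203.0.113.1"],
        ("www.example.com.", "A"): ["203.0.113.80"],
        ("mail.example.com.", "A"): ["203.0.113.25"],
    },
}
ROOT_HINTS = ["192.0.2.1"]


def ancestors(name):
    """Yield name, then each parent zone, ending with the root '.'."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        yield ".".join(labels[i:]) + "." if labels[i:] else "."


class ClientResolver:
    """One resolver per client: a private cache, no shared resolver to poison.

    Lookups start at the closest delegation this client has already learned
    (falling back to the root hints) and follow referrals downward.
    """

    def __init__(self, auth=AUTH, hints=ROOT_HINTS):
        self.auth = auth
        self.hints = list(hints)
        self.cache = {}             # (owner, type) -> [rdata]; TTLs omitted
        self.queries = Counter()    # server address -> queries sent (load)

    def _start(self, name):
        """Closest enclosing zone whose NS set and glue are cached, else root."""
        for zone in ancestors(name):
            ns = self.cache.get((zone, "NS")) or []
            addrs = [a for n in ns for a in self.cache.get((n, "A"), [])]
            if addrs:
                return zone, addrs
        return ".", self.hints

    def _query(self, server, name, rtype):
        """Simulate one query to an authoritative server (no network I/O)."""
        self.queries[server] += 1
        zone = self.auth[server]
        if (name, rtype) in zone:
            return "answer", zone[(name, rtype)]
        for cand in ancestors(name):          # longest matching delegation
            if (cand, "NS") in zone:
                ns = zone[(cand, "NS")]
                return "referral", (cand, ns, {n: zone.get((n, "A"), []) for n in ns})
        return "nxdomain", None

    def resolve(self, name, rtype="A", max_referrals=8):
        key = (name, rtype)
        if key in self.cache:
            return self.cache[key]
        zone, servers = self._start(name)
        visited = {zone}
        for _ in range(max_referrals):
            kind, data = self._query(servers[0], name, rtype)
            if kind == "answer":
                self.cache[key] = data
                return data
            if kind == "nxdomain":
                raise LookupError(f"{name} {rtype}: no such record")
            zone, ns, glue = data
            if zone in visited:               # referred back to a zone we already
                raise LookupError(f"{name} {rtype}: no such record")  # reached
            visited.add(zone)
            self.cache[(zone, "NS")] = ns     # remember the delegation
            for n, addrs in glue.items():
                if addrs:
                    self.cache[(n, "A")] = addrs
            servers = [a for n in ns for a in glue[n]]
            if not servers:
                raise LookupError(f"{zone}: referral without glue")
        raise LookupError(f"{name}: too many referrals")


if __name__ == "__main__":
    r = ClientResolver()
    print(r.resolve("www.example.com."), dict(r.queries))   # cold: 3 queries
    print(r.resolve("mail.example.com."), dict(r.queries))  # warm zone: 1 query
```

The query counter is the load side of the trade-off: the cold lookup costs one query per delegation level (three here), while a later name in the same zone costs a single query because this client has cached the delegation. With a shared resolver that warm path would be shared across all of its clients; that shared cache is exactly what the approach gives up in exchange for removing the shared poisoning target.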


    Published In

    HotNets-XIII: Proceedings of the 13th ACM Workshop on Hot Topics in Networks
    October 2014
    189 pages
    ISBN:9781450332569
    DOI:10.1145/2670518
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    In-Cooperation

    • CISCO

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Qualifiers

    • Tutorial
    • Research
    • Refereed limited

    Conference

    HotNets-XIII
    Sponsor:
    HotNets-XIII: The 13th ACM Workshop on Hot Topics in Networks
    October 27 - 28, 2014
    Los Angeles, CA, USA

    Acceptance Rates

    HotNets-XIII Paper Acceptance Rate 26 of 118 submissions, 22%;
    Overall Acceptance Rate 110 of 460 submissions, 24%

    Cited By

    • (2024) Protocol Fixes for KeyTrap Vulnerabilities. Proceedings of the 2024 Applied Networking Research Workshop, pp. 74-80. DOI 10.1145/3673422.3674902. Online publication date: 23 Jul 2024.
    • (2024) ActiveDNS: Is There Room for DNS Optimization Beyond CDNs? 2024 IEEE 49th Conference on Local Computer Networks (LCN), pp. 1-9. DOI 10.1109/LCN60385.2024.10639696. Online publication date: 8 Oct 2024.
    • (2022) Local and Public DNS Resolvers: do you trade off performance against security? 2022 IFIP Networking Conference (IFIP Networking), pp. 1-9. DOI 10.23919/IFIPNetworking55013.2022.9829756. Online publication date: 13 Jun 2022.
    • (2022) DNS Poisoning of Operating System Caches: Attacks and Mitigations. IEEE Transactions on Dependable and Secure Computing 19(4), pp. 2851-2863. DOI 10.1109/TDSC.2022.3142331. Online publication date: 1 Jul 2022.
    • (2022) Addressing the challenges of modern DNS: a comprehensive tutorial. Computer Science Review 45, article 100469. DOI 10.1016/j.cosrev.2022.100469. Online publication date: Aug 2022.
    • (2021) Domain name system security and privacy: A contemporary survey. Computer Networks 185, article 107699. DOI 10.1016/j.comnet.2020.107699. Online publication date: Feb 2021.
    • (2020) Akamai DNS. Proceedings of the Annual Conference of the ACM Special Interest Group on Data Communication on the Applications, Technologies, Architectures, and Protocols for Computer Communication (SIGCOMM), pp. 465-478. DOI 10.1145/3387514.3405881. Online publication date: 30 Jul 2020.
    • (2020) A secure domain name resolution and management architecture based on blockchain. 2020 IEEE Symposium on Computers and Communications (ISCC), pp. 1-7. DOI 10.1109/ISCC50000.2020.9219632. Online publication date: Jul 2020.
    • (2019) Cache Effect of Shared DNS Resolver. IEICE Transactions on Communications E102.B(6), pp. 1170-1179. DOI 10.1587/transcom.2018EBP3184. Online publication date: 1 Jun 2019.
    • (2019) On Eliminating Root Nameservers from the DNS. Proceedings of the 18th ACM Workshop on Hot Topics in Networks, pp. 1-8. DOI 10.1145/3365609.3365863. Online publication date: 13 Nov 2019.
