ABSTRACT
We study the operational characteristics of the DNS infrastructure: transitive trust, coresidence and server placement. We discuss how these factors impact the resilience, stability and security of DNS services. As our study indicates, common configuration choices that domain operators make result in a fragile DNS infrastructure, susceptible to malicious attacks and benign failures. We provide recommendations for improving the robustness of DNS.
Index Terms
- POSTER: On the Resilience of DNS Infrastructure