- Attacks on DNS
- Attackers frequently target the DNS. It is relatively
easy to launch attacks against DNS servers, and 0wning the Internet is a
- Peter G. Neumann. DNS roots attacked, Risks Digest Volume 24: Issue 57, Feb 6, 2007.
- Ten Percent of DNS Servers Still Vulnerable, Slashdot, August 4, 2005.
- Even after the uproar caused by the recent DNS attacks, a study shows that roughly 10% of 2.5 million surveyed DNS servers are still vulnerable to DNS cache poisoning.
- DNS servers--an Internet Achilles' heel, news.com, August 4, 2005.
- Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones.
- DNS Cache Poisoning Update, Slashdot, April 15, 2005.
- SANS internet storm handler has put up an excellent update of the DNS poisoning vulnerability currently doing the rounds.
- R. Naraine. Massive DDoS Attack Hit DNS Root Servers. www.internetnews.com/dev-news/article.php/1486981, Oct 2002.
- Massive denial of service attack targets DNS root servers.
- P. Thurrott. Microsoft Suffers Another DoS Attack. www.winnetmag.com/WindowsSecurity/Article/ArticleID/19770/WindowsSecurity_19770.html, Jan 2001.
- Denial of service attack against Microsoft's DNS servers knocked Microsoft services off the Internet.
- M. J. Edwards. Something Old, Something New: DNS Hijacking. www.winnetmag.com/Article/ArticleID/8170/8170.html, Feb 2000.
- DNS spoofing attack misdirects clients seeking to contact RSA, Inc. to a fake website instead.
- DNS standards and RFCs:
- The following RFCs define the common protocols for name resolution
on the Internet.
- P. Mockapetris. Domain Names: Concepts and Facilities. RFC 1034, Nov 1987.
- P. Mockapetris. Domain Names: Implementation and Specification. RFC 1035, Nov 1987.
- A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. RFC 1536, Oct 1993.
- T. Brisco. DNS Support for Load Balancing. RFC 1794, Apr 1995.
- P. Vixie, S. Thomson, Y. Rekhter, J. Bound. Dynamic Updates in the Domain Name System. RFC 2136, April 1997.
- R. Elz and R. Bush. Clarifications to the DNS Specification. RFC 2181, July 1997.
- M. Andrews. Negative Caching of DNS Queries. RFC 2308, Mar 1998.
- D. Eastlake. Domain Name System Security Extensions. RFC 2535, Mar 1999.
- Namedroppers Archive
- Structured Peer to Peer Systems
- Beehive and Planetlab are based on a structured peer-to-peer infrastructure.
These systems provide automatic, self-managing overlay networks that can
heal around failures, though they may incur high lookup latencies. Beehive
complements their self-organization with low-latency lookups.
- O(log N) and O(d sqrt(N)) Lookup:
- O(1) Space: These systems are optimized for space instead of lookup time.
- Single and Double Hop Lookup Systems: These systems achieve one- or two-hop lookups for any query distribution, though they may replicate excessively. Beehive achieves an average of less than one hop, with minimal replication, for Zipf-like query distributions.
- DNS Measurement Studies
- The following papers find that DNS resolution latency is a significant (10-30%) component of whole page download and display latency.
- C. Huitema and S. Weerahandi. Internet Measurements: the Rising Tide and the DNS Snag., ITC Specialist Seminar on Internet Traffic Measurement and Modeling, Monterey CA, Sep 2000.
- C. Wills and H. Shang. The Contribution of DNS Lookup Costs to Web Object Retrieval. Worcester Polytechnic Institute Technical Report TR-00-12, Jul 2000.
- L. Bent and G. M. Voelker. Whole Page Performance. Workshop on Web Content Caching and Distribution, Boulder CO, August 2002.
- The following papers show that the DNS root servers are subjected to high loads.
- N. Brownlee, kc Claffy, and E. Nemeth. DNS Measurements at a Root Server. GlobeCom, San Antonio, TX, Nov 2001.
- N. Brownlee, kc Claffy, and E. Nemeth. DNS Root/gTLD Performance Measurements. Systems Administration Conference, San Diego CA, Dec 2001.
- P. Danzig, K. Obraczka, and A. Kumar. An Analysis of Wide-Area Nameserver Traffic: A study of the Internet Domain Name System. SIGCOMM, Baltimore MD, 1992.
- Configuration errors are common and impact DNS robustness:
- V. Pappas, Z. Xu, S. Lu, D. Massey, A. Terzis, and L. Zhang. Impact of Configuration Errors on DNS Robustness. SIGCOMM, Portland OR, Aug 2004.
- P. Mockapetris and K. Dunlop. Development of the Domain Name System. SIGCOMM, Stanford CA, 1988.
- Power Laws
- Power laws are surprisingly common in practice; DNS query distributions
follow a power law. A side-effect of such distributions is that ordinary
caching does not work as well as one might expect: the heavy tail of rarely
queried names keeps producing misses that no reasonably sized cache can absorb,
so hit rates grow only slowly with cache size.
The following papers examine power-law distributions and their ramifications for caching:
- L. Breslau, P. Cao, L. Fan, G. Phillips, and S. Shenker. Web Caching and Zipf-like Distributions: Evidence and Implications. International Conference on Computer Communications, New York NY, Mar 1999.
- J. Jung, E. Sit, H. Balakrishnan, and R. Morris. DNS Performance and Effectiveness of Caching. SIGCOMM Internet Measurement Workshop, San Francisco CA, Nov 2001.
- This work examines periodically refreshing cached records to improve hit
rates. The Zipf distribution of DNS queries makes it difficult for such
heuristics to be effective, and they can place undue load on the
infrastructure. In contrast, Beehive uses an analytical solution that is
guaranteed to achieve a targeted level of performance.
- E. Cohen and H. Kaplan. Proactive Caching of DNS Records: Addressing a Performance Bottleneck. Symposium on Applications and the Internet, San Diego-Mission Valley CA, Jan 2001.
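As an added illustration of the two points above (a heavy-tailed query distribution limits what passive caching can do, and periodic refresh of cached records adds load for a small gain), here is a small simulation. It is not code from the Beehive or CoDoNS project, and the namespace size, Zipf exponent, cache sizes, TTL and refresh parameters are constructed assumptions; one query stands in for one clock tick.

```python
"""Constructed simulation of DNS caching under a Zipf-like query distribution.

Not project code: namespace size, Zipf exponent, cache sizes and TTL are
assumptions chosen for illustration, and one query = one clock tick.
"""
import bisect
import random
from collections import OrderedDict


def zipf_cdf(n, alpha):
    """Cumulative distribution over ranks 1..n, P(rank i) proportional to i**-alpha."""
    weights = [i ** -alpha for i in range(1, n + 1)]
    total = sum(weights)
    cdf, acc = [], 0.0
    for w in weights:
        acc += w / total
        cdf.append(acc)
    cdf[-1] = 1.0  # absorb floating-point rounding so sampling never overruns
    return cdf


def top_k_mass(n, alpha, k):
    """Fraction of all queries that go to the k most popular of n names."""
    return zipf_cdf(n, alpha)[k - 1]


def zipf_queries(n, alpha, count, seed=1):
    """Deterministic query stream; each element is a 0-based popularity rank."""
    cdf = zipf_cdf(n, alpha)
    rng = random.Random(seed)
    return [bisect.bisect_left(cdf, rng.random()) for _ in range(count)]


def lru_hit_rate(queries, capacity):
    """Hit rate of a size-bounded LRU cache (no TTL) over the query stream."""
    cache = OrderedDict()
    hits = 0
    for name in queries:
        if name in cache:
            hits += 1
            cache.move_to_end(name)
        else:
            cache[name] = True
            if len(cache) > capacity:
                cache.popitem(last=False)
    return hits / len(queries)


def ttl_hit_rate(queries, ttl, refresh_top=0):
    """Unbounded cache whose entries expire after `ttl` ticks.

    The `refresh_top` most popular names are re-fetched in the background
    just before they expire (a proactive-refresh heuristic), so after their
    first fetch they never miss.  Returns (hit rate, extra background
    lookups per tick that the refreshes cost).
    """
    fetched_at = {}
    hits = 0
    for now, name in enumerate(queries):
        fetched = fetched_at.get(name)
        if fetched is not None and (name < refresh_top or now - fetched < ttl):
            hits += 1
        else:
            fetched_at[name] = now  # miss: record is fetched from upstream
    return hits / len(queries), refresh_top / ttl


if __name__ == "__main__":
    N, ALPHA = 10_000, 0.9  # constructed namespace size and Zipf exponent
    q = zipf_queries(N, ALPHA, 200_000)
    print("queries to top 1%% of names:  %.2f" % top_k_mass(N, ALPHA, 100))
    print("queries to top 10%% of names: %.2f" % top_k_mass(N, ALPHA, 1000))
    for cap in (100, 1000, N):
        print("LRU cache of %5d entries: hit rate %.2f" % (cap, lru_hit_rate(q, cap)))
    base, _ = ttl_hit_rate(q, ttl=1000)
    ref, load = ttl_hit_rate(q, ttl=1000, refresh_top=100)
    print("TTL=1000 ticks: %.2f hits; with top-100 refresh: %.2f hits, +%.0f%% load"
          % (base, ref, 100 * load))
```

With these assumed parameters the top 1% of names attract well under half of all queries, a cache holding 1% of the namespace hits on only a minority of lookups, and refreshing the hundred most popular records costs a tenth of the foreground query rate in background traffic while lifting the TTL-limited hit rate by only a few percentage points; the remaining misses come from the tail, which is exactly what a popularity-driven heuristic cannot reach.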
- DNS Security
- There are many known vulnerabilities in many widely-deployed DNS
servers. In our survey in June 2004, we found that ~17% of all nameservers
had vulnerabilities identified as critical by the Internet Systems Consortium.
- Name Services
- CoDNS. CoDNS is a thin wrapper around name lookup that redirects queries to a healthy peer node when the local nameserver starts to fail, masking the long lookup latencies that such failures would otherwise cause.
- Intentional Naming System. INS enables clients to query for services based on complex predicates that capture the intentions of the users.
- Overlook. Overlook is part of the Herald project, which is building a publish/subscribe event notification service deployed as a self-configuring federation of peers designed to scale to Internet size and to provide timely delivery of notifications.
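The following is an added sketch of the CoDNS idea described in the entry above, written for this page rather than taken from CoDNS itself: a lookup goes to the local nameserver first, a peer is asked after a short delay, and that delay drops to zero once the local server's recent history shows failures. The latency trace, client timeout, peer cost and health thresholds are all constructed assumptions, and the failure-count window is a stand-in for whatever health estimate CoDNS actually uses.

```python
"""Constructed model of CoDNS-style lookup delegation (not CoDNS code).

Each lookup is described by how long the local nameserver would take to
answer, or None if it gives no answer before the client timeout.  Peers are
assumed to answer after a fixed constructed cost.  All numbers are assumptions.
"""

LOCAL_TIMEOUT = 1.0    # seconds a plain stub resolver waits before giving up
PEER_LATENCY = 0.05    # constructed cost of a lookup through a healthy peer
HEALTHY_DELAY = 0.2    # wait this long for the local server before asking a peer
FAIL_WINDOW = 5        # how many recent lookups the health estimate looks at
FAIL_THRESHOLD = 2     # failures in the window that mark the local server unhealthy

# Constructed trace: local answer latency per lookup, None = no answer in time.
LOCAL_TRACE = [0.01, 0.02, None, None, 0.01, None, 0.02, None, None, 0.01, 0.02, 0.01]


def plain_resolver(local_trace, timeout=LOCAL_TIMEOUT):
    """Latency of each lookup when only the local nameserver is used.
    A lookup that gets no answer burns the full client timeout."""
    return [lat if lat is not None else timeout for lat in local_trace]


class CoDNSLikeResolver:
    """Sends lookups to a peer sooner as the local nameserver looks less healthy."""

    def __init__(self, peer_latency=PEER_LATENCY, healthy_delay=HEALTHY_DELAY,
                 window=FAIL_WINDOW, threshold=FAIL_THRESHOLD):
        self.peer_latency = peer_latency
        self.healthy_delay = healthy_delay
        self.window = window
        self.threshold = threshold
        self.history = []  # one bool per past lookup: did the local server fail?

    def local_unhealthy(self):
        """Unhealthy when enough of the most recent lookups got no local answer."""
        recent = self.history[-self.window:]
        return sum(recent) >= self.threshold

    def lookup(self, local_latency):
        """Return the latency the client sees for one lookup.

        The peer query goes out after `delay` seconds (immediately if the
        local server is currently considered unhealthy) and the client takes
        whichever answer arrives first.
        """
        delay = 0.0 if self.local_unhealthy() else self.healthy_delay
        peer_answer = delay + self.peer_latency
        self.history.append(local_latency is None)
        if local_latency is None:
            return peer_answer
        return min(local_latency, peer_answer)

    def run(self, local_trace):
        return [self.lookup(lat) for lat in local_trace]


def mean(xs):
    return sum(xs) / len(xs)


if __name__ == "__main__":
    plain = plain_resolver(LOCAL_TRACE)
    codns = CoDNSLikeResolver().run(LOCAL_TRACE)
    print("local only : mean %.3fs, worst %.2fs" % (mean(plain), max(plain)))
    print("with peers : mean %.3fs, worst %.2fs" % (mean(codns), max(codns)))
```

On the constructed trace the first two local failures still cost the healthy-mode delay plus the peer round trip, because the resolver has not yet seen enough failures to distrust the local server; after that a failed local lookup costs only the peer latency, and the worst-case lookup falls from the full client timeout to a fraction of a second. A real deployment would also have to handle peers that are themselves unhealthy, which this model does not.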
- DNS Implementations
- These servers implement legacy DNS services. CoDoNS is compatible
with all RFC-compliant implementations and can work in conjunction
with them. Some of them have known security/functionality problems;
read the associated caveats before installing.
- BIND: The most commonly used DNS server.
- DJBDNS: A robust DNS server and resolver implementation.
- NSD: Name server daemon, for authoritative nameservers only.
- LBNAMED: A load-balancing DNS server written in Perl.
- Eddie: A load-balancing DNS server written in Erlang.
- OAK: A DNS server written in Python.
- MaraDNS: A general-purpose DNS server.
- We are grateful to the PlanetLab infrastructure for enabling us to
deploy our initial prototype of CoDoNS across the planet.