A Simple Approach to DNS DoS Mitigation

We consider DoS attacks on DNS in which attackers flood the nameservers of a zone to disrupt resolution of the resource records belonging to that zone and, consequently, of any of its sub-zones. We argue that a minor change in the caching behavior of DNS resolvers can significantly mitigate the impact of such attacks. In our proposal, DNS resolvers do not simply evict cached records whose TTL has expired; instead, such records are moved to a separate “stale cache”. If, during the resolution of a query, a resolver receives no response from the nameservers responsible for authoritatively answering the query, it can answer the query from the stale cache. In effect, DNS resolvers retain the part of the global DNS database they have previously accessed, but use it only when the relevant DNS servers are unavailable. While this change to DNS resolvers also changes DNS semantics, we show that it does not adversely affect any of the fundamental characteristics of DNS, such as the autonomy of zone operators, and hence is a very simple and practical candidate for alleviating the impact of DoS attacks on DNS.
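The stale-cache behavior described above, as an added illustration that is not code from the paper: a toy resolver demotes expired records to a stale cache and serves from it only when the authoritative servers fail to respond. The class, the `upstream` callback signature and the zone data are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Upstream lookup: returns (rdata, ttl) or None when the authoritative
# nameservers do not answer (e.g. a timeout because they are being flooded).
Upstream = Callable[[str], Optional[Tuple[str, int]]]


@dataclass
class StaleCacheResolver:
    """Toy recursive resolver with a separate stale cache (constructed example)."""
    fresh: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # name -> (rdata, expiry)
    stale: Dict[str, str] = field(default_factory=dict)  # name -> rdata kept past its TTL

    def resolve(self, name: str, now: float, upstream: Upstream) -> Tuple[Optional[str], str]:
        """Return (rdata, source); source is 'cache', 'authoritative', 'stale' or 'servfail'."""
        entry = self.fresh.get(name)
        if entry is not None:
            rdata, expiry = entry
            if now < expiry:
                return rdata, "cache"
            # TTL expired: demote the record to the stale cache instead of evicting it.
            del self.fresh[name]
            self.stale[name] = rdata
        answer = upstream(name)
        if answer is not None:
            rdata, ttl = answer
            self.fresh[name] = (rdata, now + ttl)
            self.stale.pop(name, None)  # fresh authoritative data supersedes the stale copy
            return rdata, "authoritative"
        # No response from the authoritative servers: this is the only time stale data is used.
        if name in self.stale:
            return self.stale[name], "stale"
        return None, "servfail"


def simulate_outage() -> List[str]:
    """Walk one record through a fresh hit, TTL expiry and an upstream outage."""
    resolver = StaleCacheResolver()
    records = {"www.example.net.": ("192.0.2.10", 60)}  # constructed zone data, TTL 60s
    up = lambda n: records.get(n)  # healthy authoritative servers
    down = lambda n: None  # servers flooded: every query times out
    trace = []
    trace.append(resolver.resolve("www.example.net.", 0, up)[1])  # authoritative
    trace.append(resolver.resolve("www.example.net.", 30, down)[1])  # cache: still within TTL
    trace.append(resolver.resolve("www.example.net.", 90, down)[1])  # stale: expired during outage
    trace.append(resolver.resolve("www.example.net.", 120, up)[1])  # authoritative: servers recovered
    trace.append(resolver.resolve("never.seen.example.", 120, down)[1])  # servfail: nothing cached
    return trace
```

Note that a record never seen before the outage still fails, which is the limit of the approach: the stale cache can only protect names the resolver has already resolved.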
