Measures for Making DNS More Resilient against Forged Answers

The current Internet climate poses serious threats to the Domain Name System. In the interim period before the DNS protocol can be secured more fully, measures can already be taken to harden the DNS to make 'spoofing' a recursing nameserver many orders of magnitude harder. Even a cryptographically secured DNS benefits from having the ability to discard bogus responses quickly, as this potentially saves large amounts of computation. By describing certain behaviour that has previously not been standardised, this document sets out how to make the DNS more resilient against accepting incorrect responses. This document updates RFC 2181.
