This paper considers DoS attacks on DNS wherein attackers flood the nameservers of a zone to disrupt resolution of resource records belonging to the zone and consequently, any of its sub-zones. We propose a minor change in the caching behavior of DNS resolvers that can significantly alleviate the impact of such attacks. In our proposal, DNS resolvers do not completely evict cached resource records whose TTL has expired; rather, such resource records are stored in a separate "stale cache". If, during the resolution of a query, a resolver does not receive any response from the nameservers that are responsible for authoritatively answering the query, it can use the information stored in the stale cache to answer the query. In effect, the stale cache is the part of the global DNS database that has been accessed by the resolver and represents an insurance policy that the resolver uses only when the relevant DNS servers are unavailable. We analyze a 65-day DNS trace to quantify the benefits of a stale cache under different attack scenarios. Further, while the proposed change to DNS resolvers also changes DNS semantics, we argue that it does not adversely impact any of the fundamental DNS characteristics such as the autonomy of zone operators and hence, is a very simple and practical candidate for mitigating the impact of DoS attacks on DNS.
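The resolver behaviour the abstract describes, as an added illustration that is not the paper's own code or data: records whose TTL has elapsed are demoted to a separate stale cache instead of being evicted, and a stale record is consulted only when the authoritative servers give no response at all. The `FakeZone` stub, the `www.example.test.` name, its address and TTL, and the `run_scenario` timeline are all constructed for this example; a real resolver would replace `FakeZone` with network queries to the zone's nameservers.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class NoResponse(Exception):
    """Raised by the upstream stub when none of a zone's nameservers answer."""


@dataclass
class CachedRecord:
    rdata: str        # record data, e.g. an A record's address
    ttl: int          # seconds, as set by the zone operator
    fetched_at: float # clock reading when the record was obtained


# Upstream lookup contract: returns (rdata, ttl) for a positive answer,
# returns None for an authoritative negative answer, or raises NoResponse
# when no nameserver of the zone responds (the DoS case).
Upstream = Callable[[str], Optional[Tuple[str, int]]]


class StaleCacheResolver:
    def __init__(self, upstream: Upstream, clock: Callable[[], float]):
        self.upstream = upstream
        self.clock = clock
        self.fresh: Dict[str, CachedRecord] = {}
        self.stale: Dict[str, CachedRecord] = {}

    def _demote_expired(self, now: float) -> None:
        # Unlike a conventional resolver, expired records are not evicted;
        # they move to the stale cache and wait there as an insurance policy.
        expired = [n for n, r in self.fresh.items() if now >= r.fetched_at + r.ttl]
        for name in expired:
            self.stale[name] = self.fresh.pop(name)

    def resolve(self, name: str) -> Tuple[Optional[str], str]:
        """Return (rdata, source); source is 'fresh', 'authoritative', 'negative' or 'stale'."""
        now = self.clock()
        self._demote_expired(now)
        rec = self.fresh.get(name)
        if rec is not None:
            return rec.rdata, "fresh"
        try:
            answer = self.upstream(name)
        except NoResponse:
            # Only the total absence of a response unlocks the stale cache;
            # a name never seen before has nothing to fall back on.
            stale = self.stale.get(name)
            if stale is not None:
                return stale.rdata, "stale"
            raise
        if answer is None:
            # A negative answer is still a response from the authority:
            # honour it and discard any stale copy rather than resurrect it.
            self.stale.pop(name, None)
            return None, "negative"
        rdata, ttl = answer
        self.fresh[name] = CachedRecord(rdata, ttl, now)
        self.stale.pop(name, None)
        return rdata, "authoritative"


class FakeZone:
    """Constructed stand-in for a zone's authoritative nameservers (not real DNS)."""

    def __init__(self) -> None:
        # Constructed sample record: name -> (rdata, ttl in seconds).
        self.records: Dict[str, Tuple[str, int]] = {"www.example.test.": ("192.0.2.10", 60)}
        self.under_attack = False  # when True, every query times out

    def __call__(self, name: str) -> Optional[Tuple[str, int]]:
        if self.under_attack:
            raise NoResponse(name)
        return self.records.get(name)


def run_scenario():
    """Walk a constructed timeline through the resolver and return each answer's source."""
    clock = [0.0]
    zone = FakeZone()
    resolver = StaleCacheResolver(zone, lambda: clock[0])
    events = []
    events.append(resolver.resolve("www.example.test."))  # t=0: fetched from the authority
    clock[0] = 30.0
    events.append(resolver.resolve("www.example.test."))  # t=30: still within the 60 s TTL
    clock[0] = 100.0
    zone.under_attack = True                               # nameservers flooded, no replies
    events.append(resolver.resolve("www.example.test."))  # TTL expired, no response -> stale
    try:
        resolver.resolve("never-seen.example.test.")      # never cached: nothing to fall back on
        events.append((None, "unexpected"))
    except NoResponse:
        events.append((None, "failed"))
    zone.under_attack = False
    clock[0] = 200.0
    events.append(resolver.resolve("www.example.test."))  # servers back: refreshed, stale copy dropped
    return events


if __name__ == "__main__":
    for rdata, source in run_scenario():
        print(f"{source:14s} {rdata}")
```

The distinction between "no response" and "negative response" is the part worth keeping in mind when implementing this: a stale record must never override an authoritative NXDOMAIN or a fresh answer, otherwise the change would undermine the zone operator's control over the record, which is exactly the property the abstract argues is preserved.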