Cited By
View all- Al-Dalky RRabinovich MAllman M(2018)Practical challenge-response for DNSACM SIGCOMM Computer Communication Review10.1145/3276799.327680248:3(20-28)Online publication date: 7-Sep-2018
Practical Challenge-Response for DNS
Page 74
Abstract
Authoritative DNS nameservers are vulnerable to being used in denial of service attacks whereby an attacker sends DNS queries while masquerading as a victim---hence coaxing the DNS server to send the responses to the victim. Reflecting off innocent DNS servers both hides the attackers identity and often amplifies the attackers traffic by turning small DNS requests sent to the nameserver into large DNS answers sent to the victim. In this poster we discuss a practical challenge-response technique that establishes a requester's identity before sending a full answer. Unlike previous schemes, our work deals with so-called "resolver pools"---or groups of DNS resolvers that work together to lookup records in the DNS. In these cases a challenge transmitted to a resolver N1 may be dealt with by a different resolver N2, thus leaving an authoritative DNS server wondering whether N2 is another resolver in the pool or a victim. We propose a technique called "challenge chains" to establish identity in the face of resolver pools. We show that the cost of our scheme in terms of added delay is small. This work appears in [1].
[1] Rami Al-Dalky, Michael Rabinovich, Mark Allman. Practical Challenge-Response for DNS. ACM Computer Communication Review, 48(3), July 2018.
Index Terms
- Practical Challenge-Response for DNS
Recommendations
Practical challenge-response for DNS
Authoritative DNS servers are susceptible to being leveraged in denial of service attacks in which the attacker sends DNS queries while masquerading as a victim---and hence causing the DNS server to send the responses to the victim. This reflection off ...
Securing DNS: Extending DNS Servers with a DNSSEC Validator
DNS Security Extensions (DNSSEC) is a proposed standard for securely authenticating information in the Domain Name System. DNSSEC validators check the digital signatures on DNS data. However, designing a validator worth the operational costs is a ...
Comparing DNS resolvers in the wild
IMC '10: Proceedings of the 10th ACM SIGCOMM conference on Internet measurementThe Domain Name System (DNS) is a fundamental building block of the Internet. Today, the performance of more and more applications depend not only on the responsiveness of DNS, but also the exact answer returned by the queried DNS resolver, e.g., for ...
Comments
Information & Contributors
Information
Published In
July 2018
102 pages
ISBN:9781450355858
DOI:10.1145/3232755
Copyright © 2018 Owner/Author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
- IRTF: Internet Research Task Force
- Internet Society: Internet Society
- SIGCOMM: ACM Special Interest Group on Data Communication
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 16 July 2018
Check for updates
Author Tags
Qualifiers
- Abstract
- Research
- Refereed limited
Conference
ANRW '18
Sponsor:
- IRTF
- Internet Society
- SIGCOMM
Acceptance Rates
Overall Acceptance Rate 34 of 58 submissions, 59%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 109Total Downloads
- Downloads (Last 12 months)10
- Downloads (Last 6 weeks)6
Reflects downloads up to 30 Aug 2024
Other Metrics
Citations
Cited By
View all- Al-Dalky RRabinovich MAllman M(2018)Practical challenge-response for DNSACM SIGCOMM Computer Communication Review10.1145/3276799.327680248:3(20-28)Online publication date: 7-Sep-2018
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in