1. DNS Resolvers Considered Harmful

Kyle Schomp:

「共用リゾルバーをやめよう」 検討の価値がある。 -- ToshinoriMaeno 2014-10-23 11:37:23

1.1. Abstract

The Domain Name System (DNS) is a critical component of the Internet infrastructure that has many security vulnerabilities.
In particular, shared DNS resolvers are a notorious security weak spot in the system. 

We propose an unorthodox approach for tackling vulnerabilities in shared DNS resolvers: 
    removing shared DNS resolvers entirely and leaving recursive resolution to the clients.
We show that the two primary costs of this approach—
 loss of performance and an increase in system load—
are modest and therefore conclude that this approach is beneficial
for strengthening the DNS by reducing the attack surface.

共用のリゾルバーは廃止して、

1.2. 7. CONCLUSION

Traditionally, our community’s response to security problems is to harden a protocol or its implementation. In this paper we take an alternate approach to DNS security, suggesting a different factorization of the work that eliminates shared DNS resolvers.

The benefit of this approach is to reduce DNS’ attack surface. Through an initial study of a single network, we show that while there are costs, those costs are modest and manageable.

For instance, less than 10% of TCP connections will be delayed by direct client resolution. Further, the 99.9th percentile load does not increase at all for 90% of the ADNS servers and by a factor of two at the .com TLD server–with no effort to mitigate the additional load. There are policy and privacy concerns, as well, but we believe this initial investigation shows that leaning on clients to do their own lookups deserves serious consideration.

Further, we believe this effort illustrates that revisiting the fundamental way we arrange networks in the context of modern network realities may well be useful across other components of the system, as well.


ルータなどのおまけのDNSが危険という話だったか。

2. Assessing DNS Vulnerability to Record Injection

https://www.icsi.berkeley.edu/pubs/networking/assessingDNS14.pdf

9 Conclusion

In this study, we assess the susceptibility of the client-side DNS infrastructure to record
injection attacks. We find that many open resolvers are still vulnerable to record injec-
tion. Further, these devices provide a back door to attack shared DNS infrastructure.
Through active probing, we assess the extent of known record injection threats and the
deployment of known protective techniques. We further uncover and measure a new
attack vector—the preplay attack. We find 7–9% of the open DNS resolvers are vul-
nerable to the preplay attack and 16% of recursive DNS servers are vulnerable to the
Kaminsky attack. Therefore, we conclude that the client-side DNS ecosystem is non-
trivially vulnerable to record injection attacks.