Abstract
The Domain Name System (DNS) is an essential component of the critical infrastructure of the Internet. The role of DNS is vital, as it is involved in virtually every Internet transaction. It is sometimes remarked that DNS works well as it is now and any changes to it may disrupt its functionality and add complexity. However, due to its importance, an insecure DNS is unacceptable for current and future networks. The astonishing simplicity of mounting an attack against the DNS and the damaging potential of such an attack should convince practitioners and system administrators to employ a secure version of DNS. However, security comes with a cost. In this paper, we examine the performance of two proposals for secure DNS and we discuss the advantages and disadvantages of both. In particular, we analyze the impact that security measures have on the performance of DNS. While it is clear that adding security will lower DNS performance, our results show that the impact of security can be mitigated by deploying different security extensions at different levels in the DNS tree.
We also describe the first implementation of the SK-DNSSEC [1] protocol. The code is freely downloadable and released under an open-source license.
The full version of the paper is available on the authors’ website.
References
Ateniese, G., Mangard, S.: A new approach to DNS security (DNSSEC). In: 8th ACM Conference on Computer and Communications Security, pp. 86–95. ACM Press, New York (2001)
Bellovin, S.M.: Using the Domain Name System for system break-ins. In: Proceedings of the Fifth USENIX UNIX Security Symposium, June 1995, pp. 199–208 (1995)
Atkins, D., Austein, R.: Threat Analysis of The Domain Name System, IETF - Network Working Group, RFC 3833 (August 2004)
Vixie, P.: DNS and BIND security issues. In: Proceedings of the Fifth USENIX UNIX Security Symposium, June 1995, pp. 209–216 (1995)
de Raadt, T., Provos, N., Miller, T., Briggs, A.: Bind vulnerabilities and solutions (April 1997), http://niels.xtdnet.nl/papers/secnet-bind.txt
Eastlake, D.: Domain Name System Security Extensions. RFC 2535 (March 1999)
Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)
Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. IETF - Network Working Group, RFC 2104 (February 1997)
Davis, D., Swick, R.: Network security via private-key certificates. In: Proceedings of the Third USENIX UNIX Security Symposium, September 1992, pp. 239–242 (1992); Also in ACM Operating Systems Review 24(4) (October 1990)
Neuman, B.C., Ts’o, T.: Kerberos: An authentication system for computer networks. IEEE Communications 32(9), 33–38 (1994)
Kohl, J., Neuman, C.: The Kerberos Network Authentication System (V5). IETF - Network Working Group, RFC 1510 (September 1993)
Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
Lenstra, A., de Weger, B.: On the possibility of constructing meaningful hash collisions for public keys. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 267–279. Springer, Heidelberg (2005)
Whiting, D., Schneier, B., Bellovin, S.: AES key agility issues in high-speed IPsec implementations
Arends, R., Larson, M., Austein, R., Massey, D., Rose, S.: Protocol modifications for the DNS security extensions, Internet draft 09, IETF - DNS Extensions (October 2004)
Arends, R., Larson, M., Austein, R., Massey, D., Rose, S.: Resource records for the DNS security extensions, Internet Draft 11, IETF - DNS Extensions (October 2004)
Vixie, P.: Extension Mechanisms for DNS (EDNS0). IETF - Network Working Group, RFC 2671 (August 1999)
NOMINUM, How to Measure the Performance of a Caching DNS Server (2002), http://www.nominum.com/content/documents/CNS_WP.pdf
Dean, D., Stubblefield, A.: Using client puzzles to protect TLS. In: Proceedings of the Tenth USENIX Security Symposium (August 2001)
Juels, A., Brainard, J.: Client puzzles: A cryptographic defense against connection depletion attacks. In: Kent, S. (ed.) Proceedings of NDSS 1999, pp. 151–165 (1999)
Waters, B., Juels, A., Halderman, J.A., Felten, E.W.: New client puzzle outsourcing techniques for DoS resistance. In: 11th ACM CCS 2004. ACM, New York (2004)
Wessels, D., Fomenkov, M.: Wow, that’s a lot of packets. In: PAM 2003 (April 2003)
Jung, J., Sit, E., Balakrishnan, H., Morris, R.: DNS performance and the effectiveness of caching. In: ACM SIGCOMM Internet Measurement Workshop 2001 (November 2001)
Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: Fast and secure message authentication. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 216–233. Springer, Heidelberg (1999)
Vixie, P., Thomson, S., Rekhter, Y., Bound, J.: Dynamic Updates in the Domain Name System (DNS UPDATE). IETF - Network Working Group, RFC 2136 (April 1997)
Ostrovsky, R., Yung, M.: How to withstand mobile virus attacks. In: 10th ACM Symposium on Principles of Distributed Computing, pp. 51–59. ACM Press, New York (1991)
© 2005 Springer-Verlag Berlin Heidelberg
Curtmola, R., Del Sorbo, A., Ateniese, G. (2005). On the Performance and Analysis of DNS Security Extensions. In: Desmedt, Y.G., Wang, H., Mu, Y., Li, Y. (eds) Cryptology and Network Security. CANS 2005. Lecture Notes in Computer Science, vol 3810. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11599371_24
DOI: https://doi.org/10.1007/11599371_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30849-2
Online ISBN: 978-3-540-32298-6