Domain Name System (DNS) cache poisoning is a stepping stone towards advanced (cyber) attacks. DNS cache poisoning can be used to monitor users’ activities for censorship, to distribute malware and spam and to subvert correctness and availability of Internet clients and services. Currently, the DNS infrastructure relies on challengeresponse defences against attacks by (the common) off-path adve...

In this paper, we present a novel approach to exploit the relationships among domain names to improve the cache hit rate for a local DNS server. Using these relationships, an authoritative DNS server (ADNS) can piggyback resolutions for future queries as part of the response message for an initial query. The approach improves the cache hit rate as well as reducing the total queries and response...

We study and document an important development in how attackers are using Internet resources: the creation of malicious DNS resolution paths. In this growing form of attack, victims are forced to use rogue DNS servers for all resolution. To document the rise of this “second secret authority” on the Internet, we studied instances of aberrant DNS resolution on a university campus. We found dozens...

Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Summary To remain a global network, the Internet requires the existence of a globally unique public name space. The DNS name space is a hierarchical name space derived from a single, globally unique root. This is a technical...

Researchers have recently noted [14, 27] the potential of fast poisoning attacks against DNS servers, which allows attackers to easily manipulate records in open recursive DNS resolvers. A vendor-wide upgrade mitigated but did not eliminate this attack. Further, existing DNS protection systems, including bailiwick-checking [12] and IDS-style filtration, do not stop this type of DNS poisoning. W...

This document specifies IPv6 Router Advertisement options to allow IPv6 routers to advertise a list of DNS recursive server addresses and a DNS Search List to IPv6 hosts.

The Domain Name System Security Extensions (DNSSEC) architecture is based on public-key cryptography. A secure DNS zone has one or more keys and signs its resource records with these keys in order to provide two security services: data integrity and authentication. These services allow to protect DNS transactions and permit the detection of attempted attacks on DNS. The DNSSEC validation proces...

DNS Tunnels are built through proper tools that allow embedding data on DNS queries and response. Each tool has its own approach to the building tunnels in DNS that differently affects the network performance. In this paper, we propose a brief architectural analysis of the current state-of-the-art of DNS Tunneling tools. Then, wepropose the first comparative analysis of such tools in term of pe...

Abstract The advent of inexpensive data storage has resulted in larger and datasets as the cost pruning becomes more expensive then storing it for future insights. This decreasing also led to practice multiple locations redundancy. However, without any uniform method determining link costs different sites, a dataset is not always retrieved from most effective site. Distributed DNS, or DDD, solv...

The Domain Name System (DNS) [1] [2] has been recently improved by the addition of DNS security extensions (DNSSEC) [3] [4] [5]. These improvements secure DNS against information forgery, modification and other attacks [6]. The DNS infrastructure needs to be upgraded to take advantage of the benefits offered by DNSSEC. Servers will need to serve DNSSEC enabled records and applications will need...