IRONSIDES: DNS with No Single-Packet Denial of Service or Remote Code Execution Vulnerabilities
The Internet domain name system, or DNS, is an essential component of Internet infrastructure. Responsible for turning names into IP addresses, its protocols run on hundreds of thousands of computers all over the world. Originally designed to solve a scalability problem during the early days and rapid growth of the ARPAnet, it has by any standard been an incredible success. The authors describe the development of IRONSIDES, an implementation of DNS that is provably invulnerable to remote code execution exploits and single-packet denial of service attacks. Their experimental results show it to be over three times as fast as BIND, the most common implementation of DNS.