Recursive DNS Architectures and Vulnerability Implications
Source: Georgia Institute of Technology
DNS implementers face many choices when architecting resolvers, each with profound implications for security. Absent DNSSEC, a number of interim techniques exist to improve resistance to DNS forgery. The authors explore how different resolver architectures affect the risk of DNS poisoning. The contributions of this work are: a comprehensive, accurate model of DNS poisoning; a demonstration that this model is more sensitive than previous explanations of DNS poisoning; a catalog of the major architectural choices DNS implementers can make in query management; and an account of real-world instances where those choices have weakened the security of resolvers, with the impact on security measured using the model.
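As an added illustration (not the authors' model or code), the following simplified probability model shows how two query-management choices, whether a resolver coalesces duplicate outstanding queries and whether it randomizes the source port in addition to the 16-bit transaction ID, change the odds that a forged response is accepted. The bit widths, outstanding-query counts and design labels are assumptions constructed for the example.

```python
import math

# Simplified, constructed model of DNS response forgery. Assumption: a forged
# response is accepted only if every unpredictable field (transaction ID, and
# optionally the source port) matches one of the resolver's in-flight queries
# for that name, and the resolver believes the first matching answer it sees.

def id_space(txid_bits: int = 16, port_bits: int = 0) -> int:
    """Number of distinct values a forged response must guess among."""
    return 1 << (txid_bits + port_bits)

def poison_probability(spoofed: int, outstanding: int = 1,
                       txid_bits: int = 16, port_bits: int = 0) -> float:
    """P(at least one of `spoofed` forged responses matches one of
    `outstanding` in-flight queries), each in-flight query carrying its own
    independently chosen random values. A resolver that does not coalesce
    duplicate queries keeps several in flight, so `outstanding` > 1 models
    the birthday-style advantage that architecture hands an attacker."""
    if spoofed < 0 or outstanding < 1:
        raise ValueError("spoofed must be >= 0 and outstanding >= 1")
    space = id_space(txid_bits, port_bits)
    if outstanding >= space:
        return 1.0                      # every guess hits some query
    per_packet_hit = outstanding / space
    # 1 - (1 - p)**spoofed, evaluated without cancellation for tiny p
    return -math.expm1(spoofed * math.log1p(-per_packet_hit))

def spoofs_for_target(target: float, outstanding: int = 1,
                      txid_bits: int = 16, port_bits: int = 0) -> int:
    """Forged responses needed before success probability reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    per_packet_hit = outstanding / id_space(txid_bits, port_bits)
    if per_packet_hit >= 1.0:
        return 1
    return math.ceil(math.log1p(-target) / math.log1p(-per_packet_hit))

def compare_architectures(spoofed: int = 10_000) -> dict:
    """Success odds for the same forgery effort under several resolver
    designs (labels and parameters are constructed for illustration)."""
    return {
        "txid only, coalesced":          poison_probability(spoofed, 1, 16, 0),
        "txid only, 100 outstanding":    poison_probability(spoofed, 100, 16, 0),
        "txid + random port, coalesced": poison_probability(spoofed, 1, 16, 16),
    }

if __name__ == "__main__":
    for design, p in compare_architectures().items():
        print(f"{design:32s} P(poisoned) = {p:.3g}")
```

The comparison makes the abstract's point concrete: leaving duplicate queries uncoalesced multiplies the per-packet hit rate, while adding port entropy shrinks it by orders of magnitude for the same attacker effort.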