"A Comparative Study of Current DNS with DHT-Based Alternatives"

A comparative study of the DNS design with DHT-based alternatives

2006

Abstract: The current Domain Name System (DNS) follows a hierarchical tree structure. Several recent efforts proposed to re-implement DNS as a peer-to-peer network with a flat structure that uses Distributed Hash Tables (DHT) to improve the system availability. In this paper we compare the performance and availability of these two designs, enabled by caching and redundancy in both cases. We show that the caching and redundancy mechanisms in each design are closely bound to its system structure.

The case for pushing DNS

2005

We present the case for using a peer-to-peer infrastructure to push DNS name server records to thousands of name servers world wide. We show that such an infrastructure increases the robustness of the DNS in an increasingly hostile Internet. We further show that the overheads of a peer-to-peer DNS infrastructure are both manageable and scalable.

DoX: A Peer-to-Peer Antidote for DNS Cache Poisoning Attacks

2006 IEEE International Conference on Communications, 2006

The mapping service provided by the Domain Name System (DNS) is fundamental not only to the health of the Internet but also to the protection and integrity of the data. Recently, the DNS infrastructure has suffered several malicious attacks including DNS cache poisoning, which causes the DNS to return false name-to-IP mappings and can be used as a foothold for more insidious attacks. This paper proposes DoX, a peer-to-peer based scheme, to detect and correct inaccurate DNS records caused by cache poisoning attacks. DoX also helps DNS servers to improve cache consistency by detecting and removing obsolete records. DoX does not require modifications to the current infrastructure and can be deployed quickly. It does not use cryptographic techniques and thus does not suffer from the key management and processing overhead issues of those techniques.

TrickleDNS: A Safety Net for the Domain Name System

2007

This paper presents TrickleDNS, a practical and decentralized system for disseminating DNS data securely. Unlike prior solutions, which depend on the as-yet-undeployed DNSSEC standard to preserve data integrity, TrickleDNS uses a novel security framework that provides resilience from data corruption by compromised servers and denial of service attacks. It is based on the key design principle of randomization: First, TrickleDNS organizes participating nameservers into a well-connected peer-to-peer network with random yet constrained links to form a Secure Network of Nameservers (SNN). Nameservers in the SNN reliably broadcast their public keys to other nameservers without relying on a centralized PKI. Second, TrickleDNS reliably binds domains to their authoritative name servers through independent verification by multiple, randomly chosen peers within the SNN. Finally, TrickleDNS servers proactively disseminate self-certified versions of DNS records to provide faster performance, better availability, and improved security. This paper validates TrickleDNS through simulations and experiments on a prototype implementation.

CR-Chord: Improving lookup availability in the presence of malicious DHT nodes

Computer Networks, 2011

Distributed Hash Tables (DHTs) provide a useful key-to-value lookup service for many Internet applications. However, without additional mechanisms DHTs are vulnerable to attacks. In particular, previous research showed that Chord is not very resistant to malicious nodes that have joined the DHT. We introduce the cyclic routing algorithm as an extension of Chord (CR-Chord). Using simulations we compare the lookup availability of Chord and CR-Chord. The results suggest that CR-Chord improves the lookup availability on average by 1.4 times. When the number of malicious nodes is small, such as 5%, CR-Chord has an almost two times lower lookup failure rate.

"Enhancing DNS Resilience against Denial of Service Attacks"

The Domain Name System (DNS) is a critical Internet infrastructure that provides name to address mapping services. In the past few years, distributed denial of service (DDoS) attacks have targeted the DNS infrastructure and threaten to disrupt this critical service. In this paper we show that the existing DNS can gain significant resilience against DDoS attacks through a simple change to the current DNS operations, by setting longer time-to-live values for a special class of DNS resource records, the infrastructure records. These records are used to navigate the DNS hierarchy and change infrequently. Furthermore, in combination with a set of simple and incrementally deployable record renewal policies, the DNS service availability can be improved by one order of magnitude. Our approach requires neither additional physical resources nor any change to the existing DNS design. We evaluate the effectiveness of our proposed enhancement by using DNS traces collected from multiple locations.
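As an added illustration of the trade-off this abstract describes (example code, not the paper's own), the following Python model compares a resolver that serves a cached NS record until its TTL expires with one that also renews the record early while the authoritative server is still reachable, and measures how much of an authoritative-server outage each one survives. The TTL values, the outage length, the one-query-per-second load and the renewal threshold are all assumptions chosen for the illustration.

```python
"""Cached infrastructure records under an authoritative-server outage.

Added illustration, not code from the paper. A resolver holds a cached NS
record with a given TTL; an attacker takes the authoritative servers offline
for OUTAGE_S seconds; we measure the fraction of queries that need the record
and fail during the outage. Two resolver behaviours are compared:
  - standard: serve from cache until the TTL expires, then ask the
    authoritative server (which fails during the outage);
  - renew: additionally, when a query finds less than RENEW_FRACTION of the
    TTL remaining, re-fetch the record in the background; if that fetch fails
    the cached copy is kept and served until it expires.
All parameters below are assumptions, not values from the paper.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Resolver:
    ttl: int                                 # TTL of the cached NS record (s)
    renew_fraction: Optional[float] = None   # None => standard behaviour
    expires_at: int = 0                      # absolute time the cache entry expires

    def lookup(self, now: int, auth_up: bool) -> bool:
        """Answer a query at time `now`; True if the record could be served."""
        if now < self.expires_at:
            if self.renew_fraction is not None:
                remaining = self.expires_at - now
                # Early renewal: only succeeds while the authoritative server is up.
                if remaining < self.renew_fraction * self.ttl and auth_up:
                    self.expires_at = now + self.ttl
            return True
        # Cache entry expired: the query now depends on the authoritative server.
        if auth_up:
            self.expires_at = now + self.ttl
            return True
        return False


def outage_failure_rate(ttl: int, renew_fraction: Optional[float],
                        outage_len: int, trials: int = 200, seed: int = 1) -> float:
    """Mean fraction of one-per-second queries that fail during an outage of
    `outage_len` seconds starting at a random phase of the cache lifetime."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        r = Resolver(ttl, renew_fraction)
        # Warm-up with the server reachable; a random extra length randomises
        # how much TTL is left when the outage begins.
        warm = rng.randrange(ttl) + ttl
        for t in range(warm):
            r.lookup(t, auth_up=True)
        failed = sum(not r.lookup(t, auth_up=False)
                     for t in range(warm, warm + outage_len))
        total += failed / outage_len
    return total / trials


def compare(outage_len: int = 1800, ttls=(300, 3600, 86400),
            renew_fraction: float = 0.5) -> dict:
    """Failure rates for each TTL under both policies (assumed parameters)."""
    return {ttl: {"standard": outage_failure_rate(ttl, None, outage_len),
                  "renew": outage_failure_rate(ttl, renew_fraction, outage_len)}
            for ttl in ttls}


if __name__ == "__main__":
    for ttl, rates in compare().items():
        print(f"TTL={ttl:6d}s  standard={rates['standard']:.3f}  "
              f"renew={rates['renew']:.3f}")
```

With a 30-minute outage, a 5-minute TTL fails for most of the outage under either policy, a 1-hour TTL loses about a quarter of queries without renewal and almost none with early renewal at half the TTL, and a 1-day TTL rides the outage out entirely; the longer TTL buys the slack, and the renewal policy guarantees a minimum amount of it at the moment the outage starts.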

T/TCP for DNS: A performance and security analysis

2003

DNS (Domain Name System) is a mandatory subsystem of the Internet. DNS, however, has many vulnerabilities due to its complex structure. Major security incidents, such as a DDoS (Distributed Denial-of-Service) attack on the Root Servers, have been continuously and repeatedly hampering the Internet's operation.

An IP address based caching scheme for peer-to-peer networks

GLOBECOM '03. IEEE Global Telecommunications Conference (IEEE Cat. No.03CH37489), 2003

Distributed hash tables (DHTs), used in a number of current peer-to-peer systems, provide efficient mechanisms for resource location. Systems such as Chord, Pastry, CAN, and Tapestry provide strong guarantees that queries in the overlay network can be resolved in a bounded number of overlay hops, while preserving load balance among the peers. A key distinction in these systems is the way they handle locality in the underlying network. Topology-based node identifier assignment, proximity routing, and proximity neighbor selection are examples of heuristics used to minimize message delays in the underlying network. In this paper, we investigate the use of source IP addresses to enhance locality in overlay networks based on DHTs. We first show that a naive use of source IP address potentially leads to severe resource imbalance due to nonuniformity of peers over the IP space. We then present an effective caching scheme that combines a segment of the source IP with the queried hash-code to effectively localize access and affect replication. Using detailed experiments, we show that this scheme achieves performance gains of up to 41%, when compared to Pastry in combination with the proximity neighbor selection heuristic.

Secure distributed DNS

International Conference on Dependable Systems and Networks, 2004, 2004

A correctly working Domain Name System (DNS) is essential for the Internet. Due to its significance and because of deficiencies in its current design, the DNS is vulnerable to a wide range of attacks. This paper presents the design and implementation of a secure distributed name service. Our service is able to provide fault tolerance and security even in the presence of a fraction of corrupted servers, avoiding any single point of failure. It further solves the problem of storing zone secrets online in a way that does not leak them to a corrupted server, while still supporting secure dynamic updates. Our service uses state-machine replication and threshold cryptography. We present results from experiments performed using a prototype implementation on the Internet in realistic setups. The results show that our design achieves the required assurances while servicing the most frequent requests in reasonable time.

Recursive replication: A survival solution for structured P2P information systems to denial of service attacks

2007

Structured Peer-to-Peer overlays have been shown to be a very good solution for building very large-scale distributed information systems. Most of them are based on Distributed Hash Tables (DHTs) that provide an easy way to manage replicas, thus facilitating high availability of data as well as fault tolerance. However, DHTs can also be affected by some well-known Distributed Denial of Service attacks that can lead to almost complete unavailability of the stored objects.