[dns-operations] resolvers considered harmful

Florian Weimer fw at deneb.enyo.de
Wed Oct 22 17:27:20 UTC 2014


* Mark Allman:

>   The Domain Name System (DNS) is a critical component of the Internet
>   infrastructure that has many security vulnerabilities.  In particular,
>   shared DNS resolvers are a notorious security weak spot in the system.
>   We propose an unorthodox approach for tackling vulnerabilities in
>   shared DNS resolvers: removing shared DNS resolvers entirely and
>   leaving recursive resolution to the clients.

This is a bit over the top.  I've suggested multiple times that one
possible way to make DNS cache poisoning less attractive is to cache
only records which are stable over multiple upstream responses, and
limit the time-to-live not just in seconds, but also in client
responses.  Expiry in terms of client responses does not cause a cache
expiration, but a new upstream query once the record is needed again.
If the new response matches what is currently in the cache, double
the new client response time-to-live count from the previous starting
value.  If not, start again at the default low value (perhaps even 1).

Doing this for infrastructure records is a bit tricky, but I'm sure
something can be worked out.
