Everything in Its Right Place: Improving DNS resilience
In 2023, the Domain Name System (DNS) will celebrate 40 years since its creation. Despite the passing of four decades, the DNS continues to play a fundamental role in today's Internet. Specifically, the DNS provides the essential service of translating human-readable domain names (e.g., example.org) to IP addresses (e.g., 188.8.131.52).
Over the years, the Internet has become increasingly vital to our modern society. The continuous flow of information that takes place on the Internet every day cannot be stopped without catastrophic consequences. In addition, services of crucial importance for people's everyday lives, such as government services, are increasingly transitioning to digital infrastructure.
Given the importance of the DNS for the functioning of the Internet and modern society, any issues that the DNS encounters nowadays would have far-reaching consequences. However, over the past 40 years, weaknesses in the DNS system have emerged.
One of the most significant cybersecurity threats facing the DNS today is the Distributed Denial of Service (DDoS) attack, which can severely degrade the availability of the DNS ecosystem.
Recent events show that targeted attacks on even a small portion of the DNS infrastructure can impact millions of services and users.
In this context, a comprehensive characterization of the resilience mechanisms of the DNS authoritative infrastructure, along with an analysis of threats against this resilience, is missing. This gap has led us to the main goal and contribution of this thesis.
To achieve this goal, we use a mixed measurement and analytical approach focused on different factors that undermine DNS resilience. Specifically, throughout this thesis, we analyze misconfigurations and vulnerabilities resulting from miscommunication between operators, assess the choices these operators make to build more robust and stable deployments against the backdrop of existing best practices, and evaluate the effectiveness of the deployed techniques in withstanding DDoS attacks.
Focusing on our contributions, we show that while the distributed nature of the DNS has enabled its scalability and success, it also presents risks to its resilience. Inconsistency in the DNS hierarchy resulting from miscommunications between stakeholders increases the attack surface and affects resilience, enabling lame delegations and hijacking with potentially severe consequences.
Later, we characterize the large-scale adoption of best practices defined by several RFCs, Internet standards, and recent self-regulatory frameworks and legislation. In the wild, we show that the DNS is a robust system with good resilience properties, mainly due to choices made by large operators. However, DDoS attacks are still affecting the DNS ecosystem.
To overcome them, we show that combining traditional DNS resilience techniques with newer technologies such as IP Anycast is one of the key success strategies.
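The two failure modes the abstract names, inconsistency between the parent's delegation and the child's apex (which enables lame delegations and stale pointers), and deployments that fall short of provisioning best practices, can both be checked from a snapshot of a zone's nameserver set. The following is an added example and not code from the thesis: a Python audit over constructed data. The parent and child NS sets, the lookup table of addresses and origin ASes, and all server names are constructed for illustration; in practice they would come from querying the parent's and the child's authoritative servers. The diversity thresholds (/24 and /48 prefixes, distinct origin ASes) are this example's reading of RFC 2182's advice on placing secondaries, not a rule the thesis states.

```python
"""Added example: delegation-consistency and provisioning checks for a
zone's authoritative nameserver set. All data below is constructed."""
from ipaddress import ip_address, ip_network

# Constructed sample: what the parent zone delegates vs. what the child
# zone apex publishes, plus hypothetical lookup results per server name.
PARENT_NS = {"ns1.example.org.", "ns2.example.org.", "ns3.old-provider.example."}
CHILD_NS = {"ns1.example.org.", "ns2.example.org."}
# name -> (address or None if it no longer resolves, origin AS,
#          answers authoritatively for the zone?)
NS_INFO = {
    "ns1.example.org.": ("192.0.2.10", 64496, True),
    "ns2.example.org.": ("192.0.2.20", 64496, True),
    "ns3.old-provider.example.": (None, None, False),
}


def delegation_inconsistencies(parent_ns, child_ns):
    """Servers listed on only one side of the delegation: the two
    stakeholders disagree about who serves the zone."""
    parent = {n.lower() for n in parent_ns}
    child = {n.lower() for n in child_ns}
    return {"parent_only": parent - child, "child_only": child - parent}


def lame_servers(ns_set, info):
    """Listed servers that cannot be reached or do not answer
    authoritatively for the zone (a lame delegation)."""
    lame = set()
    for name in ns_set:
        addr, _asn, authoritative = info.get(name, (None, None, False))
        if addr is None or not authoritative:
            lame.add(name)
    return lame


def diversity_report(ns_set, info):
    """Count distinct routing prefixes (/24 for IPv4, /48 for IPv6) and
    origin ASes among the reachable servers, following the RFC 2182
    advice that secondaries be topologically and administratively diverse."""
    prefixes, asns, reachable = set(), set(), 0
    for name in ns_set:
        addr, asn, _ = info.get(name, (None, None, False))
        if addr is None:
            continue
        reachable += 1
        plen = 24 if ip_address(addr).version == 4 else 48
        prefixes.add(str(ip_network(f"{addr}/{plen}", strict=False)))
        asns.add(asn)
    return {
        "reachable": reachable,
        "distinct_prefixes": len(prefixes),
        "distinct_asns": len(asns),
    }


def audit(parent_ns, child_ns, info):
    """Combine the checks into a list of findings an operator can act on."""
    findings = []
    diff = delegation_inconsistencies(parent_ns, child_ns)
    for name in sorted(diff["parent_only"]):
        findings.append(f"INCONSISTENT: {name} delegated by parent but absent from child apex")
    for name in sorted(diff["child_only"]):
        findings.append(f"INCONSISTENT: {name} at child apex but not delegated by parent")
    for name in sorted(lame_servers(parent_ns | child_ns, info)):
        findings.append(f"LAME: {name} does not answer authoritatively")
    rep = diversity_report(child_ns, info)
    if rep["reachable"] < 2:
        findings.append("PROVISIONING: fewer than two reachable nameservers")
    if rep["distinct_prefixes"] < 2:
        findings.append("PROVISIONING: all nameservers share one routing prefix")
    if rep["distinct_asns"] < 2:
        findings.append("PROVISIONING: all nameservers share one origin AS")
    return findings


if __name__ == "__main__":
    for line in audit(PARENT_NS, CHILD_NS, NS_INFO):
        print(line)
```

On the constructed data the audit reports the stale third server on the parent side (a name that no longer resolves and so is both inconsistent and lame, which is the kind of leftover an operator should remove promptly), and flags that the two remaining servers share a single /24 and a single origin AS, so a routing or DDoS event affecting that one network takes the whole zone offline. The check is intentionally split into three functions so each can be run on its own against live query results.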
For this reason, we entitle our thesis Everything in Its Right Place: Improving DNS Resilience. Through this work, readers will understand that our choice of title reflects our aim to demonstrate that only a well-configured and provisioned DNS infrastructure, addressing all possible facets of DNS resilience and operating with Everything in Its Right Place, can withstand modern threats and continuously provide the fundamental service for the modern Internet and society.
To conclude this work, we leverage the accumulated knowledge from this thesis as well as insights from previous research efforts to provide a series of actionable best practices for network operators when configuring authoritative nameservers. With this final contribution, our aim is to enhance both the overall understanding of the effectiveness of resilience mechanisms for DNS and the overall health of the DNS ecosystem.