A Proxy View of Quality of Domain Name Service, Poisoning Attacks and Survival Strategies

Abstract

The Domain Name System (DNS) provides a critical service for the Internet -- mapping of user-friendly domain names to their respective IP addresses. Yet, there is no standard set of metrics quantifying the Quality of Domain Name Service (QoDNS), let alone a thorough evaluation of it. This article attempts to fill this gap from the perspective of a DNS proxy/cache, which is the bridge between clients and authoritative servers. We present an analytical model of DNS proxy operations that offers insights into the design trade-offs of DNS infrastructure and the selection of critical DNS parameters. Due to the critical role DNS proxies play in QoDNS, they are the focus of attacks including cache poisoning attack. We extend the analytical model to study DNS cache poisoning attacks and their impact on QoDNS metrics. This analytical study prompts us to present Domain Name Cross-Referencing (DoX), a peer-to-peer systems for DNS proxies to cooperatively defend cache poisoning attacks. Based on QoDNS, we compare DoX with the cryptography-based DNS Security Extension (DNSSEC) to understand their relative merits.