Improving DNS security: a measurement-based approach

Roland van Rijswijk-Deij

    Research output: Thesis › PhD Thesis - Research external, graduation UT

    Abstract

    The Domain Name System (DNS) is a vital part of the core infrastructure of the Internet. It maps human-readable names (such as www.example.com) to machine-readable information (such as 93.184.216.34). This thesis studies two aspects of the DNS. First, it studies problems in the DNS Security Extensions (DNSSEC). DNSSEC was developed to address security problems in the DNS. As we show in this thesis, however, while the deployment of DNSSEC does improve DNS security, it also introduces new problems. Two problems in particular stand out: unreachability problems due to IP fragmentation, and abuse of DNSSEC-signed domains in so-called amplification DDoS attacks. The thesis shows that the default cryptographic algorithm used in DNSSEC, RSA, is at the root of these problems. Based on real-world measurements, the thesis shows that alternative cryptographic algorithms based on Elliptic Curve Cryptography (ECC) are much better suited for DNSSEC and solve the two problems discussed above. The thesis also shows that ECC performance in terms of speed is sufficient for DNSSEC, something that was uncertain before.

    The second main contribution of this thesis is that it introduces a unique large-scale, long-term active measurement infrastructure for the DNS. This infrastructure currently measures 60% of all domains in the global DNS name space once every 24 hours. Using five case studies, this thesis illustrates how the data collected by this infrastructure (currently spanning more than two years) enables novel research into the security, stability and evolution of the Internet.

    Original language: English
    Awarding Institution
    • University of Twente
    Supervisors/Advisors
    • Pras, Aiko, Supervisor
    • Sperotto, Anna, Supervisor
    Award date: 28 Jun 2017
    Place of Publication: Enschede
    Print ISBNs: 978-90-365-4329-3
    Publication status: Published - 28 Jun 2017
