Improving DNS security: a measurement-based approach

Research output: Thesis › PhD Thesis - Research external, graduation UT



The Domain Name System (DNS) is a vital part of the core infrastructure of the Internet. It maps human-readable names to machine-readable information. This thesis studies two aspects of the DNS. First, it studies problems in the DNS Security Extensions (DNSSEC). DNSSEC was developed to address security problems in the DNS. As we show in this thesis, however, while the deployment of DNSSEC does improve DNS security, it also introduces new problems. Two problems in particular stand out: unreachability problems due to IP fragmentation and abuse of DNSSEC-signed domains in so-called amplification DDoS attacks. The thesis shows that the default cryptographic algorithm used in DNSSEC, RSA, is at the root of these problems. Based on real-world measurements, the thesis shows that alternative cryptographic algorithms based on Elliptic Curve Cryptography (ECC) are much better suited to DNSSEC and solve the two problems discussed above. The thesis also shows that ECC performance in terms of speed is sufficient for DNSSEC, something that was uncertain before.

The second main contribution of this thesis is that it introduces a unique large-scale long-term active measurement infrastructure for the DNS. This infrastructure currently measures 60% of all domains in the global DNS name space once every 24 hours. Using five case studies, this thesis illustrates how the data collected by this infrastructure (currently spanning more than two years) enables novel research into the security, stability and evolution of the Internet.
Original language: English
Qualification: Doctor of Philosophy
Awarding institution: University of Twente
Supervisors: Pras, A.; Sperotto, Anna
Award date: 28 Jun 2017
Place of publication: Enschede
Print ISBN: 978-90-365-4329-3
Publication status: Published - 28 Jun 2017
Externally published: Yes

