DNS Resolvers Considered Harmful

Title: DNS Resolvers Considered Harmful
Publication Type: Conference Paper
Year of Publication: 2014
Authors: Schomp, K., Allman M., & Rabinovich M.
Other Numbers: 3755

The Domain Name System (DNS) is a critical component of the Internet infrastructure that has many security vulnerabilities. In particular, shared DNS resolvers are a notorious security weak spot in the system. We propose an unorthodox approach for tackling vulnerabilities in shared DNS resolvers: removing shared DNS resolvers entirely and leaving recursive resolution to the clients. We show that the two primary costs of this approach—loss of performance and an increase in system load—are modest and therefore conclude that this approach is beneficial for strengthening the DNS by reducing the attack surface.


This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS 1237265 ("Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives") and CNS 0831535 ("Comprehensive Application Analysis and Control"). Additional funding was provided through National Science Foundation grant CNS 0831821 ("Relationship-Oriented Networking"). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.

Bibliographic Notes

Proceedings of the 13th ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets 2014), Los Angeles, California

Abbreviated Authors

K. Schomp, M. Allman, and M. Rabinovich

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings