DNS Resolvers Considered Harmful

The Domain Name System (DNS) is a critical component of the Internet infrastructure that has many security vulnerabilities. In particular, shared DNS resolvers are a notorious security weak spot in the system. We propose an unorthodox approach for tackling vulnerabilities in shared DNS resolvers: removing shared DNS resolvers entirely and leaving recursive resolution to the clients. We show that the two primary costs of this approach, loss of performance and an increase in system load, are modest, and therefore conclude that this approach is beneficial for strengthening the DNS by reducing the attack surface.
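To make concrete what "leaving recursive resolution to the clients" involves, and where the extra load comes from, the following added example (not code from the paper) implements a minimal client-side iterative resolver over a constructed, in-memory referral tree: a root server, a com TLD server and an example.com authoritative server. All zone names, hostnames and 192.0.2.x glue addresses are made up for the demonstration, and TTL expiry and DNSSEC validation are deliberately omitted. The `upstream_queries` helper compares the number of queries reaching authoritative servers when many clients share one cache versus when each client walks the tree itself.

```python
"""Client-side iterative resolution over a constructed referral tree.

Added example, not code from the paper it accompanies. Three in-memory
"servers" (root, the com TLD, and the example.com authoritative server)
stand in for the real hierarchy; all names, zones and 192.0.2.x glue
addresses below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Response:
    """What a server sends back: an answer, a referral, or neither (no data)."""
    answer: Optional[str] = None                 # A record for the queried name
    zone: Optional[str] = None                   # zone being delegated, on referral
    referral: Dict[str, str] = field(default_factory=dict)  # NS host -> glue IP


ROOT_IP = "192.0.2.1"  # constructed root hint
# Each server holds the records it is authoritative for plus the child zones
# it delegates (with glue). Names are lowercase without a trailing dot.
SERVERS = {
    "192.0.2.1": {  # root: delegates com
        "records": {},
        "delegations": {"com": {"a.gtld.test": "192.0.2.2"}},
    },
    "192.0.2.2": {  # com TLD: delegates example.com
        "records": {},
        "delegations": {"example.com": {"ns1.example.com": "192.0.2.3"}},
    },
    "192.0.2.3": {  # example.com authoritative
        "records": {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.11"},
        "delegations": {},
    },
}


def in_zone(qname: str, zone: str) -> bool:
    return qname == zone or qname.endswith("." + zone)


def serve(server: dict, qname: str) -> Response:
    """Authoritative-server logic: answer if the record is held here, otherwise
    refer to the longest matching delegation, otherwise return no data."""
    if qname in server["records"]:
        return Response(answer=server["records"][qname])
    matches = [z for z in server["delegations"] if in_zone(qname, z)]
    if not matches:
        return Response()
    zone = max(matches, key=len)
    return Response(zone=zone, referral=dict(server["delegations"][zone]))


class ClientResolver:
    """A client with no shared resolver upstream: it walks referrals itself
    from the root hint, caching delegations and answers so that later lookups
    start lower in the tree. TTL expiry and DNSSEC validation are left out."""

    def __init__(self, servers: dict, root_ip: str) -> None:
        self.servers = servers
        self.ns_cache: Dict[str, str] = {"": root_ip}    # zone -> server IP
        self.answers: Dict[str, Optional[str]] = {}       # qname -> cached answer
        self.queries = 0                                  # queries sent upstream

    def _closest_server(self, qname: str) -> str:
        """Deepest cached delegation covering qname (the root hint covers all)."""
        best = max((z for z in self.ns_cache if not z or in_zone(qname, z)), key=len)
        return self.ns_cache[best]

    def resolve(self, qname: str, max_hops: int = 8) -> Optional[str]:
        if qname in self.answers:
            return self.answers[qname]
        current = self._closest_server(qname)
        for _ in range(max_hops):
            self.queries += 1
            resp = serve(self.servers[current], qname)
            if resp.answer is not None or not resp.referral:
                self.answers[qname] = resp.answer      # negative answers cached too
                return resp.answer
            current = next(iter(resp.referral.values()))  # first glue we were given
            self.ns_cache[resp.zone] = current
        raise RuntimeError("referral chain too long for %s" % qname)


def upstream_queries(n_clients: int, names: List[str], shared: bool) -> int:
    """Total queries reaching authoritative servers when n_clients each look up
    `names`, either through one shared cache or with a resolver per client."""
    pool = [ClientResolver(SERVERS, ROOT_IP) for _ in range(1 if shared else n_clients)]
    for i in range(n_clients):
        resolver = pool[0] if shared else pool[i]
        for name in names:
            resolver.resolve(name)
    return sum(r.queries for r in pool)


if __name__ == "__main__":
    client = ClientResolver(SERVERS, ROOT_IP)
    print(client.resolve("www.example.com"), client.queries)   # root, TLD, auth
    print(client.resolve("mail.example.com"), client.queries)  # straight to auth
    print(client.resolve("www.other.com"), client.queries)     # TLD says no data
    names = ["www.example.com", "mail.example.com"]
    print(upstream_queries(10, names, shared=True), upstream_queries(10, names, shared=False))
```

The first lookup costs three queries (root, TLD, authoritative); the second name under the same zone costs one, because the delegation for example.com is already cached. With ten clients and a shared cache the authoritative servers see four queries in total; with per-client resolution they see forty, which is the load increase the abstract refers to, bounded by the number of distinct clients rather than the number of lookups.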


