The use of distributed computing to address performance and reliability problems in the Domain Name System (DNS) (4) has recently received much research attention, and has spawned two widely-deployed distributed systems, CoDNS (5) and CoDoNS (7). Both of these systems provide clients with improved reliability when performing DNS lookups by distributing the queries across nodes in the system. These systems fetch name-to-IP translations from the existing legacy DNS infrastructure as needed to provide an upgrade path for users.
These systems can be less secure than traditional local DNS resolvers when interacting with vulnerable legacy DNS infrastructure. If any node performs a DNS resolution and receives an incorrect answer, that answer can be propagated to other nodes, especially if the incorrect answer is returned quickly. The incorrect answer can occur because of a failure or compromise at a local DNS resolver, UDP packet spoofing when the node tries to communicate with an external DNS server, local site filtering policies, etc. CoDNS was designed to mitigate the impact of poisoned DNS responses by disallowing multi-hop request brokering, and by intentionally performing no caching. However, it was assumed that the security of such systems could never beat that of a local resolver, since content distribution networks (CDNs) and load balancers will return different DNS lookup results at different locations, making it difficult to compare lookup results.
Worse security is not an inherent cost of cooperative DNS systems, nor a fundamental tradeoff required to support legacy DNS while achieving better reliability. We show that the scale of cooperative DNS systems can provide better security than legacy DNS resolvers for the vast majority of lookups. Where scale cannot be used, observing the history of DNS lookups can provide some assurance that DNS replies have not been modified. Between these two options, fewer than 1% of unique DNS lookups need to trade security for reliability or performance.
Using CoDNS traffic, we gather information on DNS usage, and perform a month-long study of name lookup behavior using multiple vantage points. We observe how DNS is used by various content providers, how name-to-IP mappings change over time, and how some sites' DNS resolvers can poison global DNS caches. Using the stability over time of name-to-IP mappings and/or the agreement of name lookup results at multiple DNS resolvers, we devise a range of security policies for our new DNS lookup system, ConfiDNS. For each policy, we show its performance and what fraction of names it can satisfy. In its weakest configuration, ConfiDNS provides better security than local DNS resolvers alone for 99.8% of unique lookups, and 92% can meet significantly stronger requirements. Lookup times are comparable to CoDNS, and are much better than local DNS resolvers.
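The two policy ingredients just described, agreement of lookup results across multiple resolvers and stability of a name-to-IP mapping over time, are shown below as an added worked example in Python. It is not code from the ConfiDNS or CoDNS projects: the thresholds (`min_agree`, `min_days`), the resolver names, the `Answer` structure and the sample lookups (using documentation address ranges) are all constructed assumptions, and the paper's own policy parameters are not reproduced here. The example also shows the case the policies are designed around: a CDN name where resolvers legitimately disagree but the local answer is stable, a name where the local resolver is overruled by a remote quorum, and a rotating name that neither policy can verify and which would fall into the residual fraction that trades security for performance.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """One A-record answer for a name, as seen from one resolver / vantage point."""
    resolver: str
    ips: frozenset


def agreement_policy(answers, min_agree):
    """Agreement policy (assumed threshold): accept the IP set that at least
    `min_agree` distinct resolvers returned identically. Returns (ips, accepted)."""
    if not answers:
        return None, False
    counts = Counter(a.ips for a in answers)
    ips, votes = counts.most_common(1)[0]
    return ips, votes >= min_agree


def stability_policy(ips, history, min_days):
    """Stability policy (assumed window): accept `ips` if the local resolver returned
    exactly the same set on each of the last `min_days` days (history is oldest-first)."""
    if len(history) < min_days:
        return False
    return all(past == ips for past in history[-min_days:])


def confidns_decide(answers, history, min_agree=2, min_days=3):
    """Combined policy: try cross-resolver agreement first; if there is no quorum
    (typical for CDNs and load balancers), fall back to the local resolver's answer
    only when it matches recent history; otherwise report the name as unverified."""
    ips, ok = agreement_policy(answers, min_agree)
    if ok:
        return ips, "agreement"
    local = next((a for a in answers if a.resolver == "local"), None)
    if local is not None and stability_policy(local.ips, history, min_days):
        return local.ips, "stability"
    return None, "unverified"


def local_overruled(answers, decided_ips):
    """True when the local resolver's answer differs from the accepted consensus: the
    signal a defender would log as a possibly poisoned, failed or filtered local resolver."""
    local = next((a for a in answers if a.resolver == "local"), None)
    return local is not None and decided_ips is not None and local.ips != decided_ips


def ans(resolver, *ips):
    return Answer(resolver, frozenset(ips))


# Constructed sample data: (answers from four resolvers today, local answers on past days).
SAMPLES = {
    # every resolver agrees: the agreement policy is satisfied
    "static.example.test": (
        [ans("local", "192.0.2.10"), ans("r1", "192.0.2.10"),
         ans("r2", "192.0.2.10"), ans("r3", "192.0.2.10")],
        [frozenset({"192.0.2.10"})] * 5,
    ),
    # CDN: each location gets a different answer, but the local answer has been stable
    "cdn.example.test": (
        [ans("local", "198.51.100.7"), ans("r1", "198.51.100.20"),
         ans("r2", "198.51.100.31"), ans("r3", "198.51.100.42")],
        [frozenset({"198.51.100.7"})] * 7,
    ),
    # local resolver returns a bogus answer; three remote resolvers agree on another
    "poisoned.example.test": (
        [ans("local", "203.0.113.66"), ans("r1", "192.0.2.20"),
         ans("r2", "192.0.2.20"), ans("r3", "192.0.2.20")],
        [frozenset({"192.0.2.20"})] * 7,
    ),
    # round-robin load balancer: no quorum, and the local history changes daily
    "rotating.example.test": (
        [ans("local", "192.0.2.101"), ans("r1", "192.0.2.102"),
         ans("r2", "192.0.2.103"), ans("r3", "192.0.2.104")],
        [frozenset({"192.0.2.105"}), frozenset({"192.0.2.106"}), frozenset({"192.0.2.101"})],
    ),
}


def run_samples(min_agree=2, min_days=3):
    """Apply the combined policy to every sample; returns name -> (ips, policy, overruled)."""
    results = {}
    for name, (answers, history) in SAMPLES.items():
        ips, policy = confidns_decide(answers, history, min_agree, min_days)
        results[name] = (ips, policy, local_overruled(answers, ips))
    return results


if __name__ == "__main__":
    for name, (ips, policy, overruled) in run_samples().items():
        note = "  local resolver disagreed with consensus" if overruled else ""
        print(f"{name:24} {policy:10} {sorted(ips) if ips else '-'}{note}")
```

The `unverified` outcome is deliberately left to the caller: a deployment can either serve the local answer anyway (the reliability/performance side of the tradeoff) or refuse, but in either case the disagreement is worth logging, since a local resolver that is repeatedly overruled by a remote quorum is exactly the kind of poisoning source the paper's measurements describe.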
ConfiDNS is incrementally deployable, using the same approaches as CoDNS, and requires no change to the existing global DNS infrastructure to reap its benefits. It can be installed as a simple proxy on the client or on the local resolver, requiring no changes to applications.