ConfiDNS is designed to protect against attacks or failures at the client-side DNS infrastructure, including cache poisoning as well as the compromise, spoofing, or non-failstop failure of the local DNS infrastructure (3). Since client-side DNS infrastructure is also used in cooperative DNS lookup services, protecting the client-side infrastructure also reduces avenues for polluting the global lookups in cooperative DNS systems. We have seen several client-side resolver behaviors that could pollute a cooperative DNS service. In one scenario, we saw a site administrator pollute CoDNS by configuring a resolver to reply instantly to all requests with the IP address of a local webserver that served a page saying that the resolver was being replaced. Unfortunately, if the browser expected an image and received this error message, the web page displayed broken image icons, causing problems. We also measured three other instances of pollution, which are further described in Section 3.1. In all of these cases, the results were returned quickly, so any peer using the resolvers at these sites could find its own lookups poisoned in the process.
We ignore server-side attacks for several reasons, including self-interest - as the developers of a CDN and a name lookup service that is used by the CDN, our most pressing concern is ensuring the CDN does not weaken security. Another practical issue is that protecting against takeover of the server-side infrastructure requires modifying the global DNS infrastructure (2), and is beyond our control. We also believe that server-side takeovers are easier to detect than client-side problems - if an attacker compromises a bank's DNS servers and redirects all traffic to a spoofed Web site, the bank's Web site will see a sharp and easily-detectable drop in activity. However, an attacker who wants to draw less attention could compromise an ISP's resolver, and redirect only lookups for one bank - the resulting drop in traffic may go unnoticed. By using a client-side solution that requires agreement from multiple client sites, this kind of attack would be ineffective unless conducted at scale. However, by attacking at scale, it is also more likely to be caught.