Tutorial on DNS Security

Haya Shulman, Fachbereich Informatik, TU Darmstadt

Most caching DNS resolvers rely, for their security against poisoning, on challenge-response defenses: the resolver validates that a DNS response contains some ‘unpredictable’ values copied from the request. These values include the 16-bit identifier, the source port, and other fields, which are randomised and validated by different ‘patches’ to DNS. We investigate the proposed and widely deployed patches, and show how off-path attackers can often circumvent all of them, exposing the resolvers to cache poisoning attacks.
We discuss DNSSEC, which provides the best defense for DNS, as well as some short-term countermeasures.
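The challenge-response check described above, as an added illustration that is not part of the tutorial or of any particular resolver's code: the resolver keeps a table of outstanding queries keyed by the randomised fields it chose (source port and transaction ID) plus the question, accepts a response only if every field matches, and the last function estimates how much a blind off-path guesser gains when those fields carry little entropy. The pending-query table layout, function names and sample messages are assumptions made for this example.

```python
import struct

# Constructed model of a resolver's challenge-response validation: a reply
# is accepted only if it arrives on the port the query used and its
# transaction ID and question section match a still-outstanding query.

def parse_question(pkt):
    """Return (txid, qname, qtype) from a DNS message with one question."""
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12          # question section starts after the 12-byte header
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype

def accept_response(pending, src_ip, dst_port, pkt):
    """pending maps (server_ip, local_port, txid, qname, qtype) -> True for
    queries awaiting a reply. Accept and retire a matching entry, else reject.
    The name is compared byte-for-byte, so a case-randomised question
    (hypothetical extra field) must also be echoed exactly."""
    txid, qname, qtype = parse_question(pkt)
    key = (src_ip, dst_port, txid, qname, qtype)
    if key not in pending:
        return False               # unsolicited or mismatched: drop it
    del pending[key]               # first matching reply wins; later ones are ignored
    return True

def guess_success_probability(entropy_bits, spoofed_responses):
    """Chance that at least one of N blind spoofed replies matches all of the
    randomised fields, given their combined entropy in bits."""
    p = 2.0 ** -entropy_bits
    return 1.0 - (1.0 - p) ** spoofed_responses

def build_message(txid, qname, qtype=1):
    """Build a minimal one-question DNS message (constructed test data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)
```

With only the 16-bit identifier randomised, 65536 spoofed replies already give roughly a 63% chance of a match; adding a random source port raises the entropy to around 32 bits and pushes that figure below one in a thousand.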

Haya Shulman is a PhD candidate at the Department of Computer Science, Bar Ilan University, Israel. Her Ph.D. was carried out under the supervision of Prof. Dr. Amir Herzberg and is on network security. In 2009 Haya completed her M.Sc. studies, also in the Dept. of Computer Science, with a thesis on Secure Execution of Software in Remote, Hostile Environment.

Her research interests are network security and protocols, mainly DNS and routing, focusing on attacks on performance and correctness. Prior to her graduate studies Haya worked as a software developer at Aladdin Knowledge Systems. In 2011 she received a Checkpoint CPIIS award, and in 2013 she received a Feder prize for her research in communication technologies.