
Improving DNS Resilience against Denial of Service Attacks

Abstract

The Domain Name System (DNS) is a critical Internet infrastructure that provides name-to-address mapping services. In recent years, distributed denial of service (DDoS) attacks have targeted DNS infrastructure and threaten to disrupt this critical service. In this article we show that the existing DNS can gain significant resilience against DDoS attacks through a simple modification to current DNS operations: setting longer time-to-live (TTL) values for a special class of DNS resource records, the infrastructure records. These records are used to navigate the DNS hierarchy and rarely change. Furthermore, when combined with a set of simple, incrementally deployable record renewal policies, DNS service availability can be improved by an order of magnitude. Our approach requires no additional physical resources or any changes to the existing DNS design. We evaluate the effectiveness of the proposed improvement using DNS traces collected from multiple locations.

Keywords: DDoS, DNS, resilience, caching

1 Introduction

The Domain Name System (DNS) [16] provides naming services for the Internet. It maps hostnames to IP addresses and also provides services for a growing number of other applications, such as mapping IP addresses to geographic locations or directory services for legacy telephony applications. Additionally, protocols such as SMTP and SIP depend on DNS to route messages through the appropriate application-layer gateway. As a result, DNS availability can affect the availability of a large number of Internet applications. Ensuring the availability of DNS data is an essential part of the proof...

... half of the article ...

...weil, D. Massey, and L. Zhang. Improved DNS service availability using long TTL values. Internet-Draft, 2006.
[19] K. Park, V. Pai, L. Peterson, and Z. Wang. CoDNS: Improving DNS performance and reliability through cooperative lookups. In Proceedings of OSDI, 2004.
[20] V. Ramasubramanian and E. Sirer. The design and implementation of a next-generation naming service for the Internet. In Proceedings of SIGCOMM, pages 331–342, 2004.
[21] H. Yang, H. Luo, Y. Yang, S. Lu, and L. Zhang. ORE: Achieving DoS resilience in an open service hierarchy. In Proceedings of DSN, pages 83–93, 2004.

37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07), 0-7695-2855-4/07 $20.00 © 2007
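The abstract's argument (a long TTL keeps an infrastructure record in resolver caches while the authoritative server is unreachable, and the renewal policy decides what a resolver does as that record ages) can be made concrete with a small simulation. The Python below is an added example, not code or data from the paper: it models one caching resolver, an authority that is unreachable for a constructed two-hour window standing in for a DDoS, and three renewal policies whose names ('expire', 'proactive', 'stale-ok') are this example's own labels rather than the paper's terminology. The name ns1.example, the address 192.0.2.53 and all timing parameters are constructed.

```python
"""Toy resolver-cache simulation: how the TTL of an infrastructure record and
the cache renewal policy change answer availability while the authoritative
server is unreachable.  Added illustration; not the paper's code or data."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Authority = Callable[[int, str], Optional[str]]  # (time, name) -> answer or None


@dataclass
class CachedRecord:
    value: str       # e.g. the address behind a zone's NS/glue record
    fetched_at: int  # seconds; when the record was last obtained from the authority
    ttl: int         # seconds; TTL assigned by the authority

    def expires_at(self) -> int:
        return self.fetched_at + self.ttl


class Resolver:
    """Caching resolver with a pluggable renewal policy (labels are this
    example's own, not terminology from the paper):
      'expire'    - standard behaviour: the record is unusable once its TTL is up
      'proactive' - try to re-fetch once refresh_fraction of the TTL has elapsed;
                    keep using the current copy if that fails, until expiry
      'stale-ok'  - 'proactive', plus keep answering from the expired copy while
                    the authority still cannot be reached
    """

    def __init__(self, authority: Authority, policy: str, refresh_fraction: float = 0.5):
        self.authority = authority
        self.policy = policy
        self.refresh_fraction = refresh_fraction
        self.cache: Dict[str, CachedRecord] = {}

    def _fetch(self, now: int, name: str, ttl: int) -> bool:
        value = self.authority(now, name)
        if value is None:  # authority unreachable (e.g. under DDoS)
            return False
        self.cache[name] = CachedRecord(value, now, ttl)
        return True

    def resolve(self, now: int, name: str, ttl: int) -> Optional[str]:
        rec = self.cache.get(name)
        if rec is None:  # cold cache: the answer must come from the authority
            return self.cache[name].value if self._fetch(now, name, ttl) else None
        early = now - rec.fetched_at >= rec.ttl * self.refresh_fraction
        if self.policy in ("proactive", "stale-ok") and early:
            if self._fetch(now, name, ttl):  # early renewal; a failure is tolerated
                rec = self.cache[name]
        if now < rec.expires_at():
            return rec.value
        if self._fetch(now, name, ttl):  # expired: standard refresh
            return self.cache[name].value
        return rec.value if self.policy == "stale-ok" else None


def make_authority(attack_start: int, attack_end: int) -> Authority:
    """Authority that answers normally except during [attack_start, attack_end),
    a constructed outage window standing in for a DDoS on the server."""
    def authority(now: int, name: str) -> Optional[str]:
        if attack_start <= now < attack_end:
            return None
        return "192.0.2.53"  # constructed answer (documentation address)
    return authority


def availability(ttl: int, policy: str, duration: int = 6 * 3600,
                 attack: Tuple[int, int] = (4000, 11200), step: int = 10) -> Tuple[int, int]:
    """Query the constructed name ns1.example every `step` seconds for `duration`
    seconds; return (answered, total) under the given TTL and renewal policy."""
    resolver = Resolver(make_authority(*attack), policy)
    answered = total = 0
    for now in range(0, duration, step):
        total += 1
        if resolver.resolve(now, "ns1.example", ttl) is not None:
            answered += 1
    return answered, total


if __name__ == "__main__":
    for ttl, policy in ((300, "expire"), (7200, "expire"), (7200, "proactive"), (7200, "stale-ok")):
        ok, n = availability(ttl, policy)
        print(f"TTL={ttl:5d}s policy={policy:9s} answered {ok}/{n} ({100 * ok / n:.1f}%)")
```

Running it prints the share of queries answered for each (TTL, policy) pair. With the constructed window, a 300-second TTL loses every query for the whole outage, a two-hour TTL loses only the tail of the outage after the cached record expires, early renewal narrows that tail further, and serving the stale copy removes it. Two simplifications to keep in mind: the simulated resolver retries the authority on every query during the outage, where a production resolver would back off, and answering from expired data trades freshness for availability, a trade-off the later RFC 8767 (serve-stale) standardises with explicit limits on how long stale data may be served.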