Resiliency Trade-Offs of DNSSEC Configurations to DDoS Attacks
摘要
First this paper measures and analyzes various trade-offs between different DNSSEC configurations, such as, NSEC, NSEC3, aggressive caching, and online vs. offline signing. These measurements expose a trade-off between (1) aggressive caching DNSSEC configuration that provides excellent performance (higher robustness to DDoS attacks) but is vulnerable to zone enumeration attacks in addition to offline signing disadvantages, and (2) online signing DNSSEC configuration, that prevent zone enumeration but is more susceptible to DDoS attacks due to lower maximum throughput. Second, following these, we suggest and evaluate an alternative, Adaptive DNS over QUIC, (AdaDoQ), an adaptive, efficient and secure communication layer between a DNS resolver and the authoritative servers, that offers a better trade-off between DDoS resiliency and security. Under normal load conditions the resolver communicates with each authoritative server with standard DNSSEC however, when the traffic load increases, AdaDoQ switches to a QUIC connection with heavily communicating authoritative server(s), for as long as the traffic load is high. The public key of the authoritative ZSK (which is verifiable through the DNSSEC chain of trust) is integrated into the symmetric key creation in QUIC to provide a DNSSEC level of authenticity and security. AdaDoQ ensures DNS authenticity, good throughput, and disables zone walking attacks, DNS hijacking, and cache poisoning.