Protecting the DNS from Routing Attacks: Two Alternative Anycast Implementations
September/October 2009 (vol. 7 no. 5)
pp. 14-20
Ioannis Avramopoulos, Deutsche Telekom Laboratories
Martin Suchara, Princeton University
The Domain Name System is a critical piece of the Internet and supports most Internet applications. Because it's organized in a hierarchy, its correct operation depends on the availability of just a few servers at the hierarchy's upper levels. These backbone servers are vulnerable to routing attacks in which adversaries controlling part of the routing system try to hijack the server address space. Using routing attacks in this way, an adversary can compromise the Internet's availability and integrity at a global scale. In this article, the authors evaluate the relative resilience to routing attacks of two alternative anycast DNS implementations. The first operates at the network layer and the second at the application layer. The evaluation informs fundamental DNS design decisions and an important debate on the routing architecture of the Internet.

Index Terms:
Domain Name System, DNS, anycast, secure routing
Citation:
Ioannis Avramopoulos, Martin Suchara, "Protecting the DNS from Routing Attacks: Two Alternative Anycast Implementations," IEEE Security & Privacy, vol. 7, no. 5, pp. 14-20, Sept.-Oct. 2009, doi:10.1109/MSP.2009.131