We describe a novel, practical and simple technique to make DNS queries more resistant to poisoning attacks: mix the upper and lower case spelling of the domain name in the query. Fortuitously, almost all DNS authority servers preserve the mixed case encoding of the query in answer messages. Attackers hoping to poison a DNS cache must therefore guess the…
DNS is many things to many people - perhaps too many things to too many people.
Adversary-resistant communication bootstrapping is a fundamental problem faced by many circumvention (anti-censorship) systems such as Tor. Censoring regimes actively harvest and block published Tor entry points and bridge nodes. More recently, some countries have resorted to reactive (follow-up) probing of the destination hosts of outbound encrypted…
The edge of the Internet is an unruly place.
DNS (domain name system) is a distributed, coherent, reliable, autonomous, hierarchical database, the first and only one of its kind. Created in the 1980s when the Internet was still young but overrunning its original system for translating host names into IP addresses, DNS is one of the foundation technologies that made the worldwide Internet (and the…
Suboptimal performance of the ISC BIND9 DNS server with multiple threads is a well known problem. This paper explores practical approaches addressing this longstanding issue. First, intensive profiling identifies major bottlenecks occurring due to overheads for thread synchronization. These bottlenecks are then eliminated by giving separate work areas with…
The DNSSECbis data model has key introduction follow the delegation chain, thus requiring a zone’s parent to become secure before a zone itself can be secured. Ultimately this leads to non-deployability since the root zone will probably not be secured any time soon. We describe an early deployment aid for DNSSECbis whereby key introduction can be done via…
There has never been a greater need for comprehensive Internet metrics than now. Even basic security-critical facts about the Internet, such as "How many systems are botted?" or "What networks still don't do Source Address Validation?" remain murky and poorly quantified. Likewise, traffic characterization and summary inter-AS flow data typically remain…
Authority zones in the Domain Name System must be declared to have one or more authoritative name servers, usually consisting of one primary name server and several secondary name servers. These name servers are expected to synchronize zone data using DNS’s zone transfer protocols, but the configuration of these synchronization relationships depends upon…