The DNS Bake Sale: Advertising DNS Cookie Support For DDoS Protection

March 18, 2021

Friday, March 26th at 11am

Advisor: Casey Deccio

MS thesis defense for Jacob Davis

The Domain Name System (DNS) has been frequently abused for Distributed Denial of Service (DDoS) attacks and cache poisoning because it relies on the User Datagram Protocol (UDP). Since UDP is connection-less, it is trivial for an attacker to spoof the source of a DNS query or response. DNS Cookies, a protocol standardized in 2016, add pseudo-random values to DNS packets to provide identity management and prevent spoofing attacks. This work finds that 30% of popular authoritative servers and open recursive resolvers fully support cookies and that 10% of recursive clients send cookies. Despite this, DNS cookie use is rarely enforced as it is non-trivial to ascertain whether a given client intends to fully support cookies. We also show that 80% of clients and 99% of servers do not change their behavior when encountering a missing or illegitimate cookie. This paper presents a new protocol to allow cookie enforcement: DNS Protocol Advertisement Records (DPAR). Advertisement records allow DNS clients intending to use cookies to post a public record in the reverse DNS zone stating their intent. DNS servers may then lookup this record and require a client to use cookies as directed, in turn preventing an attacker from sending spoofed messages without a cookie. In this paper, we define the specification for DNS Protocol Advertisement Records, considerations that were made, and comparisons to alternative approaches. We additionally estimate the effectiveness of advertisements in preventing DDoS attacks and the expected burden to DNS servers. Advertisement records are designed as the next step to strengthen the existing support of DNS Cookies by enabling strict enforcement of client cookies.