Mark Allman / ICSI @mallman_icsi

Kyle Schomp, Mark Allman, Michael Rabinovich. DNS Resolvers Considered Harmful, ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets), October 2014.
PDF | Kyle's Slides


The Domain Name System (DNS) is a critical component of the Internet infrastructure that has many security vulnerabilities. In particular, shared DNS resolvers are a notorious security weak spot in the system. We propose an unorthodox approach for tackling vulnerabilities in shared DNS resolvers: removing shared DNS resolvers entirely and leaving recursive resolution to the clients. We show that the two primary costs of this approach---loss of performance and an increase in system load---are modest and therefore conclude that this approach is beneficial for strengthening the DNS by reducing the attack surface.


    author    =        "Kyle Schomp and Mark Allman and Michael Rabinovich",
    title     =        "{DNS Resolvers Considered Harmful}",
    booktitle =        "ACM SIGCOMM HotNets",
    year      =        2014,
    month     =        oct,

Scribe notes from HotNets talk are here.

Devon Warshaw and Jake McKinnon reappraised our study as part of Stanford's CS 244 course. Their report is available here.
"We are what we repeatedly do. Excellence, then, is not an act, but a habit." --Aristotle