Adaptive DNSSEC Performance Optimization


DNSSEC significantly impacts DNS performance, particularly under attack scenarios like NXDomain and DDoS amplification. Learn how adaptive DNSSEC strategies can address these challenges and improve overall system efficiency.

  • adaptive DNSSEC
  • performance optimization
  • security
  • networking

Uploaded on Mar 03, 2025



Presentation Transcript


  1. Adaptive DNSSEC
     Anat Bremler-Barr, Reichman University
     Daniel Dubnikov, Tel-Aviv University
     Yehuda Afek, Tel-Aviv University
     Supported By:

  2. Motivation (1): DNSSEC significantly degrades DNS performance

       Configuration      Max Queries Per Second
       Plain DNS                      23,524
       DNSSEC: NSEC                    9,510
       DNSSEC: NSEC3                   8,989

  3. NXDomain Attack: a flood of DNS requests for random, non-existent names. Each random name misses the resolver cache and reaches the authoritative server (ns.sony.com). Query names from the diagram:
       Rxy1xhggsgVCER.sony.com
       XVBY$&HGDRxy2.sony.com
       FJH*^DHGAKRxy3.sony.com
       RxUYQVMNLKAy4.sony.com
       RzHW$RE43CBJs$7.sony.com
     [diagram: attacker -> resolvers (www.cs.cs.tau.ac.il) -> .com -> ns.sony.com]

  4. Motivation (1): DNSSEC significantly degrades DNS performance -> DDoS amplification

       Configuration      Max Queries Per Second
       Plain DNS                      23,524
       DNSSEC: NSEC                    9,510
       DNSSEC: NSEC3                   8,989

     * All measurements are under an NX queries flood attack
     [diagram: Attacker -> Resolver -> NS]

  5-7. Motivation (1): Non-existent names in DNSSEC?
       NSEC record: ABC.NAME.COM - LMN.NAME.COM
       Everything in between does not exist!

  8-11. Motivation (2): Aggressive Caching (RFC 8198) stops the NX attack

       Configuration      Max Queries Per Second    With Aggressive Caching
       Plain DNS                      23,524
       DNSSEC: NSEC                    9,510                      96,226
       DNSSEC: NSEC3                   8,989                      93,756 (only Knot)

       BUT: enables Zone Walking (ABC.NAME.COM - LMN.NAME.COM)
       Scalability issues: need to quickly find the NSEC record

  12-16. Motivation (2): How to stop Zone Walking?
       You can't (without online signing*, Goldberg et al.)
       Black Lies, White Lies, NSEC5
       Must sign the record on the fly: NX.NAME.COM - NX.NAME.COM

       * Goldberg et al., "NSEC5: Provably Preventing DNSSEC Zone Enumeration"
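The three mechanisms the slides have introduced so far can be shown in a few dozen lines: the NSEC gap that "proves everything in between does not exist" (slides 5-7), the resolver-side aggressive cache of RFC 8198 that answers NX floods locally (slides 8-11), and the RFC 4470 "white lie" NSEC that covers only the queried name so the denial can be validated without exposing neighbours (slides 13-16). The code below is an added example written for this transcript, not code from the authors or from Knot; all names, records and TTLs are constructed, and the closest-encloser logic deliberately ignores empty non-terminals and delegations.

```python
"""Added example (not from the slides): DNSSEC canonical ordering, NSEC covering
checks, RFC 8198 aggressive negative caching and RFC 4470 "white lies".
Every name, record and TTL here is constructed for the demonstration."""


def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 section 6.1): labels
    compared right to left, case-insensitively, as unsigned octets; a name that
    is a prefix of another in that order sorts first. Plain dotted names only;
    presentation-format escapes (\\DDD) are not parsed."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("latin-1").lower() for label in reversed(labels))


def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly inside the gap (owner, next_name) that an NSEC
    record proves empty. The zone's last NSEC points back to the apex, so its
    gap wraps around: everything after owner and everything before the apex."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def closest_encloser(qname, owner, next_name):
    """Longest ancestor qname shares with either NSEC endpoint. Both endpoints
    exist, so every ancestor of theirs exists; the longer common suffix is the
    closest encloser (RFC 4592). Empty non-terminals and delegations, which a
    production validator must also handle, are out of scope here."""
    q, best = canonical_key(qname), ()
    for endpoint in (owner, next_name):
        e = canonical_key(endpoint)
        i = 0
        while i < min(len(q), len(e)) and q[i] == e[i]:
            i += 1
        best = max(best, q[:i], key=len)
    return ".".join(label.decode("latin-1") for label in reversed(best)) + "."


class AggressiveCache:
    """Resolver-side cache of validated NSEC records (RFC 8198). A name covered
    by a cached NSEC, whose wildcard is also proven absent, gets NXDOMAIN from
    the cache instead of a round trip to the authoritative server, which is what
    defeats random-subdomain (NX) floods."""

    def __init__(self):
        self.records = []  # (owner, next_name, expires_at); assumed DNSSEC-validated

    def add(self, owner, next_name, ttl, now=0):
        self.records.append((owner, next_name, now + ttl))

    def covering(self, qname, now):
        for owner, next_name, expires_at in self.records:
            if expires_at > now and nsec_covers(owner, next_name, qname):
                return owner, next_name
        return None

    def lookup(self, qname, now=0):
        """"NXDOMAIN" when the cache can prove non-existence, else None, meaning
        the resolver must forward the query upstream as usual."""
        hit = self.covering(qname, now)
        if hit is None:
            return None
        wildcard = "*." + closest_encloser(qname, *hit).lstrip(".")
        if self.covering(wildcard, now) is None:
            return None  # a wildcard could still synthesize an answer
        return "NXDOMAIN"


def minimal_covering_nsec(qname):
    """RFC 4470 "white lie": an NSEC signed on the fly whose gap contains only
    qname, so validators accept the denial but zone walkers learn no real name.
    Predecessor: decrement the last octet of the leftmost label and pad it with
    0xFF to 63 octets. Successor: prepend the smallest label, \\000."""
    labels = qname.rstrip(".").split(".")
    first = labels[0].encode("latin-1").lower()
    first = first[:-1] + bytes([first[-1] - 1]) if first[-1] > 0 else first[:-1]
    first += b"\xff" * (63 - len(first))
    predecessor = ".".join([first.decode("latin-1")] + labels[1:]) + "."
    return predecessor, "\x00." + qname


if __name__ == "__main__":
    cache = AggressiveCache()
    cache.add("NAME.COM.", "ABC.NAME.COM.", ttl=3600)   # apex NSEC, proves no wildcard
    cache.add("ABC.NAME.COM.", "LMN.NAME.COM.", ttl=3600)
    print(cache.lookup("def.name.com."))   # NXDOMAIN, served from cache
    print(cache.lookup("zzz.name.com."))   # None: nothing cached covers it
    print(minimal_covering_nsec("nx.name.com."))
```

Two things worth noticing. The cache refuses to synthesize NXDOMAIN until it also holds an NSEC covering `*.<closest encloser>`, which is the step RFC 8198 requires and the reason the apex NSEC is cached in the demo. And the white-lie record covers exactly one name: the neighbours `nw.name.com` and `ny.name.com` fall outside its gap, so a walker gets no hint of where the next real name is, at the cost of an online signature per denial, which is the throughput loss the next slides measure.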

  17-18. Motivation (3): Online Signing Algorithms - NX attacks amplified
       For security and scalability reasons online signing might be the only option

       Configuration          Max Queries Per Second   % of Plain DNS
       Plain DNS                          23,524            100%
       DNSSEC: NSEC                        9,510             40%
       DNSSEC: NSEC3                       8,989             38%
       DNSSEC: White Lies                  5,863             25%
       DNSSEC: Black Lies                  7,206             30%
       DNSSEC: NSEC5                       6,324             27%

  19. DNSSEC increases packet size, increases response count and adds CPU load -> DoS amplification
      NSEC/NSEC3 -> Aggressive Caching -> Zone Walking
      Scalability (for CDNs), Disposable Domains -> White/Black Lies + NSEC5

  20-21. Proposed Solution: remove all DNSSEC overheads (packet size + count, CPU load)
       Use TLS: the authoritative server identifies itself once; traffic is then sent as plain DNS

  22. Proposed Solution - Hybrid
      High traffic: DNS over secure TLS
      Low traffic: DNSSEC over UDP
      [diagram: Authoritative Nameserver <-> Resolver]

  23. Proposed Solution - PoC (1)
      Problem 1: can't easily integrate with known resolver/authoritative implementations (BIND, Unbound, Knot, etc.)
      Solution: a proxy interface between resolver and authoritative servers
      [diagram: Resolver Machine <-> Authoritative Machine]

  24-25. Proposed Solution - PoC (2)
       Problem 2: TLS overheads are high; TLS suffers from head-of-line blocking
       Solution: use QUIC (similar to HTTP/3)
         UDP multiplexing (virtual connections)
         0-RTT: resume the connection with zero round trips
         No need for TCP integration (firewalls/IPS)

  26-27. Proposed Solution - PoC (3)
       Problem 3: teardown and restart of QUIC connections
       Solution: keep connections alive; QUIC has low-overhead long-lived connections and can resume quickly

  28-29. Proposed Solution - PoC (4)
       Problem 4: resource limit
       Solution: score connection throughput with ??= ? ?? 1+ 1 ? ?? [formula not legible in the transcript]; terminate the lowest-scored connection (LRU)
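The hybrid policy of slides 20-29 is a per-peer decision: a resolver keeps talking DNSSEC over UDP to authoritative servers it rarely queries, promotes a busy peer to a long-lived authenticated channel (DoQ in the PoC) that then carries plain DNS, and, because the channel table is a finite resource, evicts a connection when the table is full. The selector below is an added illustration written for this transcript, not the authors' AdaDoQ proxy; the promotion threshold is an assumed knob, and since the throughput score on slide 29 is not legible here, eviction falls back to plain least-recently-used ordering, which the slide names as the tie-break.

```python
from collections import OrderedDict


class HybridTransportSelector:
    """Illustrative (not AdaDoQ's) per-authoritative transport policy.

    Peers below `threshold` queries stay on DNSSEC over UDP, where the
    signatures still protect every answer. Peers at or above it are moved to
    an authenticated, long-lived channel carrying plain DNS, bounded to
    `max_connections`; when the table is full the least recently used channel
    is torn down and its peer must re-qualify (stand-in for the throughput
    score of slide 29, which the transcript does not preserve)."""

    def __init__(self, threshold, max_connections):
        self.threshold = threshold
        self.max_connections = max_connections
        self.query_counts = {}
        self.connections = OrderedDict()  # auth -> last-used time, oldest first

    def select(self, auth, now):
        """Return the transport for one query to `auth` issued at time `now`."""
        self.query_counts[auth] = self.query_counts.get(auth, 0) + 1
        if auth in self.connections:
            self.connections.move_to_end(auth)  # refresh LRU position
            self.connections[auth] = now
            return "DoQ"
        if self.query_counts[auth] < self.threshold:
            return "DNSSEC/UDP"
        if len(self.connections) >= self.max_connections:
            victim, _ = self.connections.popitem(last=False)  # evict LRU peer
            self.query_counts[victim] = 0  # evicted peer starts over on UDP
        self.connections[auth] = now
        return "DoQ"


if __name__ == "__main__":
    # Constructed traffic: three authoritative servers, room for two channels.
    sel = HybridTransportSelector(threshold=3, max_connections=2)
    for t, auth in enumerate(["ns.a.example."] * 3 + ["ns.b.example."] * 3
                             + ["ns.c.example."] * 3):
        print(t, auth, sel.select(auth, t))
```

Note what the threshold buys a defender: an NX flood aimed at one domain drives exactly that peer onto the authenticated channel, where the per-query DNSSEC signing and signature-carrying responses disappear, while every other peer keeps ordinary DNSSEC semantics and no extra state is created for them.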

  30-31. Measurements (Knot)
       With QUIC, using the same experiment (NX flood), throughput is 87% of plain DNS

       Configuration          Max Queries Per Second   % of Plain DNS
       Plain DNS                          23,524            100%
       DNSSEC: NSEC                        9,510             40%
       DNSSEC: NSEC3                       8,989             38%
       DNSSEC: White Lies                  5,863             25%
       DNSSEC: Black Lies                  7,206             30%
       DNSSEC: NSEC5                       6,324             27%
       AdaDoQ (our solution)              20,558             87%

  32. Conclusions
      DNSSEC degrades DNS performance and makes NXDOMAIN attacks worse (DDoS amplification)
      AdaDoQ hybrid solution: light and fast connections, one-time encryption overheads, close to plain DNS throughput
      No security compromises (zone walking), no scalability issues

  33. Questions?
