TrickleDNS: A Safety Net for the Domain Name System

Sriram Sankararaman*, Venugopalan Ramasubramanian, Lakshminarayanan Subramanian, and Ion Stoica*

* University of California Berkeley, Berkeley, CA 53706
Microsoft Research Silicon Valley, Mountain View, CA 94043
New York University, New York, NY 10003

October 9, 2007

Abstract

This paper presents TrickleDNS, a practical and decentralized system for disseminating DNS data securely. Unlike prior solutions, which depend on the as-yet-undeployed DNSSEC standard to preserve data integrity, TrickleDNS uses a novel security framework that provides resilience against data corruption by compromised servers and against denial of service attacks. It is based on the key design principle of randomization. First, TrickleDNS organizes participating nameservers into a well-connected peer-to-peer network with random yet constrained links to form a Secure Network of Nameservers (SNN). Nameservers in the SNN reliably broadcast their public keys to other nameservers without relying on a centralized PKI. Second, TrickleDNS reliably binds domains to their authoritative name servers through independent verification by multiple, randomly chosen peers within the SNN. Finally, TrickleDNS servers proactively disseminate self-certified versions of DNS records to provide faster performance, better availability, and improved security. This paper validates TrickleDNS through simulations and experiments on a prototype implementation.

1 Introduction

The Domain Name System (DNS) forms a critical component of the Internet infrastructure by providing the essential service of host name to IP address resolution. Internet users and providers of web-based services implicitly assume and rely on the correct operation of DNS.
However, DNS as operated today is susceptible to a wide range of attacks that enable malicious elements to hijack domain traffic by propagating bogus address mappings and to make a domain unavailable by disrupting name resolution. These vulnerabilities primarily stem from limited redundancy in DNS: recent studies show that 80% of domain names are served by just two name servers, while 32% of domain names have all name servers behind the same network gateway [24, 26]. The risks are further exacerbated by the trust that many domain operators unwittingly place in name servers outside the domain's control [27].

The prevalent solution for tolerating malicious attacks and achieving strong data integrity in DNS is DNSSEC [2]. It enables clients to verify the authenticity of a domain's data with the help of a chain of certificates signed by the domain and each of its parent domains, eventually attested by the public key of a single, globally known root domain. However, this dependency of DNSSEC on a centralized Public Key Infrastructure (PKI) has significantly limited the acceptance of DNSSEC despite many years of effort. Meanwhile, individual domains are unable to secure themselves until all their parent domains adopt DNSSEC. Furthermore, DNSSEC does not improve the resilience of DNS against Denial of Service (DoS) attacks.

This paper presents TrickleDNS, a completely decentralized approach to securing DNS against threats to data integrity and availability. Unlike DNSSEC, TrickleDNS does not rely on a PKI or a trusted central authority. Instead, it acquires its security through the following key concepts:

Secure Network of Nameservers: TrickleDNS establishes secure distribution of domain public keys through a random, well-connected network of name servers.
This network provides a sufficient number of redundant paths between any two name servers so that they can exchange public keys reliably even in the presence of a sizeable number of compromised servers. Two techniques enable TrickleDNS to achieve high resilience to attacks. First, servers are forced to choose their neighbors in an "explicitly constrained" manner in order to restrict the freedom of malicious agents. These constraints allow the TrickleDNS overlay with O(log n) neighbors per server to tolerate O(n / log n) compromised servers. Second, adversaries with a large number of identities are restricted from launching Sybil attacks [14] by forcing them to pick
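To make the redundant-path argument above concrete, here is an added simulation (not code from the paper or the TrickleDNS prototype) of public-key flooding over a random overlay in which every server has a logarithmic number of peers and honest servers accept the key reported by most of their neighbors. The ring-plus-random-chords topology, the plurality rule, the key strings and the 10% compromised fraction are all assumptions of this example; the paper's actual constrained neighbor-selection rule is not reproduced.

```python
import random
from collections import Counter

TRUE_KEY = "pk:source-genuine"    # constructed stand-in for the server's real public key
BOGUS_KEY = "pk:attacker-forged"  # the key compromised servers claim instead

def build_overlay(n, d, seed=0):
    """Ring plus random chords: every server gets >= d peers and the graph is connected.
    Assumption: the paper's 'explicitly constrained' neighbor rule is not reproduced."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    for i in range(n):
        adj[i].add((i + 1) % n); adj[(i + 1) % n].add(i)   # ring edge keeps it connected
        while len(adj[i]) < d:                               # random chords up to degree d
            j = rng.randrange(n)
            if j != i:
                adj[i].add(j); adj[j].add(i)
    return adj

def majority(reports):
    """Plurality among neighbors that have reported anything; None if nothing or a tie."""
    counts = Counter(r for r in reports if r is not None)
    if not counts:
        return None
    ranked = counts.most_common(2)
    if len(ranked) == 2 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]

def disseminate(adj, source, compromised, rounds):
    """Synchronous flooding of `source`'s key: each round every server tells its neighbors
    which key it believes is the source's. Compromised servers always push BOGUS_KEY; honest
    servers adopt the plurality of neighbor reports. Returns the honest servers' beliefs."""
    compromised = set(compromised)
    belief = {i: None for i in adj}
    belief[source] = TRUE_KEY
    for _ in range(rounds):
        report = {i: BOGUS_KEY if i in compromised else belief[i] for i in adj}
        belief = {i: TRUE_KEY if i == source else majority(report[j] for j in adj[i])
                  for i in adj}
    return {i: belief[i] for i in adj if i not in compromised}

def fraction_correct(beliefs):
    return sum(1 for b in beliefs.values() if b == TRUE_KEY) / len(beliefs)

if __name__ == "__main__":
    n, d = 200, 8                                 # degree on the order of log n
    adj = build_overlay(n, d, seed=1)
    bad = random.Random(2).sample([i for i in adj if i != 0], n // 10)  # 10% compromised
    print("honest servers holding the genuine key:", fraction_correct(disseminate(adj, 0, bad, 2 * n)))
```

Running it with an adversary that owns every neighbor of the source shows the failure mode the overlay constraints are meant to rule out: no other honest server can ever learn the genuine key, however many rounds are run.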