
Protecting BGP routes to top-level DNS servers


Abstract:

The Domain Name System (DNS) is an essential part of the Internet infrastructure and provides fundamental services, such as translating host names into IP addresses for Internet communication. The DNS is vulnerable to a number of potential faults and attacks. In particular, false routing announcements can deny access to the DNS service or redirect DNS queries to a malicious impostor. Due to the hierarchical DNS design, a single fault or attack against the routes to any of the top-level DNS servers can disrupt Internet services to millions of users. We propose a path-filtering approach to protect the routes to the critical top-level DNS servers. Our approach exploits both the high degree of redundancy in top-level DNS servers and the observation that popular destinations, including top-level DNS servers, are well-connected via stable routes. Our path-filter restricts the potential top-level DNS server route changes to be within a set of established paths. Heuristics derived from routing operations are used to adjust the potential routes over time. We tested our path-filtering design against BGP routing logs and the results show that the design can effectively ensure correct routes to top-level DNS servers without impacting DNS service availability.
Published in: IEEE Transactions on Parallel and Distributed Systems ( Volume: 14, Issue: 9, September 2003)
Page(s): 851 - 860
Date of Publication: 30 September 2003

Computer Science Department, University of California, Los Angeles, CA, USA
Lan Wang received the BS degree (1997) and the MS degree (1999) in computer science from Peking University, Beijing, China, and the University of California, Los Angeles, respectively. Currently, she is a PhD candidate in the Computer Science Department at UCLA. Her research interests include fault-tolerance in network protocol design, network measurement techniques, and scalable network simulator design.

Information Science Institute, University of Southern California, Arlington, VA, USA
Xiaoliang Zhao received the PhD degree in computer science from North Carolina State University (2002). He primarily focuses on network security research, especially on Internet critical infrastructure protection and intrusion detection techniques. Currently, he is a research associate at USC/ISI. He is a member of the IEEE.

Computer Science Department, University of California, Los Angeles, CA, USA
Dan Pei received the bachelor's and master's degrees in computer science, both from the Computer Science Department, Tsinghua University, China. He is a PhD candidate in the Computer Science Department at UCLA. His current research interests include Internet routing and fault tolerance in large-scale distributed systems.

IIJ, Crystal Springs, WA, USA
Randy Bush is an excompiler, real-time kernel hack, and a software engineering manager with more than 35 years in the computer industry. He has been a user and occasional implementor of networking in the US from the ARPANET to the current day Internet. He is principal scientist at Internet Initiative Japan. He spent a little more than a year at AT&T doing research and network architecture. Some network operational experience came from his being on the founding team at Verio, a backbone provider, from which he graduated as vice president of IP Networking after five years. As PI for the Network Startup Resource Center, a US National Science Foundation supported pro bono effort, he has been involved for some years with the deployment and integration of appropriate networking technology in the developing world. He is cochair of the IETF WG on the DNS, dnsext (nee dnsind). He is currently a member of the IESG, serving as cochair of the IETF Operations and Management Area, mainly covering the operation area.

Information Science Institute, University of Southern California, Arlington, VA, USA
Daniel Massey received the PhD in computer science from UCLA. In June 2000, he joined USC/ISI, and is currently a research assistant professor. He is the PI on DARPA and US National Science Foundation funded research projects, investigating techniques for improving the Internet DNS and BGP infrastructures. Dr. Massey is a member of the IEEE and the IEEE Communications and Computer Societies. His research interests include fault-tolerance and security for large scale network infrastructures.

Computer Science Department, University of California, Los Angeles, CA, USA
Lixia Zhang received the PhD degree in computer science from the Massachusetts Institute of Technology. She was a member of the research staff at the Xerox Palo Alto Research Center before joining the faculty of the UCLA Computer Science Department in 1995. In the past, she has served on the Internet Architecture Board, as cochair of the IEEE Communication Society Internet Technical Committee, and on the editorial board of the IEEE/ACM Transactions on Networking. Zhang is currently serving as the vice chair of ACM SIGCOMM. One of her current research interests is the complexity and resiliency in large scale systems such as the Internet. She is a senior member of the IEEE.

1 Introduction

The Domain Name System (DNS) [1] is an essential part of the Internet infrastructure. It provides the service of translating host names, such as www.cs.ucla.edu, into IP addresses that are used for data delivery. If an application fails to receive a reply for its DNS query, it is denied service. Worse still, if an application receives a reply that contains a wrong IP address, it will send data either to a black hole or to a machine selected by an attacker. Due to its hierarchical design, failure to reach all the 13 DNS root servers would cripple the entire DNS service and make all destinations unreachable by most applications. This potential vulnerability of the root servers is well-known and has even been described in popular press articles [2]. In addition to the root servers, there are also 13 DNS servers for the generic top-level domains (gTLDs) including com, net, and org. The loss of reachability to these gTLD servers would also deny access to millions of destinations in the com, net, and org name domains. In today's Internet, announcing a false route to DNS servers can easily lead to such faults or attacks.
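The abstract describes the defence at the level of a mechanism: a path filter that only lets the route to a top-level DNS server prefix change within a set of established AS paths, with operational heuristics adjusting that set over time. The following is an added illustration of that idea, not code from the paper or its authors. The protected prefixes (documentation ranges standing in for root and gTLD server address blocks), the `time|A|prefix|AS path` / `time|W|prefix` log format, the sample update records, and the promotion rule (an unknown path becomes established only after it has persisted for `promote_after_seconds` without the prefix returning to an established path) are all constructed here; the paper's actual heuristics are not spelled out on this page and the rule below is an assumed stand-in for them.

```python
"""Path filter for routes to top-level DNS server prefixes.

Added illustration of the path-filtering idea; everything below (prefixes,
log format, sample records, promotion heuristic) is constructed for this
example and is not the paper's design or data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ASPath = Tuple[int, ...]

# Placeholder prefixes standing in for top-level DNS server address blocks
# (RFC 5737 documentation ranges, deliberately not real server addresses).
PROTECTED_PREFIXES = {"192.0.2.0/24", "198.51.100.0/24"}

# Routes known to be stable before the filter is switched on (constructed).
SEEDS = [
    ("192.0.2.0/24", (64501, 64502, 64510)),
    ("198.51.100.0/24", (64501, 64503, 64511)),
]

# Constructed BGP update log: "time|A|prefix|AS path" or "time|W|prefix".
SAMPLE_LOG = [
    "1000|A|192.0.2.0/24|64501 64502 64510",     # established path
    "1060|A|203.0.113.0/24|64501 64520",         # unprotected prefix, passed through
    "1120|A|192.0.2.0/24|64501 64599 64510",     # unknown path: held, not installed
    "1180|A|192.0.2.0/24|64501 64502 64510",     # back on the established path
    "1240|A|198.51.100.0/24|64501 64503 64511",  # established path
    "1300|A|198.51.100.0/24|64501 64504 64511",  # unknown path, first seen
    "1600|A|198.51.100.0/24|64501 64504 64511",  # persisted 300 s: promoted
    "1660|W|192.0.2.0/24",                       # withdrawal passes
]


def parse_line(line: str) -> Tuple[int, str, Optional[ASPath]]:
    """Parse one constructed log record into (time, prefix, AS path or None)."""
    fields = line.strip().split("|")
    ts, kind, prefix = int(fields[0]), fields[1], fields[2]
    if kind == "W":
        return ts, prefix, None
    return ts, prefix, tuple(int(asn) for asn in fields[3].split())


@dataclass
class PathFilter:
    """Restricts route changes for protected prefixes to established AS paths.

    promote_after_seconds is the assumed heuristic: a candidate path is only
    admitted once it has stayed announced for that long.
    """
    promote_after_seconds: int = 300
    established: Dict[str, set] = field(default_factory=dict)
    candidates: Dict[str, Dict[ASPath, int]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def seed(self, prefix: str, path: ASPath) -> None:
        self.established.setdefault(prefix, set()).add(path)

    def process(self, ts: int, prefix: str, path: Optional[ASPath]) -> str:
        """Return 'accept', 'reject' or 'pass' for a single update."""
        if prefix not in PROTECTED_PREFIXES:
            return "pass"                 # ordinary prefixes are not filtered
        if path is None:
            return "accept"               # a withdrawal cannot install a false path
        known = self.established.setdefault(prefix, set())
        cands = self.candidates.setdefault(prefix, {})
        if path in known:
            cands.clear()                 # assumed: returning to a known path drops pending candidates
            return "accept"
        first_seen = cands.setdefault(path, ts)
        if ts - first_seen >= self.promote_after_seconds:
            known.add(path)               # persisted long enough: treat as a legitimate change
            del cands[path]
            self.log.append(f"{ts} promoted {prefix} via {path}")
            return "accept"
        self.log.append(f"{ts} rejected {prefix} via {path} (candidate since {first_seen})")
        return "reject"


def run_filter(lines: List[str], seeds, promote_after_seconds: int = 300):
    """Replay log lines through a seeded filter; return decisions and the filter."""
    pf = PathFilter(promote_after_seconds)
    for prefix, path in seeds:
        pf.seed(prefix, path)
    decisions = [pf.process(*parse_line(line)) for line in lines]
    return decisions, pf


if __name__ == "__main__":
    decisions, pf = run_filter(SAMPLE_LOG, SEEDS)
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{decision:7s} {line}")
    print("\n".join(pf.log))
```

The replay shows the two properties the abstract claims: a path the filter has never seen for a protected prefix (the `64599` route) is held rather than installed, so a false announcement does not redirect queries, while a genuinely new path that persists is eventually admitted, so availability is not lost. How quickly that admission happens is set entirely by the promotion rule, which is the knob an operator would tune and the part the paper derives from routing operations rather than the fixed 300-second stand-in used here.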

