Related papers: ss2DNS: A Secure DNS Scheme in Stage 2

ss2DNS: A Secure DNS Scheme in Stage 2

URL: http://arxiv.org/abs/2408.00968v3
Date: Thu, 26 Jun 2025 03:14:28 GMT
Title: ss2DNS: A Secure DNS Scheme in Stage 2
Authors: Ali Sadeghi Jahromi, AbdelRahman Abdou, Paul C. van Oorschot,
Abstract summary: We introduce ss2DNS, a novel DNS scheme designed to mitigate the security and privacy vulnerabilities in the resolution process between resolvers and authoritative nameservers.<n>We show that for server-side processing latency, resolution time, and CPU usage, ss2DNS is comparable to less-secure schemes but significantly outperforms DNS-over-TLS.
Score: 1.8379423176822356
License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
Abstract: The absence of security and privacy measures between DNS recursive resolvers and authoritative nameservers has been exploited by both on-path and off-path attackers. Although numerous security proposals have been introduced in practice and in the literature, they often face deployability barriers and/or lack a compelling set of security and privacy properties, resulting in limited adoption. We introduce ss2DNS, a novel DNS scheme designed to mitigate the security and privacy vulnerabilities in the resolution process between resolvers and authoritative nameservers, while preserving efficiency by maintaining a single round-trip. ss2DNS takes advantage of a hierarchical trust model that does not rely on entities external to DNS zones, and delegates nameserver replicas within each zone to serve zone data securely for short, renewable time intervals. This design enables real-time security properties for DNS messages without requiring the duplication of long-term private keys on replicas, thereby minimizing exposure to compromise. We implement a proof of concept of ss2DNS for evaluation and show that for server-side processing latency, resolution time, and CPU usage, ss2DNS is comparable to less-secure schemes but significantly outperforms DNS-over-TLS.

Related papers

Collusion Resistant DNS With Private Information Retrieval [42.34183823376613]
We propose PDNS, a DNS extension leveraging single-server Private Information Retrieval to strengthen privacy guarantees.<n>PDNS achieves acceptable performance (2x faster than DoH over Tor with similar privacy guarantees) and strong privacy guarantees today.
arXiv Detail & Related papers (2025-07-28T13:17:25Z)
Transparent Attested DNS for Confidential Computing Services [2.6667047594113096]
ADNS is a name service that binds attested implementation of confidential services to their domain names. ADNS builds on standards such as DNSSEC, DANE, ACME and Certificate Transparency. We implement aDNS as a confidential service using a fault-tolerant network of TEEs.
arXiv Detail & Related papers (2025-03-18T18:07:09Z)
Shh, don't say that! Domain Certification in LLMs [124.61851324874627]
Large language models (LLMs) are often deployed to perform constrained tasks, with narrow domains. We introduce domain certification; a guarantee that accurately characterizes the out-of-domain behavior of language models. We then propose a simple yet effective approach, which we call VALID that provides adversarial bounds as a certificate.
arXiv Detail & Related papers (2025-02-26T17:13:19Z)
Analysis of Robust and Secure DNS Protocols for IoT Devices [8.574167373120648]
We investigate different DNS security approaches using an edge DNS resolver implemented as a Virtual Network Function (VNF) We present our results for cache-based and non-cached responses and evaluate the corresponding security benefits.
arXiv Detail & Related papers (2025-02-13T19:16:39Z)
MTDNS: Moving Target Defense for Resilient DNS Infrastructure [2.8721132391618256]
DNS (Domain Name System) is one of the most critical components of the Internet. Researchers have been constantly developing methods to detect and defend against the attacks against DNS. Most solutions discard packets for defensive approaches, which can cause legitimate packets to be dropped. We propose MTDNS, a resilient MTD-based approach that employs Moving Target Defense techniques.
arXiv Detail & Related papers (2024-10-03T06:47:16Z)
Federated Instruction Tuning of LLMs with Domain Coverage Augmentation [87.49293964617128]
Federated Domain-specific Instruction Tuning (FedDIT) utilizes limited cross-client private data together with various strategies of instruction augmentation. We propose FedDCA, which optimize domain coverage through greedy client center selection and retrieval-based augmentation. For client-side computational efficiency and system scalability, FedDCA$*$, the variant of FedDCA, utilizes heterogeneous encoders with server-side feature alignment.
arXiv Detail & Related papers (2024-09-30T09:34:31Z)
Knowledge-to-Jailbreak: One Knowledge Point Worth One Attack [86.6931690001357]
Knowledge-to-jailbreak aims to generate jailbreaks from domain knowledge to evaluate the safety of large language models on specialized domains. We collect a large-scale dataset with 12,974 knowledge-jailbreak pairs and fine-tune a large language model as jailbreak-generator.
arXiv Detail & Related papers (2024-06-17T15:59:59Z)
The Harder You Try, The Harder You Fail: The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNSSEC [19.568025360483702]
We develop a new class of DNSSEC-based algorithmic complexity attacks on DNS, we dub KeyTrap attacks. With just a single DNS packet, the KeyTrap attacks lead to a 2.0x spike in CPU count in vulnerable DNS resolvers, stalling some for as long as 16 hours. Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.
arXiv Detail & Related papers (2024-06-05T10:33:04Z)
Don't Get Hijacked: Prevalence, Mitigation, and Impact of Non-Secure DNS Dynamic Updates [1.135267457536642]
DNS dynamic updates represent an inherently vulnerable mechanism. Non-secure DNS updates leave domains susceptible to a novel form of attack termed zone poisoning. We undertook a comprehensive campaign involving the notification of Computer Security Incident Response Teams.
arXiv Detail & Related papers (2024-05-30T09:23:53Z)
Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet [0.9319432628663636]
We propose a novel technique for identifying DNSSEC-validating resolvers. We find that while most open resolvers are DNSSEC-enabled, less than 18% in IPv4 (38% in IPv6) validate received responses.
arXiv Detail & Related papers (2024-05-30T08:58:18Z)
Secure Aggregation is Not Private Against Membership Inference Attacks [66.59892736942953]
We investigate the privacy implications of SecAgg in federated learning. We show that SecAgg offers weak privacy against membership inference attacks even in a single training round. Our findings underscore the imperative for additional privacy-enhancing mechanisms, such as noise injection.
arXiv Detail & Related papers (2024-03-26T15:07:58Z)
The Power of Bamboo: On the Post-Compromise Security for Searchable Symmetric Encryption [43.669192188610964]
Dynamic searchable symmetric encryption (DSSE) enables users to delegate the keyword search over dynamically updated databases to an honest-but-curious server. This paper studies a new and practical security risk to DSSE, namely, secret key compromise. We introduce the notion of searchable encryption with key-update (SEKU) that provides users with the option of non-interactive key updates.
arXiv Detail & Related papers (2024-03-22T09:21:47Z)
TI-DNS: A Trusted and Incentive DNS Resolution Architecture based on Blockchain [8.38094558878305]
Domain Name System (DNS) is vulnerable to some malicious attacks, including DNS cache poisoning. This paper presents TI-DNS, a blockchain-based DNS resolution architecture designed to detect and correct the forged DNS records. TI-DNS is easy to be adopted as it only requires modifications to the resolver side of current DNS infrastructure.
arXiv Detail & Related papers (2023-12-07T08:03:10Z)
The Evolution of DNS Security and Privacy [1.0603824305049263]
DNS is one of the fundamental protocols of the TCP/IP stack to protect against threats and attacks. This study examines the risks associated with DNS and explores recent advancements that contribute towards making the DNS ecosystem resilient against various attacks while safeguarding user privacy.
arXiv Detail & Related papers (2023-12-01T06:14:25Z)
Model Barrier: A Compact Un-Transferable Isolation Domain for Model Intellectual Property Protection [52.08301776698373]
We propose a novel approach called Compact Un-Transferable Isolation Domain (CUTI-domain) CUTI-domain acts as a barrier to block illegal transfers from authorized to unauthorized domains. We show that CUTI-domain can be easily implemented as a plug-and-play module with different backbones.
arXiv Detail & Related papers (2023-03-20T13:07:11Z)
Randomized Message-Interception Smoothing: Gray-box Certificates for Graph Neural Networks [95.89825298412016]
We propose novel gray-box certificates for Graph Neural Networks (GNNs) We randomly intercept messages and analyze the probability that messages from adversarially controlled nodes reach their target nodes. Our certificates provide stronger guarantees for attacks at larger distances.
arXiv Detail & Related papers (2023-01-05T12:21:48Z)
Towards Bidirectional Protection in Federated Learning [70.36925233356335]
F2ED-LEARNING offers bidirectional defense against malicious centralized server and Byzantine malicious clients. F2ED-LEARNING securely aggregates each shard's update and launches FilterL2 on updates from different shards. evaluation shows that F2ED-LEARNING consistently achieves optimal or close-to-optimal performance.
arXiv Detail & Related papers (2020-10-02T19:37:02Z)
CryptoSPN: Privacy-preserving Sum-Product Network Inference [84.88362774693914]
We present a framework for privacy-preserving inference of sum-product networks (SPNs) CryptoSPN achieves highly efficient and accurate inference in the order of seconds for medium-sized SPNs.
arXiv Detail & Related papers (2020-02-03T14:49:18Z)

This list is automatically generated from the titles and abstracts of the papers in this site.