Is Protective DNS Blocking the Wild West?
- URL: http://arxiv.org/abs/2510.25352v1
- Date: Wed, 29 Oct 2025 10:11:08 GMT
- Title: Is Protective DNS Blocking the Wild West?
- Authors: David Plonka, Branden Palacio, Debbie Perouli
- Abstract summary: We investigate how a Protective DNS service might perform in a Research & Education Network serving hundreds of member institutions. We test hundreds of millions of users' real DNS queries, observed over a week's time, to find which answers would be blocked because they involve domain names that are potential threats.
- Score: 0.0
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: We perform a passive measurement study investigating how a Protective DNS service might perform in a Research & Education Network serving hundreds of member institutions. Utilizing freely-available DNS blocklists consisting of domain names deemed to be threats, we test hundreds of millions of users' real DNS queries, observed over a week's time, to find which answers would be blocked because they involve domain names that are potential threats. We find the blocklists disorderly regarding their names, goals, transparency, and provenance making them quite difficult to compare. Consequently, these Protective DNS underpinnings lack organized oversight, presenting challenges and risks in operation at scale.
Related papers
- Forward to Hell? On the Potentials of Misusing Transparent DNS Forwarders in Reflective Amplification Attacks [2.1232547053555826]
  We show how transparent forwarders raise severe threats to the Internet infrastructure. They easily circumvent rate limiting and achieve an additional, scalable impact via the DNS anycast infrastructure.
  arXiv Detail & Related papers (2025-10-21T12:28:11Z)
- DNS in the Time of Curiosity: A Tale of Collaborative User Privacy Protection [0.764671395172401]
  Public DNS resolvers offer low-latency resolution, high reliability, privacy-preserving policies, and support for encrypted DNS queries. Client-resolver traffic encryption, increasingly deployed to protect users from eavesdroppers, does not protect users against curious resolvers. We will discuss key ideas of the proposal, which aims to achieve a high level of privacy without sacrificing performance.
  arXiv Detail & Related papers (2025-09-29T01:09:09Z)
- ChamaleoNet: Programmable Passive Probe for Enhanced Visibility on Erroneous Traffic [48.87214752144106]
  ChamaleoNet transforms any production network into a transparent monitor to let administrators collect unsolicited and erroneous traffic directed to hosts. ChamaleoNet is programmed to ignore well-formed traffic and collect only erroneous packets. Simple analytics unveil internal and infected hosts, identify temporary failures, and enhance visibility on external radiation produced by attackers looking for vulnerable services.
  arXiv Detail & Related papers (2025-08-17T20:54:41Z)
- Collusion Resistant DNS With Private Information Retrieval [42.34183823376613]
  We propose PDNS, a DNS extension leveraging single-server Private Information Retrieval to strengthen privacy guarantees. PDNS achieves acceptable performance (2x faster than DoH over Tor with similar privacy guarantees) and strong privacy guarantees today.
  arXiv Detail & Related papers (2025-07-28T13:17:25Z)
- ss2DNS: A Secure DNS Scheme in Stage 2 [1.8379423176822356]
  We introduce ss2DNS, a novel DNS scheme designed to mitigate the security and privacy vulnerabilities in the resolution process between resolvers and authoritative nameservers. We show that for server-side processing latency, resolution time, and CPU usage, ss2DNS is comparable to less-secure schemes but significantly outperforms DNS-over-TLS.
  arXiv Detail & Related papers (2024-08-02T01:25:14Z)
- Towards Universal Dense Blocking for Entity Resolution [49.06313308481536]
  We propose UniBlocker, a dense blocker that is pre-trained on a domain-independent, easily-obtainable corpus. By conducting domain-independent pre-training, UniBlocker can be adapted to various downstream blocking scenarios without requiring domain-specific fine-tuning. Our experiments show that the proposed UniBlocker, without any domain-specific learning, significantly outperforms previous self- and unsupervised dense blocking methods.
  arXiv Detail & Related papers (2024-04-23T08:39:29Z)
- Survey and Analysis of DNS Filtering Components [0.0]
  Cybercriminals often use DNS for malicious purposes, such as phishing, malware distribution, and botnet communication. To combat these threats, filtering resolvers have become increasingly popular, employing various techniques to identify and block malicious requests. We survey several techniques to implement and enhance the capabilities of filtering resolvers, including response policy zones, threat intelligence feeds, and detection of algorithmically generated domains.
  arXiv Detail & Related papers (2024-01-08T12:52:59Z)
- TI-DNS: A Trusted and Incentive DNS Resolution Architecture based on Blockchain [8.38094558878305]
  The Domain Name System (DNS) is vulnerable to some malicious attacks, including DNS cache poisoning. This paper presents TI-DNS, a blockchain-based DNS resolution architecture designed to detect and correct forged DNS records. TI-DNS is easy to adopt as it only requires modifications to the resolver side of the current DNS infrastructure.
  arXiv Detail & Related papers (2023-12-07T08:03:10Z)
- Model Barrier: A Compact Un-Transferable Isolation Domain for Model Intellectual Property Protection [52.08301776698373]
  We propose a novel approach called Compact Un-Transferable Isolation Domain (CUTI-domain). CUTI-domain acts as a barrier to block illegal transfers from authorized to unauthorized domains. We show that CUTI-domain can be easily implemented as a plug-and-play module with different backbones.
  arXiv Detail & Related papers (2023-03-20T13:07:11Z)
- Quarantine: Sparsity Can Uncover the Trojan Attack Trigger for Free [126.15842954405929]
  Trojan attacks threaten deep neural networks (DNNs) by poisoning them to behave normally on most samples, yet to produce manipulated results for inputs attached with a trigger. We propose a novel Trojan network detection regime: first locating a "winning Trojan lottery ticket" which preserves nearly full Trojan information yet only chance-level performance on clean inputs; then recovering the trigger embedded in this already isolated subnetwork.
  arXiv Detail & Related papers (2022-05-24T06:33:31Z)
- Open-Domain Question-Answering for COVID-19 and Other Emergent Domains [61.615197623034085]
  We present an open-domain question-answering system for the emergent biomedical domain of COVID-19. Despite the small data size, we are able to successfully train the system to retrieve answers from a large-scale corpus of published COVID-19 scientific papers.
  arXiv Detail & Related papers (2021-10-13T18:06:14Z)
- Practical Detection of Trojan Neural Networks: Data-Limited and Data-Free Cases [87.69818690239627]
  We study the problem of Trojan network (TrojanNet) detection in the data-scarce regime. We propose a data-limited TrojanNet detector (TND), for when only a few data samples are available for TrojanNet detection. In addition, we propose a data-free TND, which can detect a TrojanNet without accessing any data samples.
  arXiv Detail & Related papers (2020-07-31T02:00:38Z)
This list is automatically generated from the titles and abstracts of the papers in this site.