For everyone who wants to know more: our tutorial paper about the DNS

About the basics, real world deployments, and open challenges


The original blog is in Dutch. This is the English translation.

Authors: Olivier van der Toorn, Moritz Müller, Sara Dickinson, Cristian Hesselman, Anna Sperotto, Roland van Rijswijk-Deij

Earlier this year, our tutorial paper 'Addressing the challenges of modern DNS: A comprehensive tutorial' was published. The paper was co-authored with colleagues at the University of Twente and sinodun. It describes the Domain Name System (DNS) from two perspectives: what the modern DNS actually looks like in practice, and what security challenges currently face the DNS. The paper is aimed at technical personnel who want to know more about the DNS, and at DNS specialists looking for somewhere to get started on a more detailed exploration of the subject.

Why a(nother) DNS tutorial?

We wrote the tutorial because finding out about the current state of the DNS can be quite an undertaking. Numerous DNS tutorials can be found online, but most explain only the basics of how the system works. And few of them cover recent developments such as DNS-over-HTTPS or DNS centralisation. Another problem is that the formal documentation on the DNS is very extensive. In the early days of the DNS, the RFCs defining the system ran to maybe a hundred pages. Now, there are more than two hundred documents numbering a total of more than 3,500 pages. Anyone who wants to get to grips with the subject therefore needs to get hold of and read a huge number of documents, and then consider which parts of them actually apply in the modern world.

Our paper is intended to help people get past those problems. We explain what the modern DNS looks like in practice, and we help (budding) DNS specialists identify the key security issues currently associated with the DNS. Our target audience consists of two groups. First, technical personnel who are relatively new to the DNS (e.g. students, researchers and software developers). Second, people who already have significant expertise and want somewhere to get started on a more detailed exploration of the subject (for which our reference list is potentially useful). The paper draws on our own DNS research, our operational experience and our familiarity with the DNS RFCs and academic literature.

Ultimately, we hope to help strengthen the DNS community in the Netherlands, Europe and beyond. That's an important goal because the DNS is one of the internet's core systems, playing a role in almost every internet transaction. A strong technical community of DNS experts is therefore vital for the health of the internet.

Perspective 1: the modern DNS in practice

Our tutorial considers the DNS first from the perspective of recent developments in DNS practice. Examples include the encryption of DNS messages, progressive centralisation of the DNS infrastructure, and the influence of centralisation on DNS functionality and on users, operators, developers and researchers. In other words, we portray the DNS as a dynamic, continuously evolving (eco)system.

Our tutorial also explains how large-scale measurements can be performed to shed light on the evolutionary changes taking place in the DNS. Broadly speaking, there are two approaches to large-scale DNS measurement. One is active measurement: sending your own queries to the DNS 'from outside', e.g. with OpenINTEL. The other is passive measurement: capturing the query traffic that already arrives at DNS servers, e.g. at authoritative name servers using ENTRADA. In our paper, we describe how you can set up such measurements yourself, and what the pros and cons of the two measurement methods are.

Perspective 2: four key security challenges for the DNS

The second perspective offered by our tutorial is a description of four key security challenges for the current DNS: increasing the confidentiality, integrity and availability of the DNS, and tackling abuse.

We explain why each challenge requires a response and what solutions the DNS community has devised. Solutions we consider include DNS-over-TLS for the encryption of DNS messages and DNSSEC to assure their integrity. We also look at BGP anycast, which increases the availability of DNS systems, and we summarise the many ways that malicious DNS activity can be identified and stopped.

We explain how such solutions work and how they are currently used in the DNS. The tutorial shows that many solutions are imperfect and themselves create further issues. In addition, we flag up various challenges for which no solution has yet been found, and highlight the potential of alternative naming systems (e.g. based on blockchains, SCION or NDN).

Our hope is that the tutorial's second perspective may inspire and motivate academics and the wider DNS community to embark on new research and develop new solutions.

Of course, the basics are covered too

Naturally, our tutorial includes a thorough explanation of DNS basics. We go over the system's main components, and we explain what DNS messages look like and how they are exchanged by the system's components. Throughout the paper, practical examples are given to aid understanding.
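To make the "what DNS messages look like" part concrete, here is an added example that is not code from the paper or from its authors: a minimal encoder and decoder for the DNS wire format using only Python's standard library. It builds a query carrying an EDNS0 OPT record with the DNSSEC OK (DO) bit, the flag a DNSSEC-aware client uses to ask for signatures, and parses a constructed response (not captured traffic; the address 192.0.2.1 is from the TEST-NET-1 documentation range), decoding the header flags, including AD, which a validating resolver sets when it has verified the answer, and a compressed name. The checks on compression pointers and RDATA length are the ones a parser exposed to untrusted packets needs. The transaction ID 0x1234 and the query name example.com are arbitrary choices for the example.

```python
"""Added example, not the tutorial paper's code: minimal DNS wire-format
encoder/decoder (message layout per RFC 1035, OPT pseudo-RR per RFC 6891)."""
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD were added by DNSSEC)
FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100,
             "RA": 0x0080, "AD": 0x0020, "CD": 0x0010}
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_DO = 0x00008000  # the DO bit sits in the OPT record's TTL field


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = TYPE_A, txid: int = 0x1234,
                dnssec_ok: bool = True) -> bytes:
    """Recursive query (RD=1); optionally appends an OPT RR with DO=1."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_BITS["RD"], 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if dnssec_ok:
        # OPT: root name, TYPE=41, CLASS=UDP payload size (1232 keeps
        # responses below common fragmentation limits), TTL=flags with DO set,
        # RDLEN=0 (no EDNS options)
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return msg


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; returns (name, offset after it).

    A label byte with top bits 11 is a pointer to an earlier occurrence of
    the name.  Pointers must go backwards, which rules out pointer loops in
    crafted packets; the hop limit is a second line of defence."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:          # the name ends after the first pointer
                end = offset + 2
            hops += 1
            if hops > 16 or pointer >= offset:
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_message(msg: bytes) -> dict:
    """Parse header, question and answer sections (A RDATA as dotted quad)."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "rcode": flags & 0x000F,
           "flags": {k: bool(flags & v) for k, v in FLAG_BITS.items()},
           "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):   # truncated or crafted RDLENGTH
            raise ValueError("RDATA length exceeds message")
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        out["answers"].append((name, rtype, ttl, rdata))
    return out


# Constructed response (not captured traffic): answers the query above with
# 192.0.2.1, flags QR|RD|RA|AD = 0x81A0, and a compression pointer (0xC00C)
# back to the question name at offset 12.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(build_query("example.com").hex())
    print(parse_message(CONSTRUCTED_RESPONSE))
```

The AD bit is only meaningful on the path between you and a resolver you trust: it is set by the validating resolver, not signed, so anything that can spoof or rewrite the response (the confidentiality and integrity problems the paper discusses) can set or clear it. Validating the RRSIGs yourself, or protecting the resolver hop with DNS-over-TLS, is what actually closes that gap.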

Want to know more?

Our paper was published in Elsevier's Computer Science Review and is now open access. Fancy taking a look? The tutorial is available to download from our website in PDF form, or to read online.

Finally, if you'd like to keep abreast of future DNS developments, why not subscribe to the blogs published on this site? We also hope that our paper will help you to follow more complex DNS community debates, such as those that take place within the IETF.