APNIC’s Chief Scientist, Geoff Huston, joins PING to discuss three related presentations by Google, Internet Systems Consortium (ISC), and Mozilla that caught his attention during the recent IETF 114 and DNS-OARC 38 meetings on securing the DNS against spoofing.
DNS spoofing involves third parties intercepting and responding to queries for benign or malicious purposes, and recent studies show that DNS spoofing has more than doubled since 2016.
Google is protecting its DNS service against spoofing using multiple methods including using a combination of DNS cookies, randomizing the choice of nameservers, stripping duplicate queries from outbound queues, performing rate limiting, and unilaterally probing for support of Authoritative DNS over TLS (ADoT). Google projects that these measures will cover 99% of queries after the various rollouts are complete.
While such results are impressive, Geoff and others argue that the widespread use of DNSSEC could do the job just as well but with little impact on performance, as ISC’s and Mozilla’s findings in their recent studies have shown.
Read more about DNS Spoofing and DNSSEC on the APNIC Blog:
- Geoff’s Notes from DNS-OARC 38 and IETF 114 for more detail on and links to these presentations.
- Whac-A-Mole: Six years of DNS spoofing
- Spoofing packets: What is it, and why do people do it?
- DNSSEC: The long and bumpy road of algorithm deployment
Subscribe and share your story
You can stream and subscribe to PING via the following channels:
If you’re interested in sharing your insights or research, please get in touch — we’re always on the lookout for great stories from the community. And please do let us know what you think of the podcast as well as the APNIC Blog so we can keep improving.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.