Abstract by Cade Daniel
Quantification and Identification of Obstacles to Strict DNS Cookie Enforcement in the Domain Name System
DNS Cookies (RFC 7873) close several attack vectors in the DNS, including reflection and amplification attacks that abuse large DNSSEC responses, by letting clients and servers drop packets that carry no valid cookie and therefore cannot be shown to come from the source address they claim. Unfortunately, strictly enforcing DNS Cookies today would break DNS service for the majority of DNS clients and servers. To understand how enforcement of DNS Cookies would affect the Internet, we query a large sample of server-domain pairs with various query settings and capture the responses. We analyze these responses to identify particular server and network configurations that complicate DNS Cookie deployment and enforcement, such as round-robin load balancers, behind which a client can receive a different server cookie on each query. We quantify the nameservers that support DNSSEC, EDNS0 (which DNS Cookies require, since the cookie travels as an EDNS0 option), and DNS Cookies. These results will inform DNS architects and enable them to eventually enforce DNS Cookies, further securing the DNS.
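The measurement the abstract describes, as an added example that is not the paper's own code: build a query carrying an EDNS0 COOKIE option (RFC 7873, option code 10), parse the OPT record out of each reply, and classify one server-domain pair's behaviour over repeated replies (no EDNS0, EDNS0 without cookie support, stable server cookie, or a server cookie that changes between replies, the signature of several backends with independent secrets behind a load balancer). All replies below are constructed in-process so the script runs offline; the name `example.com` and address `192.0.2.1` are documentation placeholders, and the four-way classification is this example's own, not the paper's.

```python
import struct

COOKIE_OPT = 10   # EDNS0 option code assigned to DNS COOKIE (RFC 7873)
OPT_TYPE = 41     # RR type of the EDNS0 OPT pseudo-record


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def opt_rr(options, udp_size=1232):
    """OPT RR: root owner name, type 41, class = UDP payload size, TTL = 0, then (code, value) options."""
    rdata = b"".join(struct.pack(">HH", code, len(val)) + val for code, val in options)
    return b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata


def build_query(qname, client_cookie=None, txid=0x1234):
    """A/IN query with RD set and an OPT RR; the cookie option carries only the 8-byte client half."""
    hdr = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    opts = [(COOKIE_OPT, client_cookie)] if client_cookie else []
    return hdr + encode_name(qname) + struct.pack(">HH", 1, 1) + opt_rr(opts)


def build_response(txid, qname, client_cookie=None, server_cookie=b"", edns=True):
    """Constructed reply (not captured traffic): one A record, plus an OPT RR if the 'server' speaks EDNS0."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 1 if edns else 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    msg = hdr + encode_name(qname) + struct.pack(">HH", 1, 1) + answer
    if edns:
        opts = [(COOKIE_OPT, client_cookie + server_cookie)] if client_cookie else []
        msg += opt_rr(opts, udp_size=4096)
    return msg


def _skip_name(msg, off):
    """Advance past a possibly compressed owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte compression pointer
            return off + 2
        off += 1 + length


def parse_cookie(msg):
    """Walk every RR after the question; report EDNS0 presence and the cookie halves."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    out = {"rcode": flags & 0xF, "edns": False, "client": None, "server": None, "malformed": False}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        out["edns"] = True
        o = 0
        while o + 4 <= len(rdata):
            code, olen = struct.unpack(">HH", rdata[o:o + 4])
            val, o = rdata[o + 4:o + 4 + olen], o + 4 + olen
            if code != COOKIE_OPT:
                continue
            if olen == 8:                       # client cookie only
                out["client"] = val
            elif 16 <= olen <= 40:              # 8-byte client + 8..32-byte server cookie
                out["client"], out["server"] = val[:8], val[8:]
            else:                               # any other length is illegal per RFC 7873
                out["malformed"] = True
    return out


def classify(client_cookie, responses):
    """Summarise cookie behaviour of one (server, name) pair over several replies."""
    parsed = [parse_cookie(r) for r in responses]
    if not all(p["edns"] for p in parsed):
        return "no-edns0"                       # no OPT RR (often FORMERR): cannot carry cookies
    if any(p["malformed"] for p in parsed):
        return "cookie-malformed"
    if any(p["server"] is None for p in parsed):
        return "edns0-no-cookie"                # EDNS0 present but the option was ignored
    if any(p["client"] != client_cookie for p in parsed):
        return "client-cookie-mismatch"         # a strict client would drop these replies
    # Distinct server cookies for one client cookie and one source address point at
    # several backends with independent secrets (e.g. a round-robin load balancer):
    # a cookie learned from one backend is BADCOOKIE to the next, so strict
    # server-side enforcement would reject a well-behaved client's queries.
    return "cookie-stable" if len({p["server"] for p in parsed}) == 1 else "cookie-unstable"
```

In a real measurement the replies passed to `classify` would be the captured responses to repeated `build_query` packets sent over UDP to one nameserver address; the classifier needs several replies per pair, because a single reply cannot distinguish a stable cookie from a rotating one.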