Internet scalability: properties and evolution

Copyright © 2008 IEEEMatthew Roughan; Steve Uhlig; Walter Willinge

Evaluation of Dnssec in Microsoft Windows and Microsoft Windows Server 2008 R2

The Domain Name System (DNS) provides important name resolution services on the Internet. The DNS has been found to have security flaws which have the potential to undermine the reliability of many Internet-based systems. DNS Security Extensions (DNSSEC) offers a long-term solution these DNS security flaws. However, DNSSEC adoption has been slow because it is challenging to deploy and administer. DNSSEC has also been criticized for not being an end-toend solution. Microsoft included support for DNSSEC in its latest operating systems, Windows Server 2008 R2 and Windows 7. This thesis concluded that DNSSEC features in Windows Server 2008 R2 and Windows 7 are not fully developed and are unlikely to impact DNSSEC adoption rates

Anomaly Detection in DNS Traffic

Tato diplomová práce je napsána ve spolupráci s firmou NIC.CZ a zabývá se anomáliemi v provozu systému DNS. Obsahuje popis základních principů tohoto systému a vlastností, kterými se jeho provoz vyznačuje. Účelem této práce je pokusit se vytvořit klasifikátor některých z anomálií v této práci uvedených a ověřit jeho schopnosti teoreticky i v praktických podmínkách.This master thesis is written in collaboration with NIC.CZ company. It describes basic principles of DNS system and properties of DNS traffic. It's goal an implementation of DNS anomaly classifier and its evaluation in practice.

Making NSEC5 Practical for DNSSEC

NSEC5 is a proposed modification to DNSSEC that guarantees two security properties: (1) privacy against offline zone enumeration, and (2) integrity of zone contents, even if an adversary compromises the authoritative nameserver responsible for responding to DNS queries for the zone. In this work, we redesign NSEC5 in order to make it practical and performant. Our NSEC5 redesign features a new verifiable random function (VRF) based on elliptic curve cryptography (ECC), along with a cryptographic proof of its security. This VRF is also of independent interest, as it is being standardized by the IETF and being used by several other projects. We show how to integrate NSEC5 using our ECC-based VRF into DNSSEC, leveraging precomputation to improve performance and DNS protocol-level optimizations to shorten responses. Next, we present the first full-fledged implementation of NSEC5 for both nameserver and recursive resolver, and evaluate performance under aggressive DNS query loads. We find that our redesigned NSEC5 can be viable even for high-throughput scenarios