[Chugalug] Signing DNS Queries

David White dwrudy at gmail.com
Wed Sep 4 14:21:31 UTC 2013

Many of you guys know that DNS is something I'm interested in and continue
to do a lot of research and work in. I'm nowhere near an expert, but find
this aspect of the interwebs fascinating, and have done what I can to
understand it better and advocate for best DNS practices.

I'm doing some brainstorming right now, and think I've come up with a
theory that could possibly work in practice, but is probably a dumb idea.
What do ya'll think? Is this a stupid idea? (In theory, I think its good,
but in practice, I do think its dumb).

Here's a recent article on DNS Amplification attacks and how millions of
home routers around the world are being used for the attacks:

My theory is to create some sort of signing system for devices querying DNS
resolvers that would authenticate the device making the query.

Sort of like DKIM for email, each router would generate a unique public /
private key pair (different from the MAC address) that would then tie into
the router's owner's domain system.

The public key for the router would go into public DNS, and the private key
would be stored on the router. If the keys don't match, then the resolver
doesn't respond / denies the request.

I see a few major disadvantages to a system like this, including:

   - Added bandwidth to the DNS system
   - No incentive for home users (or anyone, for that matter) to implement
   the system on their routers
   - Low incentive for system administrators who operate resolvers to
   implement it onto their servers
   - Too much data to track in the DNS system (millions of DNS records - 1
   for each router - would be absurd.... unless each router were given a
   unique subdomain name that the ISP tracked and updated automatically)

I see this system giving the most benefit to home ISP providers.

David White
Founder & CEO
*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://chugalug.org/pipermail/chugalug/attachments/20130904/a6161bce/attachment.html>

More information about the Chugalug mailing list