A Client Based DNSSEC Validation Mechanism with Recursive DNS Server Separation

DNSSEC has been proposed to provide data origin authentication and data integrity between recursive DNS server and authoritative zone server. Although DNSSEC is an effective countermeasure to DNS cache poisoning attack, it still has low deployment rate in the Internet due to the significant workload increase on recursive DNS servers. Moreover, current DNSSEC operation does not cover end clients and the recursive DNS server separation has not been considered so that end users do not intend to use free and powerful public recursive DNS servers due to security concerns. In this paper, we propose a client based DNSSEC validation mechanism with recursive DNS server separation based on query types. DNSSEC related record types such as RRSIG, DNSKEY, DS, etc. will be forwarded to a trusted internal recursive DNS server while normal record types such as A, AAAA, MX, etc. will be forwarded to public recursive DNS server, and eventually, DNSSEC validation will be performed on end clients. Consequently, not only end clients can obtain the benefit of DNSSEC but also the workload increase of internal recursive DNS servers can be mitigated. We implemented a prototype system and evaluated the features on a local experimental network. Based on the results, we confirmed that the prototype system worked effectively and it is possible to prevent end clients from DNS cache poisoning attacks by the proposed mechanism.