What is it about?

The Domain Name System (DNS) is a critical component of the web. Recently, there has been significant progress towards DNS-over-TLS (DoT), which provides a secure communication channel between clients and DNS recursive resolvers. But what happens once the queries reach the resolver? In this paper, we present a new system that provides strong security and privacy guarantees from DNS recursive resolvers. To do this, we place the core components of the resolver inside a hardware-enforced Trusted Execution Environment (TEE), which isolates the resolver from other software on the system and provides strong technical assurances about its behavior. We implemented our design using Intel's Software Guard Extensions (SGX) and performed comprehensive security and performance evaluations. Our implementation is open source and available on GitHub.

Why is it important?

Operators of DNS-over-TLS recursive resolvers expend significant effort to assure their users of their trustworthiness. For example, Cloudflare has contracted independent auditors to audit the security and privacy guarantees of their DoT resolver. Our approach allows resolver operators to provide users with strong technical assurance of the resolver's precise behavior, which they can use to determine whether the resolver is trustworthy.

Read the Original

This page is a summary of: PDoT, ACM Transactions on Computing Education, March 2021, ACM (Association for Computing Machinery),
DOI: 10.1145/3431171.