DNSCurve: Usable security for DNS


Introduction
DNS users:
  • Why DNSCurve?
  • Installing DNSCurve
DNS data managers:
  • Why DNSCurve?
  • Installing DNSCurve
DNS implementors:
  • Caches
  • Forwarders
Protocol designers:
  • Cryptography
  • DNS integration
Attackers:
  • Forgery
  • Negative forgery
  • Replays
  • Query espionage
  • Database espionage
      + nsec3walker
  • CPU flooding
  • Amplification
      + dnssecamp

Introduction to DNSCurve

DNSCurve uses high-speed high-security elliptic-curve cryptography to drastically improve every dimension of DNS security:
  • Confidentiality: DNS requests and responses today are completely unencrypted and are broadcast to any attacker who cares to look. DNSCurve encrypts all DNS packets.
  • Integrity: DNS today uses "UDP source-port randomization" and "TXID randomization" to create some speed bumps for blind attackers, but patient attackers and sniffing attackers can easily forge DNS records. DNSCurve cryptographically authenticates all DNS responses, eliminating forged DNS packets.
  • Availability: DNS today has no protection against denial of service. A sniffing attacker can disable all of your DNS lookups by sending just a few forged packets per second. DNSCurve very quickly recognizes and discards forged packets, so attackers have much more trouble preventing DNS data from getting through. Protection is also needed for SMTP, HTTP, HTTPS, etc., but protecting DNS is the first step.

Despite its extremely high level of security, DNSCurve is very easy for software authors to implement, and very easy for administrators to deploy.

DNSCurve is part of a larger project to encrypt and authenticate all Internet packets. The techniques used in DNSCurve are easily adapted to other Internet protocols.

Version

This is version 2009.06.22 of the index.html web page.