Rami Al-Dalky, Michael Rabinovich, Mark Allman. Practical Challenge-Response for DNS. ACM Computer Communication Review, 48(3), July 2018.
PDF | Review
Abstract:
Authoritative DNS servers are susceptible to being leveraged in
denial of service attacks in which the attacker sends DNS
queries while masquerading as a victim---and hence causing the
DNS server to send the responses to the victim. This reflection
off innocent DNS servers hides the attacker's identity and often
allows the attackers to amplify their traffic by employing small
requests to elicit large responses. Several challenge-response
techniques have been proposed to establish a requester's
identity before sending a full answer. However, none of these
are practical in that they do not work in the face of "resolver
pools"---or groups of DNS resolvers that work in concert to
look up records in the DNS. In these cases a challenge
transmitted to some resolver R1 may be handled
by a resolver R2, hence leaving an
authoritative DNS server wondering whether R2
is in fact another resolver in the pool or a victim. We offer a
practical challenge-response mechanism that uses challenge
chains to establish identity in the face of resolver pools. We
illustrate that the practical cost of our scheme in terms of
added delay is small.
BibTeX:
@article{ARA18,
author = "Rami Al-Dalky and Michael Rabinovich and Mark Allman",
title = "{Practical Challenge-Response for DNS}",
journal = "ACM Computer Communication Review",
year = 2018,
volume = 48,
number = 3,
month = jul,
}
Rami presented a poster based on this paper at ANRW 2018. The
poster is available.