English

ss2DNS: A Secure DNS Scheme in Stage 2

Cryptography and Security 2025-06-27 v3

Abstract

The absence of security and privacy measures between DNS recursive resolvers and authoritative nameservers has been exploited by both on-path and off-path attackers. Although numerous security proposals have been introduced in practice and in the literature, they often face deployability barriers and/or lack a compelling set of security and privacy properties, resulting in limited adoption. We introduce ss2DNS, a novel DNS scheme designed to mitigate the security and privacy vulnerabilities in the resolution process between resolvers and authoritative nameservers, while preserving efficiency by maintaining a single round-trip. ss2DNS takes advantage of a hierarchical trust model that does not rely on entities external to DNS zones, and delegates nameserver replicas within each zone to serve zone data securely for short, renewable time intervals. This design enables real-time security properties for DNS messages without requiring the duplication of long-term private keys on replicas, thereby minimizing exposure to compromise. We implement a proof of concept of ss2DNS for evaluation and show that for server-side processing latency, resolution time, and CPU usage, ss2DNS is comparable to less-secure schemes but significantly outperforms DNS-over-TLS.

Keywords

Cite

@article{arxiv.2408.00968,
  title  = {ss2DNS: A Secure DNS Scheme in Stage 2},
  author = {Ali Sadeghi Jahromi and AbdelRahman Abdou and Paul C. van Oorschot},
  journal= {arXiv preprint arXiv:2408.00968},
  year   = {2025}
}

Comments

15 pages, 7 figures

R2 v1 2026-06-28T18:01:41.954Z