The Domain Name System (DNS) has become the fundamental building block for navigating from names to resources on the internet. DNS has been employed continuously ever since its introduction in 1983, by essentially every internet-connected application and device that wants to interact online.
Emerging from an era where interconnection rather than information security was the primary motivation, DNS has gradually improved its security features. DNS has also gradually enhanced its navigational capabilities, as computing costs have decreased over the decades. And thanks to further developments that are now underway, new opportunities are available in both areas.
(Caveat: Certain concepts discussed in this document are protected by patents and patent applications assigned to Verisign.1)
Enhancing the DNS with Authenticated and Adaptive Resolution
The recent introduction of DNS encryption — which has focused so far primarily, and appropriately, on providing privacy and security benefits to end-users — has opened the door for further enhancements that can also provide security and navigational benefits to network operators, enterprises, applications and end-users alike.
These enhancements can add two new roles to DNS name servers that support DNS encryption:
- Authenticated resolution adds an enhanced security control point. With authenticated resolution, a name server returns a response to a requester if and only if the requester is authorized to receive the response, or ultimately, access the resources associated with the response.
- Adaptive resolution adds a new navigation capability. With adaptive resolution, the requester provides information about a user’s preferences, the user’s device, the information that the user is ultimately looking for, the user’s location, or the action that the user wants to perform. The name server then optimizes its response based on these additional details in order to both provide the best response and to minimize unnecessary subsequent transactions or computations.
Both technologies (collectively referred to as “AAR”) front-load operations that have conventionally been performed deeper in the transaction set (e.g., within a content delivery network, at a web server or as part of an application-layer function). They give DNS name servers an important new role in improving a network’s security and performance capabilities, providing a more efficient solution while minimizing an entity’s attack surface as well.
The technologies described here are primarily targeted for the interaction between clients and special-purpose recursive name servers (i.e., resolvers) that serve designated namespaces at the lower levels of the DNS hierarchy, such as those operated by enterprises and application providers.2
Figure 1 shows a conceptual architecture where the client — for instance, a VPN client, a browser, or an application — routes DNS queries for most domain names to an ordinary resolver. However, when the domain names belong to a designated namespace, the queries are routed to an AAR resolver that provides the additional functions described here.
The technologies may also be applied to the interaction between recursive resolvers and authoritative name servers at the lower levels of the DNS hierarchy. They are not intended for the root servers or the top-level domain (TLD) servers that Verisign currently operates.
Authenticated Resolution: Enhancing DNS as a Security Control Point
In typical deployments, the network addresses of security control points such as firewalls and virtual private networking (VPN) gateways — or the resources they protect — are published as DNS records. This is done so that devices and applications which know their names can locate and connect to (or through) them.
With conventional DNS resolution, this means that the network addresses of externally facing control points are visible to anyone who knows the name of the control point or resource and can reach its name server — legitimate users as well as attackers. This isn’t in line with today’s zero-trust architecture, which “treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorized.”
Authenticated resolution brings DNS resolution in line with zero-trust principles:
- The name server returns a response to a requester if and only if the requester is authorized to receive the information or ultimately access the associated resource.
With authenticated resolution, not only will attackers and other unauthorized requesters need to find a way through traditional network control points such as VPN gateways to get into the network, they’ll also need to discover these control points (i.e., their locations in the network), because they won’t be able to learn their addresses via DNS3. Further, custom responses can be crafted based on threat level: while authorized clients are directed to the “correct” address, unauthorized requesters can be directed to a non-existent user portal, a known bad actor deception environment, etc.
Adaptive Resolution: DNS as a New Navigation Capability
With conventional DNS resolution, the process of getting from a web address to the content of a web page involves two steps:
- The client obtains the network address of the host (in this case, a web server) identified in the web address.
- The application connects to the host at the specified network address and requests the web page at the specified web address.
The first step can be relatively fast thanks to high-performance DNS servers and caching of previous responses.
With conventional web optimization, the second step could in turn involve further steps:
- If the request is from a mobile device browser, then the web server might redirect the browser to another page (or even another server) that optimizes the user experience for mobile devices (e.g., screen size, connection speed and user interface) and features of the browser.
- The web page might need to be customized based on the user’s language, location, or other preferences.
These extra steps can introduce additional computing and communications requirements for both the client and the web server, often requiring web redirects and multiple additional DNS lookups before resolving the ultimate user-desired content.
Adaptive resolution avoids the additional processing by doing as much as possible up front, in DNS:
- The requester provides the name server information about a user’s preferences, the user’s device, the information that the user is ultimately looking for, the action that the user wants to perform, and an array of other useful attributes. The name server then optimizes its response based on these details.
With adaptive resolution, clients won’t need to wait for as many, or even any, additional steps after obtaining a network address from a name server in order to get to the resource of interest. The network address returned will automatically take the client to a version of the web content that is already customized for the user and their operating environment (e.g., device, app, location, etc.).
There are many ways that authenticated resolution could be applied, such as:
- An enterprise can help protect against unauthorized access to its VPN gateway or email server, by requiring that requesters first authenticate themselves to the DNS name server that provides the addresses of these resources, else the network addresses will not be disclosed.
- An online platform could similarly separate requesters that have been verified by the AAR name server, from those that haven’t (e.g., a banking or social media app where different network addresses are provided for authenticated members versus new users, versus non-application-originated DNS queries).
- A web site could separate paying users from free users.
- An enterprise could divert unauthorized or known bad actors to a honeypot or deception environment.
Authenticated resolution can also help defend against distributed denial-of-service (DDoS) attacks by keeping the actual addresses of resources away from unauthorized requesters.
With adaptive resolution, a web server operator can help speed up authorized access to its web pages.
As an example, an application could provide the name server detail about the user’s device and browser type as well as other attributes such as location. The name server could then return the network address of a web server hosting web pages that are optimized for this environment. The application could also provide the user’s language preferences, so the name server can return the network address of a language-optimized web server instance, a function that today often occurs many transactions deep in the process.
It’s worth remembering, as noted above, that the name server implementing adaptive resolution will typically be operated under the same administrative oversight as the web server itself — so the additional details wouldn’t be provided to yet another party, they’d effectively be provided to the same party as usual, just earlier in the process.
Adaptive resolution also offers the intriguing possibility that the name server could resolve every authorized request to a unique, virtual server instance, customized to the specific user and application. This approach would provide strong isolation between interactions with different users, both from a security and a performance perspective.
The benefits offered by authenticated resolution and adaptive resolution technologies are worthy of consideration as DNS encryption enters wider use in the internet ecosystem. Here are three reasons why:
- DNS encryption is reopening the software “stack” across the DNS architecture, an infrequent occurrence in the nearly four-decade history of the protocol, which makes it a good time to consider further changes to the feature set. (The last major reopening was the deployment of the DNS Security Extensions [DNSSEC] a decade ago.)
- DNS encryption offers standardized support for two of the main features that authenticated and adaptive resolution build on: client authentication and transport encryption.
- DNS encryption is facilitating an emerging DNS architecture where clients interact directly with enterprise- or application-specific resolvers. In this new architecture, the security and navigational features of authenticated and adaptive resolution can be directly applied end-to-end, on a per-client, per-enterprise / per-application basis.
Authenticated and adaptive resolution complete the story (at least for now) of the transition of DNS practice into a modern mode of operation based on principles such as zero trust. These technologies give DNS a new role in meeting network security and performance objectives, adding both a new security control point and a new navigation capability to network operators’ portfolios.
We look forward to further discussions on the new concepts described here and welcome any feedback.
1. These patents and patent applications include the following: U.S. Patent No. 8990356; U.S. Patent No. 10270755; U.S. Patent No. 10819697; U.S. Patent App. No. 17/062,147; EP Patent No. 2579539. ↩
2. One significant benefit of this architecture: The service provider for the protected resources will often be the same as the service provider for the AAR resolver that provides the address of those resources. This means the additional user details will just be sent earlier in the transaction stack— not to someone new.↩
3. This assumes, of course, that they can’t just guess the address, which is a motivation for IPv6 with its larger and potentially less predictable address space.↩