Unveiling the Weak Links: Exploring DNS Infrastructure Vulnerabilities and Fortifying Defenses

In the past decades, DNS has gradually risen into one of the most important systems on the Internet. Malicious actors have long misused it in reflection and amplification DDoS attacks, but given its criticality, DNS quickly became an attractive attack target itself. There appeared a number of activities that make use of domain names and the DNS protocol to perform illegal actions, collectively referred to as DNS abuse. In this paper, we measure the landscape of DNS infrastructure vulnerabilities across millions of recursive resolvers and authoritative nameservers. We enumerate domain names deploying cache poisoning protection (DNSSEC), email authentication (SPF/DMARC), and resolvers accepting DNS requests from arbitrary clients. We show that DNS infrastructure is not sufficiently protected against cybersecurity threats and propose a set of recommendations to mitigate the existing problems. Conducted in the frame of a European Commission project, our findings will be considered for inclusion in the upcoming European Union legislation on cybersecurity.