[Dnsmasq-discuss] DNS-Denial-of-Service protection via Distributed Hashtable

Rene Bartsch ml at bartschnet.de
Fri Aug 22 14:02:27 BST 2014


Hi,

because of the hierarchical structure of the DNS-system DDoS-attacks 
on nameservers or ISP-resolvers can make the internet unusable for 
Dnsmasq users.

Taking the huge number of Dnsmasq installations into account, nearly 
every DNS resource record is cached on a Dnsmasq node somewhere on this 
planet. If the Dnsmasq nodes connect to each other in a P2P-network they 
can even resolve records when upstream resolvers or upstream nameservers 
fail temporarily.

So I suggest mapping the DNSSEC-cache in Dnsmasq to a Kademlia DHT and 
exchanging DNSSEC-signed resource records via peer-2-peer.

What do you think?


-- 
Best regards,

Renne
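The sketch below is an added illustration of the proposal and is not code from the post or from Dnsmasq. It keys RRsets into a Kademlia-style 160-bit space (SHA-1 of canonical owner name and type, XOR distance, k closest nodes) and shows the property that makes peer exchange safe: a node accepts a record offered by an untrusted peer only if the record's signature validates against the zone key and the record is inside its validity window. Textbook RSA with constructed small primes stands in for DNSSEC RRSIG/DNSKEY validation; the peer IDs, timestamps and records are constructed as well.

```python
"""Toy model: DNSSEC-signed RRsets in a Kademlia-style DHT where peers are
untrusted and only validated records are used. Illustration only."""
import hashlib
from dataclasses import dataclass, replace

ID_BITS = 160  # Kademlia identifiers (node IDs and keys) are 160-bit


def _canonical(owner: str) -> str:
    return owner.lower().rstrip(".") + "."


def dht_key(owner: str, rrtype: str) -> int:
    """Map an RRset (canonical owner name + type) to a 160-bit DHT key."""
    digest = hashlib.sha1(f"{_canonical(owner)}|{rrtype.upper()}".encode()).digest()
    return int.from_bytes(digest, "big")


def closest_nodes(key: int, node_ids, k: int = 3):
    """Kademlia stores a value on the k nodes whose IDs are XOR-closest to the key."""
    return sorted(node_ids, key=lambda nid: nid ^ key)[:k]


# Constructed textbook-RSA keypair standing in for the zone's DNSKEY. Small
# primes keep the toy readable; real DNSSEC keys are far larger.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
ZONE_PUBLIC_KEY = (N, E)  # what a validating resolver learns via its trust anchor
ZONE_PRIVATE_KEY = (N, D)


@dataclass(frozen=True)
class SignedRRset:
    owner: str
    rrtype: str
    rdata: tuple
    inception: int   # RRSIG validity window (epoch seconds)
    expiration: int
    signature: int = 0

    def signed_bytes(self) -> bytes:
        # Everything the signature covers; any change here must invalidate it.
        fields = (_canonical(self.owner), self.rrtype.upper(),
                  "|".join(sorted(self.rdata)), str(self.inception), str(self.expiration))
        return "|".join(fields).encode()


def _digest_mod_n(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_rrset(rrset: SignedRRset, private_key) -> SignedRRset:
    n, d = private_key
    return replace(rrset, signature=pow(_digest_mod_n(rrset.signed_bytes(), n), d, n))


def validate_rrset(rrset: SignedRRset, public_key, now: int) -> bool:
    """Accept only records inside their validity window whose signature verifies."""
    n, e = public_key
    if not (rrset.inception <= now <= rrset.expiration):
        return False
    return pow(rrset.signature, e, n) == _digest_mod_n(rrset.signed_bytes(), n)


class PeerCache:
    """The DHT seen from one node: candidate records pushed by peers, trusted by nobody."""

    def __init__(self, public_key):
        self.public_key = public_key
        self.store = {}

    def offer(self, rrset: SignedRRset) -> None:
        self.store.setdefault(dht_key(rrset.owner, rrset.rrtype), []).append(rrset)

    def resolve(self, owner: str, rrtype: str, now: int):
        for candidate in self.store.get(dht_key(owner, rrtype), []):
            if validate_rrset(candidate, self.public_key, now):
                return candidate.rdata
        return None  # nothing usable; fall back to upstream resolution


def demo():
    now = 1_408_713_747  # constructed timestamp
    genuine = sign_rrset(SignedRRset("example.com", "A", ("192.0.2.1",),
                                     now - 3600, now + 86400), ZONE_PRIVATE_KEY)
    forged = replace(genuine, rdata=("198.51.100.7",))   # peer altered rdata, kept old signature
    expired = sign_rrset(replace(genuine, expiration=now - 10), ZONE_PRIVATE_KEY)
    cache = PeerCache(ZONE_PUBLIC_KEY)
    for record in (forged, expired, genuine):  # bad offers arrive first
        cache.offer(record)
    return cache.resolve("example.com", "A", now)


if __name__ == "__main__":
    print(demo())
```

The forged and expired offers sit in front of the genuine one in the peer store, yet only the genuine record is returned, which is the whole reason the proposal restricts exchange to DNSSEC-signed records: a peer can withhold a record, but it cannot make a validating node believe a record the zone never signed.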


