
MTDNS: Moving Target Defense for Resilient DNS Infrastructure

Abdullah Aydeger, Pei Zhou, Sanzida Hoque, Marco Carvalho, Engin Zeydan

TL;DR

This paper tackles DNS-based DDoS floods and the risk of legitimate packet loss in mitigation. It introduces MTDNS, a moving target defense that uses SDN to redirect traffic to on-demand backup DNS VNFs managed via NFV, with zone file synchronization. In experiments, MTDNS achieved near-100 percent DNS query completion under flood conditions and significantly lower latency compared to conventional setups, with mitigation typically within a couple of seconds. The work demonstrates a practical, flexible defense for SDN-enabled DNS infrastructures and suggests directions for extending to DNSSEC and DNS-over-TLS extensions.

Abstract

One of the most critical components of the Internet that an attacker could exploit is the DNS (Domain Name System) protocol and infrastructure. Researchers have been constantly developing methods to detect and defend against attacks on DNS, specifically DNS flooding attacks. However, most solutions discard packets as their defensive measure, which can cause legitimate packets to be dropped, making them highly dependent on detection strategies. In this paper, we propose MTDNS, a resilient MTD-based approach that employs Moving Target Defense techniques through Software Defined Networking (SDN) switches to redirect traffic to alternate DNS servers that are dynamically created and run under the Network Function Virtualization (NFV) framework. The proposed approach is implemented in a testbed environment by running our DNS servers as separate Virtual Network Functions, an NFV Manager, SDN switches, and an SDN Controller. The experimental results show that the MTDNS approach achieves a much higher success rate in resolving DNS queries and significantly reduces average latency even while a DNS flooding attack is in progress.

Paper Structure (14 sections, 3 figures, 2 tables, 2 algorithms)

This paper contains 14 sections, 3 figures, 2 tables, 2 algorithms.

Figures (3)

  • Figure 1: System Model
  • Figure 2: Controller Flow
  • Figure 3: Network Traffic in DNS Servers while MTDNS is running