Optimizing Negative Caching for DNSSEC-Oblivious Resolvers

A large amount of DNS queries ask for error names or error records, and therefore they are negatively answered. Those negative responses, however, are sub optimally cached by today´s DNS and DNSSEC. This weakness of negative caching may exhibit low negative cache hit rate so as to be vulnerable to DoS/DDoS attacks utilizing name error queries. This paper proposes a high efficient Negative Caching for DNSSEC-Oblivious resolvers (NCDO). NCDO utilizes the concept of name space span featured by NSEC/NSEC3 record to indicate the coverage of domain name´s nonexistence. Under NCDO, the NSEC/NSEC3 records received to prove the non-existence of a name could be reused to prove the non-existence of any name in the name range it spans. So negative cache hit rate and thereby response time can be significantly improved in most cases. Compared with DNSSEC, it is light-weighted due to a stripping away of any crypto graphical operations such as key management, zone signing, and record authentication. The by products of NCDO include the enhanced cache consistency through cache consistency checking and proactive updating. Trace-driven simulations show the effectiveness of NCDO in promoting negative cache hit rate.