JOURNAL OF COMPUTING, VOLUME 3, ISSUE 4, APRIL 2011, ISSN 2151-9617

HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 120

Securing DNS Using Elliptical Curve

Cryptography: An Overview
M. Junaid Arshad and M. Abrar

Abstract— Vital importance of domain name server demands it to be more robust against attacks. Due to the absence of any
good security model for DNS data, Domain Name Space has always been a good target for attacker. So there was a real need
of some security protocol that could provide utmost security to DNS. This work is a step to achieve this goal. Elliptical Curve
Cryptography is one of the most proficient methods of encryption. This model uses elliptic curve cryptography to provide
confidentiality, integrity and availability of DNS data and DNS resources. DNS queries and responses will be encrypted to make
it secure against DNS cache poisoning, DNS data spoofing, DoS and some other attacks.

Index Terms— Domain Name Server (DNS), Elliptical Curve Cryptography (ECC), IP, DNSKEY and Encruption

——————————  ——————————

1. INTRODUCTION AND PROBLEM STATEMENT

D OMAIN Name System [1] plays a very vital and

unnoticed role in the life of Internet. Its job starts
before any protocol starts working. When a client
enters the address of a website into address bar of Inter-
net explorer and presses enter key, its job starts. Human
can remember easily readable names of websites whereas
computers can only read and store binary data. So for
computers, it is not possible to store alphabetical charac-
ters. To solve this problem, websites are assigned IP ad-
dresses [10] which are 4-byte number and for the ease of
human, these IP addresses are converted into their cor-
responding alphabetical names or vice versa by the Do-
main Name System.
With continuous progress in Information Technology
and other fields, DNS experienced many attacks. These
attacks include DNS Cache Poisoning [7], DNS Data
Spoofing [3], DoS attacks and many more. Also attackers
can read the outgoing DNS data of a client and can attack
on client’s computer with a shadow server. So it shows
that confidentiality of DNS data is equally important with
all other safety measures.
In 1994 a package for DNS security was proposed [4] to
keep it safe from the vulnerabilities and attacks. This se-
curity package is known as DNSSEC. It introduced some
new Resource Records in DNS to provide authentication
of DNS data origin and integrity of DNS data. It uses
public key cryptography to keep DNS data secure and
safe from attackers. It also distributes the public key of
DNS data sender so that the receiver could authenticate
that the DNS data has been sent by the original sender
————————————————
 M. Junaid Arshad is with the Department of Computer Science & member them. Man can easily remember the names com-
Engineeirng, Unversity of Engineering and Technology, Lahore-Pakistan.
 M. Abrar is with the Department of Computer Science & Engineeirng,
Unversity of Engineering and Technology, Lahore-Pakistan.
not by any man in the middle. But in spite of all this,
DNSSEC does not provide protection against many types
of attacks. For example it does not provide the confiden-
tiality of DNS data and also it has no protection against
DoS attacks.
Due to the absence of any good security model for DNS
data [8], Domain Name Space has always been a good
target for attacker. So there was a real need of some secu-
rity protocol that could provide utmost security to DNS.
This work is a step to achieve this goal. In this work a
security model for DNS protection has been analyzed.
This model uses elliptic curve cryptography (ECC) to
provide availability, integrity and confidentiality of DNS
data and DNS resources. A brief introduction of all the
sections is given below.
Daniel J. Bernstein [2] proposed a new model of DNS
security. This new model uses Elliptic Curve Cryptogra-
phy to encrypt all DNS Resource Records. DNSCurve
enhances the DNS security [9] in a much better way as
compared to DNS-SEC. It provides some extra security
properties than the previous proposed models notably
confidentiality and authentication of both queries and
responses.
2. DNS OVERVIEW
All the addresses on the world of Internet use 4-byte
numbers. They are called IP ad-dresses. For example
2:1:1:2 is an IP address. Every resource either it is client,
server, router or some other, they are located using their
IP address. Machines easily understand these IP address
in binary form but for human, it is very difficult to re-
posed of their language alphabets. Now the problem
comes here is that how to relate an IP address to some-
thing human can remember and understand?

© 2011 Journal of Computing

http://sites.google.com/site/journalofcomputing/
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 4, APRIL 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
At beginning, the solution used for this problem was to
use a “hosts.txt” file. This file contained all the hostnames
and their corresponding addresses in use. All the names
in the file had to be unique and with the growing number
of Internet hosts, the size of this file increased. This in-
creasing size became a problem. There are other threats
too faced by this file which include hijacking by some
cracker or may be customized to readdress traffic from an
intentional target to sites hosting content that may be un-
pleasant or intrusive to the user or user’s computer sys-
tem.
Until the middle 1980’s, all the computers connected to
Internet used “hosts.txt” to find addresses of other hosts
when another system was proposed, much secure and
much reliable. This system is known as DNS, the Domain
Name System. DNS is globally distributed and removes
the single system dependability bottleneck. DNS is very
simple and has, so far, succeeded very well in being al-
most invisible. Most Internet users will never know that
DNS is working under the hood. It’s because the user has
to do nothing of DNS and all work is done for him by the
applications he uses e.g. a web browser [6].
2.1 DNS Network Structure
Domain Name System is structured in a tree like for-
mation and this tree is generally called Domain Name
Space. A general hierarchy of Domain Name Space is
shown in Figure 1. Every node in this tree has a label
called Domain Name. The information on DNS is orga-
nized and indexed according to these domain names.
Each sibling of each node should be unique to avoid colli-
sion. DNS can also be viewed in another perspective. In
this perspective Name Servers are viewed according to
their function that they perform in resolving the queries.
In the following, a brief introduction of them is given in
sections 2.2 and 2.3.
Fig. 1: DNS Hierarchy
121
2.2 DNS Cache
Every time a client wants to browse a webpage, it con-
tacts a Name Server first to get the IP address of that
webpage to know where it locates on the globe. This
communication between client and server takes only a
few hundred milliseconds and it seems to be very small
amount of time. But when the client needs to contact
Name Server again and again, this time adds up to make
a bigger amount. Hence in a big picture, there will be a
massive load on the network. On the other hand, if the
client tries to contact some Name Server later and Name
Server is down for some reason then the responses to the
queries may be very slow and it will be difficult to browse
the Internet.
Figure 2 shows a general functioning of DNS cache.
Cache Entries after before query
IP (www,myweb2.com)=2.3.4.6
IP (www,myweb.com) = ? 
Other Name Server
IP (www,myweb.com) = 2.3.4.5 
Cache Entries after new query
IP (www,myweb.com) = 2.3.4.5
IP (www,myweb3.com)=2.3.4.6
 
DNS Cache Server
IP (www,myweb.com)=? 
IP (www,myweb.com)=2.3.4.5
Client Local Cache
Fig. 2: Structure of DNS Cache
2.3 DNS Forwarder
The DNS Server that frontwards DNS queries to other
Name Server is called Forwarder. It sends the DNS que-
ries that it cannot resolve to other Name Servers. When a
DNS server is designated as a forwarder, it is responsible
to handle external traffic. In this way network load can be
reduced. A forwarder can be coupled with a cache to
store the external DNS information so that next time if it
has to resolve a query that it has done already, it will use
this cache to resolve that DNS queries. In this way, the
forwarder will resolve a good segment of external DNS
queries in less time and thus will reduce the response
time for clients and traffic on the network. Figure 3 shows
where a forwarder exists in Domain Name Space.
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 4, APRIL 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
Header
Question
Answer
Authority
Additional
Fig. 3: DNS Packet Structure
2.4 DSN Query Structure
Information sent on Internet travels in form of packets.
These packets have different structure for every different
protocol. Here we will talk only about DNS message for-
mat. DNS message format contains 5 sections, some of
which contain necessary information and others are op-
tional. These packets contain query made by client, re-
sponse sent by server, header of the packet which is most
important and contains all the necessary information
about the packet and many other information. Figure 2.4
shows a general look of DNS message format. A brief
explanation of all these message sections is given [6].
Fig. 4: DNS Packet Headre Structure
2.5 DSN Attack Types
Some of the attacks that can be made on DNS are given
below [1].
2.5.1 DNS Spoofing
Every Name Server tries to keep the response of every
query in its cache for the duration of TTL (Time to Live).
DNS can be spoofed by inserting the wrong information
in the cache with a long TTL so that the host is redirected
to this fake site instead of original one.
2.5.2 DNS Cache Poisoning
DNS Spoofing can be obtained by another way called
DNS Cache Poisoning [7]. The victim Name Server is
urged to make a query on attacker’s Name Server. In re-
sponse to the query, many other responses are also sent to
the victim Name Server to corrupt its cache. We can see
the working of this attack in Figure 2.9. Attacker makes a
request to DNS Cache Server that can be served only by
Name Server owned by attacker. The DNS Cache Server
122
does not have any entry to fulfill the request of attacker so
the only option is to contact the attacker’s own Authorita-
tive Name Server to acquire the IP address of the re-
quested page.
2.5.3 The Birthday Attack
It is based on a mathematical phenomenon called
Birthday Paradox which is stated as: If there are 23 per-
sons in a room then the probability that two of them were
born on the same day is greater than 50%; with 30 persons
the probability is greater than 70%. This attack type is
closely related to the DNS Cache Poisoning problem and
exploits a weakness discovered in BIND (Berkeley Inter-
net Domain Name). In its older versions, BIND used to
send multiple recursive DNS queries to the same IP ad-
dress. Keeping this behavior in mind, “Birthday Paradox”
can be used to ehance the chance of successful attack on a
Name Server by reducing the number of spoofed guesses
of the DNS query.
2.5.4 Denial of Service
A Denial of Service attack is used to destroy, shutdown
or exhaust the network resources of victim. In this attack
type, a huge amount of DNS requests is directed towards
victim Name Server. The packets sent to the Name Server
might look real but in actual they are not. A popular kind
of DoS attacks is Distributed Denial of Service (DDoS)
attack. In DDos attack, the victim is targeted with tens of
thousands of DNS requests by many senders at the same
time and its effect on the target is more severe than the
DoS attack.
2.5.5 Shadow Server
The shadow server has to be fast enough that it sends a
response to the victim’s computer before the answer from
the legitimate DNS server arrive because if the victim’s
computer gets an answer from the legitimate DNS server
then it stops listening and ignores the forged packets.
2.6 DSN SEC (Security)
Domain Name System lies in the bottom of Internet
and holds a very important role. The original implemen-
tations did not consist of the security of information that
it holds e.g. IP addresses and host names. With a gradual
increase in IP based applications, the need of making
DNS secure increased. Another factor pertaining to the
DNS vulner-abilities is that it was presented to be a public
database where the acceptance or restricting the access to
the information in the databases is not component of the
protocol. So some efforts were made for the security of
Domain Name System one of which is the Domain Name
System Security Extensions.
2.6.1 DNS-SEC Scope
The scope of DNSSEC can be summarized into three
services, key distribution, and data origin authentication
and authenticating of Names and Types that do not exist
[1].
 Data Origin Authentication
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 4, APRIL 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
 Key Distribution
 Authenticating Name and Type Non-Existence
2.6.2 DNS-SEC Resource Records
Security is DNS-SEC is based on the structure of Re-
source Records (RR) and a new set of RRs was defined to
hold the security information. A brief description of these
new RRs is given below [1].
 RRSIG - Resource Record SIGnature
 NSEC - Next SECure
 DS - Delegation Signer
 DNSKEY - DNS public KEY
2.6.3 Service not offered by DNS-SEC
DNS-SEC design viewpoint calls for every DNS data to
be public & uniformly replies to all queries. Accordingly,
neither confidentiality for inquiries/answers in not of-
fered, nor any type of access controlling list or other
means to distinguish inquiries. DNSSEC does not provide
any protection against Denial of Service (DoS) attacks.
Furthermore DNS-SEC [5] provides security only be-
tween the name servers. It does not provide any kind of
protection for the DNS traffic between client and name
server. So clients don’t have any services provided by
DNS-SEC for the security of their DNS queries.
3. ELLIPTIC CURE CRYPTOGRAPHY (ECC)
OVERVIEW
Question is why the use of elliptic curve cryptography
[12] is becoming a de-facto standard in the security cipher
system. In RSA (Rivest Shamir Adleman) Integer Factori-
zation (IF) can be resolved sub-exponentially and in ECC
the ECDLP-Elliptic Curve Discrete Logarithms Problem
can be resolved exponentially. ECC is nowadays consi-
dered more interesting than RSA [11] because there are
not sub-exponential algorithms able to resolve the ECDLP
problem. As a consequence the key size of the ECC sys-
tems is less than RSA systems for the same level of securi-
ty. This is a very important benets because we can use
elliptic curves to guarantee a high level of security in
many embedded systems like mobile phones, smart cards
and PDA (Personal Digital Assistant) where we have to
pay attention about power consumption and performance
[4].
Elliptic Curve Cryptography is believed to be perfect
for resources-constrained system since it offers additional
“security per bit” than other sorts of asymmetric crypto-
graphy. It has smaller key size compared to RSA algo-
rithm and it is also high speed as key sizes are short.
3.1 Advantages of ECC
As an asymmetric cryptographic key pair is used for
encryption and decryption, so these keys have some ma-
thematical relationship. This mathematical function might
be comparatively simple to compute in one direction, but
its inverse should be impossible to calculate. This proper-
123
ty that functions can only be computed in only one way
and not the other is used to compute key-pairs in all
asymmetric cryptographic systems including Elliptic
Curve Cryptography. There are three different problems
when keeping in mind the security of data.
 Cryptography includes encryption and its inverse
operation i.e. decryption
 The difficulty of an operation and its inverse opera-
tion increases with the increase in key length
 The processing power of computers increases every
one and half year according to Moore’s Law
4. DSNCURVE
Daniel J. Bernstein proposed a new model of DNS se-
curity. This new model uses Elliptic Curve Cryptography
to encrypt all DNS Resource Records. DNSCurve en-
hances the DNS security [9] in a much better way as com-
pared to DNS-SEC [5]. It provides some extra security
properties than the previous proposed models notably
confidentiality and authentication of both queries and
responses [3].
4.1 Characteristics of DNSCurve
DNSCurve provides many security features for DNS. It
provides three main security features known as CIA
which stands for Confidentiality, Integrity and Availabili-
ty.
4.2 DNSCurve for Clients
The DNS queries that a client sends to the name servers
and DNS responses that he will receive from name serv-
ers, will all be encrypted using high speed, high security
elliptic curve cryptography. This cryptographically re-
trieval of DNS resource records has several advantages
like:
Since the packets that computer sends or receives are
encrypted using elliptic curve cryptography, so if an at-
tacker manages to sniff network traffic, even then he will
not be able to understand the contents of packets. So DNS
queries and responses will remain confidential.
If an attacker succeeds in forging incoming DNS res-
ponses, even then he will not be able to fool computer.
Because as soon as DNSCurve enabled cache sees a pack-
et that is forged, it immediately drops the packet and
waits for the original packet. In this way client is made
secure against spoofing attacks.
Every client that wants to use Internet has to interact
with DNS first of all. Whenever he wants to browse In-
ternet, the first thing that he has to deal with is to get the
IP address of webpage. Once he gets the IP address then
he can easily connect to webpage with the help of other
protocols.
4.3 DNSCurve Cache
DNSCurve cache is very easy to use. User simply has to
upgrade his existing dnscache or PowerDNS Recursor or
MaraDNS or Nominum CNS or Unbound or BIND to the
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 4, APRIL 2011, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
cache that supports DNSCurve. He does not need any
extra configuration for this because when DNSCurve is
installed, dnscache will configure itself automatically. For
firewalls, DNSCurve queries and responses are like nor-
mal DNS packets so if a firewall is used to secure cache
from intruders, firewall will let these packets pass just
like normal DNS packets and no extra configuration is
required.
4.4 DNSCurve for DNS Data Administrtors
It is the responsibility of an authoritative name server
to provide a legitimate, authentic and original response to
a query for the zones for which it is authoritative. But it
might happen that a client receives forged DNS responses
and is directed to some other website instead of that the
client was intended to connect. As already discussed, to
avoid this problem DNS clients are expected to migrate to
DNS caches that use DNSCurve for the security of out-
going DNS traffic. So if name servers manage to send and
receive DNS packets with DNSCurve in some way then
they will easily communicate with DNSCurve enabled
clients and will ensure authentic and valid responses to
clients.
4.5 Cryptography Integration with DNS
DNSCurve is conceptually an integration of link-level
cryptography into DNS. DNSCurve is being designed
keeping in mind the requirements and limitations that
encryption and decryption of packets can face. As fire-
walls are used on many machines to stay safe and secure
from intruders and attackers, DNSCurve will also comply
with the limitations imposed by firewalls on DNS traffic.
Here is a small explanation about how DNSCurve is
made to easily settle with the current DNS system:
4.5.1 TXT Message Format
DNSCurve client can send all expanded query packets
in streamlined format because it knows that DNSCurve
server will easily handle all this traffic. However some-
times clients are behind the firewall. The firewall may not
expect any DNS packet format except than the simplest
DNS packet format.
4.5.2 Encoding of Public Keys
As DNSCurve uses public key cryptography for en-
cryption and decryption of DNS packets so all the nodes
using DNSCurve should have a public/private key pair.
Public key of every node should be distributed all over
the network. The distribution of public key can be done
by embedding it into a new Resource Record as is done in
DNS-SEC by using DNSKEY. But introducing a new RR
type creates interoperability problems and this would
require extensive software upgrades in all the name serv-
ers. This approach of introducing a new RR type can
create a mess. But this can be achieved by encoding pub-
lic keys of DNSCurve servers into their names.
4.5.3 Migration Mechanism
DNSCurve provides a migration path to smoothly
switch cryptographic suites in case of disaster. The magic
124
string uz5 in server names distinguishes DNSCurve
names not only from existing server names as discussed
above, but also from other DNS extension mechanisms
that may be added in future. For example, uz7 could be a
cryptographic system other than uz5.
5. CONCLUSIONS
In this work we presented the structure of DNS and
how it works to provide its services to end users, either
they are clients or servers, the possible and known securi-
ty threats and the solutions that have been proposed for
them until now. DNS is like a backbone in the Internet
structure but unfortunately there has not been any good
security model that could be used for securing DNS pack-
et from all known attacks.
From the work presented and all the material analyzed,
we can conclude that DNSCurve is the best solution at the
present time for most of the security features. It provides
Confidentiality and Integrity of DNS data and also it pro-
tects clients and servers from particular DoS attacks by
recognizing and droping forged DNS packets.
6. REFERENCES
[1] R. Arends, R. Austein, M. Larson, D. Massey, and S.
Rose, “Resource Records for the DNS Security Exten-
sions”, RFC 4034 (Proposed Standard), March 2005.
(Updated by RFC 4470)
[2] Daniel J. Bernstein, “Curve25519: New Diffie-Hellman
Speed Records”, Public Key Cryptography, 2006, 207–
228.
[3] Daniel J. Bernstein, “DNSCurve”, June 2009 (URL:
http://dnscurve.org )
[4] N. Koblitz, “Elliptic curve cryptosystems”, Mathemat-
ics of Computation 48, 1987, 203–209
[5] Hao Yang, Eric Osterweil, Dan Massey, Lixia Zhang,
“Deploying Cryptography in Internet-Scale Systems: A
Case Study on DNSSEC”, 2009
[6] Mockapetris, P., "Domain Names - Concepts and Facili-
ties", STD 13, RFC 1034, November 1987
[7] US-CERT, "Vulnerability note vu#800113: Multiple dns
implementations vulnerable to cache poisonings", No-
vember, 2009
[8] Eastlake, D., "DNS Operational Security Considera-
tions", RFC 2541, March 1999. (URL:
ftp://ftp.isi.edu/in-notes/rfc2541.txt )
[9] R. Arends, R. Austein, M. Larson, D. Massey, and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, 2005
[10] S. Deering , R. Hinden, “Internet Protocol, Version 6
(IPv6) Specification”, December 1998
(URL: http://www.ietf.org/rfc/rfc2460.txt)
[11] Song Y. Yan. "The Road Ahead", Cryptanalytic Attacks
on RSA, 2008
[12] A. Menezes, P. van Oorschot and S. Vanstone, Hand-
book of Applied Cryptography, CRC Press, 1997