Toshio Murakami, Kenta Shimabukuro, Nao Sato, Rei Nakagawa, Yong Jin, Nariyoshi Yamai
2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC), pp. 1121-1126, 2023
The Domain Name System (DNS) plays an important and indispensable role in supporting the modern Internet. However, when DNS messages are not encrypted, malicious third parties can exploit the communication channel to carry out phishing scams and malware infections. Several countermeasures against this issue already exist, such as Domain Name System Security Extensions (DNSSEC), which guarantees the validity of DNS resource records by adding digital signatures to DNS messages, and DNS over TLS (DoT), which encrypts part of the communication channel of the domain name resolution process. However, each of these solutions has its own merits and drawbacks, and neither has been deployed on a global scale. Therefore, this paper proposes a trustworthy domain name resolution method that uses TLS certificates with DoT-enabled authoritative DNS servers. Specifically, DoT-based name resolution is extended to authoritative DNS servers, and certificate validation is performed on the end terminals. Moreover, the domain name resolution process is accelerated by having the end terminal obtain the certificates via the DNS full-service resolver. The evaluation results confirmed that the prototype system worked as designed, and it is expected to provide a trustworthy domain name resolution service with privacy preservation.