● Three important questions
○ How do attackers target DNS in general?
○ How do attackers spy on your DNS queries?
○ How do attackers forge DNS responses?
○ responses are authenticated but not encrypted (anyone on the path can still read queries and answers)
○ DNSSEC only signs RRs (resource-record sets); the query and the transport are unprotected
○ does not protect against DoS attacks directly
○ DNSSEC cannot protect against false assumptions
Introduction to DNSCurve
● Uses elliptic-curve cryptography, not RSA
● Designed by Daniel J. Bernstein
● Uses a particular elliptic curve, Curve25519
○ attacker's chance of success: 1 in 1000000000000000000000000000!
○ security level comparable to 3000-bit RSA
● What does DNSCurve do for me?
○ other aspects
uz5 followed by 51 base-32 characters: the server's 255-bit Curve25519 public key, carried as a 54-character label in its NS name
● What is sent to the server?
● How does the server open the box?
● What does the server send back?
○ The server
○ The cache
● Computing Curve25519 shared secrets for ten million servers: 10 mins
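The key-in-the-name trick and the shared-secret step above, worked through as an added example (this is not code from the slides or from DJB's DNSCurve implementation). It implements X25519 scalar multiplication in pure Python per RFC 7748, encodes a server public key as a `uz5` NS label and decodes it again on the resolver side, then derives the same shared secret at both ends. The base-32 alphabet `0123456789bcdfghjklmnpqrstuvwxyz` and little-endian bit order are taken from the DNSCurve implementation notes as I recall them; verify against the spec before relying on it for interoperability. The real protocol then uses this secret with crypto_box (XSalsa20-Poly1305) to seal the query; that part is deliberately left out here.

```python
import secrets

# --- X25519 per RFC 7748 (pure Python, fine for a demo, not constant-time) ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")  # u = 9


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder: returns scalar * u as a 32-byte little-endian u-coordinate."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # top bit is ignored
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P; aa = a * a % P
        b = (x2 - z2) % P; bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P; d = (x3 - z3) % P
        da = d * a % P; cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# --- DNSCurve name encoding: "uz5" + 51 base-32 chars (5 bits each = 255 bits) ---
DNSCURVE_B32 = "0123456789bcdfghjklmnpqrstuvwxyz"  # assumption: DNSCurve alphabet


def key_to_name(pk: bytes) -> str:
    """Encode a 32-byte Curve25519 public key as the NS label DNSCurve servers publish."""
    n = int.from_bytes(pk, "little")
    if len(pk) != 32 or n >> 255:
        raise ValueError("expected a 255-bit Curve25519 public key")
    # little-endian: character i carries bits 5*i .. 5*i+4 of the key
    return "uz5" + "".join(DNSCURVE_B32[(n >> (5 * i)) & 31] for i in range(51))


def name_to_key(label: str) -> bytes:
    """Resolver side: recognise a uz5 label and recover the server's public key."""
    if len(label) != 54 or not label.startswith("uz5"):
        raise ValueError("not a DNSCurve uz5 label")
    n = 0
    for i, ch in enumerate(label[3:]):
        n |= DNSCURVE_B32.index(ch) << (5 * i)  # ValueError on a non-alphabet char
    return n.to_bytes(32, "little")


def dnscurve_handshake(server_sk: bytes, client_sk: bytes):
    """Both sides of the key agreement. The only thing the client ever needs from
    DNS is the server's NS name; no extra records, no out-of-band key fetch."""
    server_pk = x25519(server_sk, BASEPOINT)
    ns_label = key_to_name(server_pk)            # published by the zone owner
    recovered_pk = name_to_key(ns_label)         # parsed by the cache from the NS name
    client_pk = x25519(client_sk, BASEPOINT)     # sent to the server in the query
    client_secret = x25519(client_sk, recovered_pk)
    server_secret = x25519(server_sk, client_pk)  # server "opens the box" with this
    return ns_label, client_secret, server_secret


if __name__ == "__main__":
    srv, cli = secrets.token_bytes(32), secrets.token_bytes(32)
    label, cs, ss = dnscurve_handshake(srv, cli)
    print("NS label:", label + ".example.")
    print("secrets match:", cs == ss)
```

The RFC 7748 Diffie-Hellman vectors (section 6.1) make a good self-check for the ladder: feeding the published private keys in as `server_sk` and `client_sk` must reproduce the published public keys and shared secret; if they do, the encoding layer is the only part left to verify against a real DNSCurve server.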
DNSCurve: How to get it
● Simply upgrade your DNS cache
○ dnscache
○ BIND
○ PowerDNS Recursor
○ Nominum
○ MaraDNS
○ Unbound
● No extra cache configuration is required.
● No extra firewall configuration is required
● Network bandwidth remains essentially unchanged
● ISP's DNS vs. Cache DNS (side benefits)
● Daily copies of root zone (side benefits)
○ allows DNS administrators to protect existing installations without patching
● DNSCrypt from OpenDNS
○ protects the channel between OpenDNS and its users
○ for common services like DNS, SSH, HTTP, and
References and bibliography
2. Daniel J. Bernstein, "Curve25519: new Diffie–Hellman speed records", 2006
3. NSA, "The Case for Elliptic Curve Cryptography"
4. Adam Langley, "What a difference a prime makes"
5. CurveProtect software (experimental)
6. "DNS Cache Poisoning: Definition and Prevention"
The slides are published under a permissive license (Creative Commons: BY-SA)