Identification for nodes on the Internet can take the form of a domain name, such as “cisco.com”. Alternatively, nodes can be identified using an Internet Protocol (IP) address, such as “198.133.219.25” (IPv4) or “2001:db8:1756:5:d90:e6bf:fe35:46cf” (IPv6). The IP address is the form of identification that is actually used for enabling communication through standard Internet equipment. Thus, when a user or a computer program specifies an identifier in the form of a domain name, the identifier needs to be translated into an IP address before communication takes place. This translation is typically done with the assistance of a domain name system (DNS) server, also known as a name server. A DNS lookup request (also known as a DNS query, or DNS resolution request) is sent to the DNS server. The lookup request indicates the domain name that needs to be translated. The DNS server responds to the lookup request with a DNS lookup reply (also known as a DNS reply or DNS resolution) that includes responsive information for the lookup request. The responsive information can include the corresponding IP address for that domain name, or information on how to obtain that address from a different DNS server, or a “not found” notice, or an error message, or other information.
Although the domain name format requires this extra step of translation, it is widely used for several reasons. First, it is generally easier for users to remember a domain name than to remember the corresponding IP address. Second, an owner of the domain may wish to move the domain from one computer site to another. When such moves occur, the IP address of the domain generally changes but the domain name stays the same. Thus, customers and other users do not need to be apprised of the new IP address; it is sufficient for users to continue using the familiar domain name.
The correspondence between IP addresses and domain names is stored in DNS servers, which provide DNS lookup services. Rather than using a single point of reference, the Internet uses a variety of authoritative DNS servers as the defining sources of information regarding translation between domain names and IP addresses. Each authoritative DNS server is assigned responsibility for a set of domain names, and can sub-assign some responsibilities to other authoritative DNS servers.
In addition to the authoritative DNS servers, additional computers can also provide translation information between domain names and IP addresses. Such computers can operate a local (non-authoritative) DNS server to support their local environments, such as a corporate/enterprise environment, an Internet service provider's (ISP) customer base, or other groups of subscribers or users.
A local DNS server can obtain translation information from the authoritative servers, either directly or through other local DNS servers. The local DNS server's users or subscribers can query the local DNS server when a translation is needed. The deployment of local DNS servers allows for faster lookups and mitigates the load that would otherwise be placed on the authoritative DNS servers.
Communication between DNS servers and their users needs to be secure, to avoid cache poisoning, DNS redirects, spoofing, man-in-the-middle attacks, and other compromises of DNS replies that are sent to the users. Thus, ISPs and other corporate environments or enterprises may deploy their own local DNS servers that are directly accessible to their users. Such measures may partly mitigate the risk of interference by a malicious party. Nonetheless, it would be beneficial to have techniques for protecting this communication in a manner that supports detection of compromises.
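As an added example that is not part of the original text, the following Python builds the lookup request and reply described above in DNS wire format and shows the basic check a resolver applies before trusting a reply: the transaction ID and question section must echo the outstanding query, otherwise the reply is treated as a possible spoof. The transaction ID, the record TTL and the reply contents are constructed values.

```python
import struct

# Constructed example (added here, not from the original text): a DNS lookup
# request, a reply carrying either an IPv4 address or a "not found" (NXDOMAIN)
# code, and the reply-validation step that detects a mismatched (spoofed) reply.

def encode_name(name):
    """Encode "cisco.com" as DNS labels: \\x05cisco\\x03com\\x00."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(txid, name, qtype=1):
    """Build a lookup request (header + question) for an A record (qtype=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_reply(txid, name, rcode=0, ipv4=None):
    """Constructed reply: rcode 0 with one A record, rcode 3 for NXDOMAIN, etc."""
    ancount = 1 if ipv4 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)  # QR,RD,RA
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)
    if ipv4:
        rdata = bytes(int(o) for o in ipv4.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name pointer
    return msg

def parse_reply(msg, query):
    """Validate the reply against the outstanding query, then extract the answer.
    Returns ("ok", ip), ("nxdomain", None) or ("error", rcode); raises on mismatch."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    q_txid = struct.unpack("!H", query[:2])[0]
    # Anti-spoofing check: transaction ID and question must echo the query exactly.
    if txid != q_txid or msg[12:len(query)] != query[12:]:
        raise ValueError("reply does not match outstanding query (possible spoofing)")
    rcode = flags & 0x0F
    if rcode == 3:
        return ("nxdomain", None)
    if rcode != 0:
        return ("error", rcode)
    pos = len(query)  # answer records start right after the echoed question
    for _ in range(an):
        if msg[pos] & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pos += 2
        else:  # uncompressed name: walk the labels to the terminating zero
            while msg[pos] != 0:
                pos += msg[pos] + 1
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            return ("ok", ".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return ("error", -1)
```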