ZeroDNS: Towards Better Zero Trust Security Using DNS.
ACSAC '22 Proceedings of the 38th Annual Computer Security Applications Conference (2022)
ASTAR
Abstract
Due to the increasing adoption of public cloud services, virtualization, IoT, and emerging 5G technologies, enterprise network services and users, e.g., a remote workforce, can be at any physical location. As a result, the network perimeter can no longer be defined precisely, making adequate access control with traditional perimeter-based network security models (e.g., firewall, DMZ) challenging. The Zero Trust (ZT) network access framework breaks with this traditional approach by removing the implicit trust in the network. ZT demands strong authentication, authorization, and encryption techniques irrespective of the physical location of the devices. While several prominent companies have embraced ZT (e.g., Google, Microsoft, Cloudflare), its adoption faces several obstacles. In this paper, we focus on three problems with the practical deployment of ZT. First, the DNS infrastructure, a critical entity in every network, does not adhere to ZT principles, i.e., anyone can access the DNS and resolve a domain name or leverage it with malicious intent. Second, ZT's authorization procedures require new entities in the network to authorize and verify access requests, which can result in changes to preferred network routes (hence requiring additional traffic engineering) and introduce potential bottlenecks. Third, ZT adds additional time cost, increasing the time-to-first-byte (TTFB). We propose ZeroDNS, wherein the control plane of Zero Trust is implemented using the DNS infrastructure, obviating the need for a separate entity to issue authorization tokens. Since the control plane is implemented using DNS, it reduces the number of round-trips authorized clients require before accessing an enterprise resource (e.g., a web service). Furthermore, we apply ZT principles to DNS, meaning access to DNS requires authentication, authorization, and encrypted communication.
ZeroDNS uses mutual TLS for DNS communication for authentication, and only permitted clients with valid certificates can query domain names. We implement ZeroDNS on top of NGINX, a reverse proxy typically used as a load-balancer in enterprise settings. We show that the additional packet processing time in ZeroDNS has a negligible impact on the overall name resolution latency, yet it decreases TTFB.
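The abstract states that ZeroDNS puts DNS behind mutual TLS on NGINX so that only clients holding a valid certificate can query names. The configuration below is an added illustration of the generic shape of such a gate, not the paper's own implementation: an NGINX stream server terminates DNS-over-TLS on port 853, demands a client certificate chaining to an enterprise CA, logs the presented identity, and only then forwards the query to an internal resolver. The certificate and key paths, the CA file name, the hostname and the resolver address are assumptions chosen for illustration.

```nginx
# Added example (not the paper's configuration): mutual-TLS-gated DNS-over-TLS
# front end. All file paths, the CA name and the resolver address are assumed.
stream {
    # Record which client certificate (if any) was presented, so DNS access can be audited.
    log_format dns_mtls '$remote_addr [$time_local] '
                        'verify=$ssl_client_verify dn="$ssl_client_s_dn" '
                        'bytes_in=$bytes_received bytes_out=$bytes_sent';

    server {
        listen 853 ssl;                          # DNS over TLS (TCP/853, RFC 7858)

        ssl_certificate     /etc/nginx/tls/dns.example.internal.crt;   # assumed path
        ssl_certificate_key /etc/nginx/tls/dns.example.internal.key;   # assumed path
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Mutual TLS: the client must present a certificate that chains to the
        # enterprise CA. Otherwise the handshake fails and no query is forwarded.
        ssl_client_certificate /etc/nginx/tls/enterprise-ca.crt;      # assumed path
        ssl_verify_client      on;
        ssl_verify_depth       2;

        access_log /var/log/nginx/dns_mtls.log dns_mtls;

        # Plain DNS on the resolver behind the proxy; bind it to loopback so that
        # the only path to it runs through this authenticated front end.
        proxy_pass 127.0.0.1:53;                 # assumed internal resolver address
    }
}
```

This fragment covers the authentication and encryption parts of the abstract's claim; it says nothing about per-client authorization (which names a given certificate may resolve) or about carrying Zero Trust control-plane data in DNS answers, both of which are the paper's contribution and not reproduced here. The `$ssl_client_verify` field in the log is the first thing to check when a client is unexpectedly refused: anything other than `SUCCESS` means the certificate, not the query, was rejected.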