Secure Consensus Generation with Distributed DoH
This addresses a security problem for applications and protocols relying on DNS-based consensus, though it appears incremental as it builds on existing DoH technology.
The paper tackles the vulnerability of using plain DNS for server pool generation in consensus mechanisms, which was exploited in attacks against NTP and Chronos, by proposing a secure method using distributed DNS-over-HTTPS (DoH) resolvers that is backward-compatible.
Many applications and protocols depend on the ability to generate a pool of servers to conduct majority-based consensus mechanisms and often this is done by doing plain DNS queries. A recent off-path attack [1] against NTP and security enhanced NTP with Chronos [2] showed that relying on DNS for generating the pool of NTP servers introduces a weak link. In this work, we propose a secure, backward-compatible address pool generation method using distributed DNS-over-HTTPS (DoH) resolvers which is aimed to prevent such attacks against server pool generation.