In this talk, we analyze the BGP routes leading to root and generic Top Level Domain (gTLD) DNS servers and explore a protection mechanism for these critical routes. A fault or attack that creates a false route to these servers could deny access to millions of DNS zones or incorrectly redirect DNS queries to a malicious impostor. However, the temporary loss of a single server can be tolerated by the DNS.

Our approach is to apply BGP AS path filters that make the BGP routes to these critical servers less dynamic. This provides strong protection against false routes, but some potentially valid back-up routes can be rejected. We have validated our design against over one year of BGP route logs from nine diverse ISPs. Our results show that routers using our AS path filtering could effectively detect the insertion of invalid routes, while maintaining reachability to the top level DNS servers.