TY - GEN
T1 - Unilateral antidotes to DNS poisoning
AU - Herzberg, Amir
AU - Shulman, Haya
PY - 2012
Y1 - 2012
N2 - We investigate defenses against DNS cache poisoning focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or a proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge. We discuss limitations of the prominent resolver-only defenses, mainly port and IP randomisation, 0x20 encoding and birthday protection. We then present two new (unilateral) defenses: the sandwich antidote and the NAT antidote. The defenses are simple, effective and efficient, and can be implemented in a gateway connecting the resolver to the Internet. The sandwich antidote is composed of two phases: poisoning-attack detection and then prevention. The NAT antidote adds entropy to DNS requests by switching the resolver's IP address to a random address (belonging to the same autonomous system). Finally, we show how to implement the birthday protection mechanism in the gateway, thus allowing to restrict the number of DNS requests with the same query to 1 even when the resolver does not support this.
AB - We investigate defenses against DNS cache poisoning focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or a proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge. We discuss limitations of the prominent resolver-only defenses, mainly port and IP randomisation, 0x20 encoding and birthday protection. We then present two new (unilateral) defenses: the sandwich antidote and the NAT antidote. The defenses are simple, effective and efficient, and can be implemented in a gateway connecting the resolver to the Internet. The sandwich antidote is composed of two phases: poisoning-attack detection and then prevention. The NAT antidote adds entropy to DNS requests by switching the resolver's IP address to a random address (belonging to the same autonomous system). Finally, we show how to implement the birthday protection mechanism in the gateway, thus allowing to restrict the number of DNS requests with the same query to 1 even when the resolver does not support this.
KW - dns poisoning
KW - network security
KW - secure dns
UR - http://www.scopus.com/inward/record.url?scp=84869597435&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-31909-9_18
DO - 10.1007/978-3-642-31909-9_18
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:84869597435
SN - 9783642319082
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
SP - 319
EP - 336
BT - Security and Privacy in Communication Networks - 7th International ICST Conference, SecureComm 2011, Revised Selected Papers
T2 - 7th International ICST Conference on Security and Privacy in Communication Networks, SecureComm 2011
Y2 - 7 September 2011 through 9 September 2011
ER -