Unilateral antidotes to DNS poisoning

Amir Herzberg, Haya Shulman

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

7 Scopus citations

Abstract

We investigate defenses against DNS cache poisoning focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or a proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge. We discuss limitations of the prominent resolver-only defenses, mainly port and IP randomisation, 0x20 encoding and birthday protection. We then present two new (unilateral) defenses: the sandwich antidote and the NAT antidote. The defenses are simple, effective and efficient, and can be implemented in a gateway connecting the resolver to the Internet. The sandwich antidote is composed of two phases: poisoning-attack detection and then prevention. The NAT antidote adds entropy to DNS requests by switching the resolver's IP address to a random address (belonging to the same autonomous system). Finally, we show how to implement the birthday protection mechanism in the gateway, thus allowing to restrict the number of DNS requests with the same query to 1 even when the resolver does not support this.

Original languageEnglish
Title of host publicationSecurity and Privacy in Communication Networks - 7th International ICST Conference, SecureComm 2011, Revised Selected Papers
Pages319-336
Number of pages18
DOIs
StatePublished - 2012
Event7th International ICST Conference on Security and Privacy in Communication Networks, SecureComm 2011 - London, United Kingdom
Duration: 7 Sep 20119 Sep 2011

Publication series

NameLecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
Volume96 LNICST
ISSN (Print)1867-8211

Conference

Conference7th International ICST Conference on Security and Privacy in Communication Networks, SecureComm 2011
Country/TerritoryUnited Kingdom
CityLondon
Period7/09/119/09/11

Keywords

  • dns poisoning
  • network security
  • secure dns

Fingerprint

Dive into the research topics of 'Unilateral antidotes to DNS poisoning'. Together they form a unique fingerprint.

Cite this