DNS is vulnerable to cache poisoning attacks, in which an attacker issues a query to a caching resolver and then sends a spoofed reply to that query, racing the genuine answer. Historically, an attacker only needed to guess a predictable, or more recently a 16-bit pseudorandom, transaction ID in order to succeed. The Kaminsky attack [7] demonstrated successful poisoning attacks that required only 6 seconds on typical networks. Since then, source port randomization (SPR) has been used for additional protection. Nevertheless, E. Polyakov demonstrated successful poisoning attacks against SPR on a Gigabit network, taking on the order of 10 hours. Even with slower network speeds, an attack is likely to succeed in a moderate time period. DNSSEC [3] will provide a strong countermeasure to poisoning as well as other attacks against the DNS. However, until DNSSEC is actually deployed, additional countermeasures that can be deployed in the near term are needed. In this paper, we describe a new approach based on detecting a poisoning attack and then sending an additional request for the same DNS Resource Record. Since the defense is activated only when attacks occur, we expect the performance impact to be minimal. The countermeasure requires no changes to the DNS standards and only requires modifications to the caching server; thus it can be deployed incrementally in order to obtain immediate security benefits. We show that our proposed defense makes poisoning attacks substantially more difficult. We have implemented the countermeasure as a local proxy for the BIND caching server, and our tests show that the performance impact is minimal.
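The following simulation is an added example, not the paper's BIND proxy or any code from its authors. It models the detect-then-re-query idea in the abstract under two assumptions that are mine, not the paper's: a reply whose transaction ID or destination port does not match an outstanding query is taken as the attack signal (a genuine authoritative reply always echoes both), and an answer received while a name is under attack is cached only if a second, independently identified query returns the same data. The names, addresses and the attacker's "lucky guess" are constructed test data.

```python
"""Simulated caching resolver with a detect-then-re-query poisoning defense.

Added example (not the paper's implementation). Models 16-bit transaction IDs
plus source port randomization, a reply-flooding attacker, and the defense:
a mismatched reply marks the name as under attack, after which an answer is
accepted only if a fresh query for the same RR returns identical data.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    qname: str
    txid: int    # 16-bit DNS transaction ID
    sport: int   # randomized UDP source port (SPR)


@dataclass(frozen=True)
class Reply:
    qname: str
    txid: int
    dport: int   # port the reply is addressed to; must equal the query's sport
    rdata: str


class CachingResolver:
    def __init__(self, rng, confirm_on_attack=True):
        self.rng = rng
        self.confirm_on_attack = confirm_on_attack
        self.cache = {}            # qname -> rdata accepted into the cache
        self.pending = {}          # qname -> outstanding Query
        self.candidate = {}        # qname -> first matching answer awaiting confirmation
        self.under_attack = set()  # qnames for which a forged reply was observed
        self.stats = {"forged": 0, "requeries": 0, "rejected": 0}

    def send_query(self, qname):
        q = Query(qname, self.rng.randrange(1 << 16), self.rng.randrange(1024, 1 << 16))
        self.pending[qname] = q
        return q

    def receive(self, reply):
        """Process one reply; return the rdata cached by this reply, or None."""
        q = self.pending.get(reply.qname)
        if q is None:
            return None  # unsolicited or already resolved: ignore
        if reply.txid != q.txid or reply.dport != q.sport:
            # Assumption: a genuine server echoes ID and port exactly, so a
            # mismatch is a forgery attempt and is the attack signal.
            self.stats["forged"] += 1
            self.under_attack.add(reply.qname)
            return None
        del self.pending[reply.qname]
        if not (self.confirm_on_attack and reply.qname in self.under_attack):
            self.cache[reply.qname] = reply.rdata  # no attack seen: cache as usual
            return reply.rdata
        # Attack observed: a single matching reply is not trusted on its own.
        first = self.candidate.pop(reply.qname, None)
        if first is None:
            self.candidate[reply.qname] = reply.rdata
            self.stats["requeries"] += 1
            self.send_query(reply.qname)  # ask again with a fresh ID and port
            return None
        if first == reply.rdata:
            self.cache[reply.qname] = reply.rdata
            return reply.rdata
        # Two independently identified answers disagree: at least one was
        # forged, so neither is cached (the name stays unresolved here).
        self.stats["rejected"] += 1
        return None


LEGIT = "192.0.2.10"      # constructed: the genuine answer (TEST-NET-1)
FORGED = "198.51.100.66"  # constructed: the attacker's answer (TEST-NET-2)


def wrong_guess(rng, q):
    """A blind guess that is guaranteed not to match q (as a real blind guess
    almost never does): txid offset by 1..65535, random port."""
    return Reply(q.qname, (q.txid + 1 + rng.randrange(0xFFFF)) & 0xFFFF,
                 rng.randrange(1024, 1 << 16), FORGED)


def simulate(confirm_on_attack, guesses=50, lucky=False, seed=1):
    """Attacker floods `guesses` forged replies at one query. With lucky=True
    the last forged reply carries the real ID and port (the attacker wins the
    race); otherwise the genuine reply arrives after the flood. Returns the
    cached rdata for the name (or None) and the resolver's counters."""
    rng = random.Random(seed)
    r = CachingResolver(rng, confirm_on_attack)
    name = "www.example.com."  # constructed
    q = r.send_query(name)
    for i in range(guesses):
        if lucky and i == guesses - 1:
            r.receive(Reply(name, q.txid, q.sport, FORGED))  # the one correct guess
        else:
            r.receive(wrong_guess(rng, q))
    if not lucky:
        r.receive(Reply(name, q.txid, q.sport, LEGIT))
    # If the resolver re-queried, the attacker does not know the fresh ID and
    # port, so only blind guesses and the genuine reply reach the second query.
    q2 = r.pending.get(name)
    if q2 is not None:
        for _ in range(guesses):
            r.receive(wrong_guess(rng, q2))
        r.receive(Reply(name, q2.txid, q2.sport, LEGIT))
    return r.cache.get(name), r.stats


if __name__ == "__main__":
    for confirm in (False, True):
        for guesses, lucky in ((0, False), (50, False), (50, True)):
            print(f"confirm={confirm} guesses={guesses} lucky={lucky}:",
                  simulate(confirm, guesses, lucky))
```

With no attack the resolver issues no extra query, which is the "activated only when attacks occur" property; under a flood it costs exactly one re-query per poisoned name, and a lucky forged answer is rejected because the second query returns different data. The residual risk is an attacker whose very first forged reply matches before any mismatch has been seen, which this scheme cannot detect; that is why it complements rather than replaces ID and port randomization.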