Adaptive Deterrence of DNS Cache Poisoning

  • Sze Yiu Chau (corresponding author)
  • Omar Chowdhury
  • Victor Gonsalves
  • Huangyi Ge
  • Weining Yang
  • Sonia Fahmy
  • Ninghui Li
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 255)


Many long-lived network protocols were not designed with adversarial environments in mind; security is often an afterthought. Developing security mechanisms to protect such systems is challenging, since those mechanisms must maintain compatibility with existing implementations while minimizing deployment cost and performance overhead. The Domain Name System (DNS) is one noteworthy example: its lack of source authentication has made DNS susceptible to cache poisoning. Existing countermeasures often suffer from at least one of the following limitations: insufficient protection, modest deployment, complex configuration, or dependence on domain owners’ participation. We propose CGuard, an adaptive defense framework for caching DNS resolvers: CGuard actively tries to detect cache poisoning attempts and protects the cache entries under attack by updating them only through available high-confidence channels. CGuard’s defense is immediately deployable by caching resolvers without relying on domain owners’ assistance, and it is compatible with existing and future solutions. We have empirically demonstrated the efficacy of CGuard. We envision that, by taking away the attacker’s incentive to launch DNS cache poisoning attacks, CGuard turns the existence of high-confidence channels into a deterrent. Deterrence-based defense mechanisms can be applicable to other systems beyond DNS.
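The defensive pattern the abstract describes (detect a poisoning attempt against a cache entry, then refuse to update that entry except through a high-confidence channel) can be sketched as a small resolver-cache model. The code below is an added illustration written for this page; it is not CGuard's implementation or any code from the authors. The channel labels ("udp", "tcp", "dnssec"), the mismatch threshold and window, the protection period, and the constructed scenario in `simulate()` are all assumptions, chosen only to make the mechanism visible.

```python
"""Toy model of an adaptive resolver cache (added illustration, not CGuard's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed labels for the paths a resolver treats as high confidence.
HIGH_CONFIDENCE_CHANNELS = {"tcp", "dnssec"}


@dataclass
class Response:
    qname: str
    txid: int        # transaction ID the answer claims to match
    rdata: str
    channel: str     # "udp", "tcp" or "dnssec" (constructed labels)


@dataclass
class CacheEntry:
    rdata: str
    expires: float


class AdaptiveCache:
    def __init__(self, threshold: int = 3, window: float = 10.0, protect_for: float = 300.0):
        self.entries: Dict[str, CacheEntry] = {}
        self.pending: Dict[str, int] = {}             # qname -> txid of the in-flight query
        self.mismatches: Dict[str, List[float]] = {}  # qname -> times of forgery signals
        self.protected_until: Dict[str, float] = {}   # qname -> end of protection period
        self.threshold, self.window, self.protect_for = threshold, window, protect_for

    def send_query(self, qname: str, txid: int) -> None:
        self.pending[qname] = txid

    def is_protected(self, qname: str, now: float) -> bool:
        return now < self.protected_until.get(qname, -1.0)

    def receive(self, resp: Response, now: float, ttl: float = 60.0) -> str:
        expected = self.pending.get(resp.qname)
        if expected is None or resp.txid != expected:
            # Unsolicited or ID-mismatched answer: the observable trace of a forgery attempt.
            recent = [t for t in self.mismatches.get(resp.qname, []) if now - t <= self.window]
            recent.append(now)
            self.mismatches[resp.qname] = recent
            if len(recent) >= self.threshold:
                self.protected_until[resp.qname] = now + self.protect_for
            return "dropped:mismatch"
        if self.is_protected(resp.qname, now) and resp.channel not in HIGH_CONFIDENCE_CHANNELS:
            # A well-formed answer for a name under attack may still be a lucky guess;
            # only a high-confidence channel may (re)write the entry while it is protected.
            return "dropped:protected"
        self.entries[resp.qname] = CacheEntry(resp.rdata, now + ttl)
        self.pending.pop(resp.qname, None)
        return "cached"

    def lookup(self, qname: str, now: float) -> Optional[str]:
        e = self.entries.get(qname)
        return e.rdata if e and now < e.expires else None


def simulate() -> List[str]:
    """Constructed scenario: one name, a burst of forged answers, then recovery over TCP."""
    c = AdaptiveCache(threshold=3, window=10.0)
    out: List[str] = []
    c.send_query("www.example.com", txid=0x1234)
    out.append(c.receive(Response("www.example.com", 0x1234, "192.0.2.10", "udp"), now=0.0))
    # The entry expires; the resolver re-queries and forged answers with wrong IDs arrive.
    c.send_query("www.example.com", txid=0x5678)
    for i, guess in enumerate((0x1111, 0x2222, 0x3333)):
        out.append(c.receive(Response("www.example.com", guess, "198.51.100.1", "udp"), now=61.0 + i))
    # Even an answer carrying the correct ID is now refused over UDP...
    out.append(c.receive(Response("www.example.com", 0x5678, "198.51.100.1", "udp"), now=65.0))
    # ...while the genuine answer over a high-confidence channel is accepted.
    out.append(c.receive(Response("www.example.com", 0x5678, "192.0.2.10", "tcp"), now=66.0))
    out.append(c.lookup("www.example.com", now=67.0) or "")
    return out


if __name__ == "__main__":
    print(simulate())
```

The point of the model is the state transition: a name that has attracted a burst of mismatched answers is moved into a protected state in which the cheap, spoofable path can no longer write to it, so a forger gains nothing from continuing to guess. A real resolver would key the signal on more than the transaction ID (source port and 0x20 case are also checked in practice) and would bound the memory spent tracking signals per name.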



Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Sze Yiu Chau (1, corresponding author)
  • Omar Chowdhury (2)
  • Victor Gonsalves (1)
  • Huangyi Ge (1)
  • Weining Yang (3)
  • Sonia Fahmy (1)
  • Ninghui Li (1)
  1. Purdue University, West Lafayette, USA
  2. The University of Iowa, Iowa City, USA
  3. Google Inc., Mountain View, USA
