Abstract
We investigate defenses against DNS cache poisoning focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or a proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge.
We discuss limitations of the prominent resolver-only defenses, mainly port and IP randomisation, 0x20 encoding and birthday protection. We then present two new (unilateral) defenses: the sandwich antidote and the NAT antidote. The defenses are simple, effective and efficient, and can be implemented in a gateway connecting the resolver to the Internet.
The sandwich antidote is composed of two phases: poisoning-attack detection and then prevention. The NAT antidote adds entropy to DNS requests by switching the resolver’s IP address to a random address (belonging to the same autonomous system). Finally, we show how to implement the birthday protection mechanism in the gateway, which restricts the number of outstanding DNS requests with the same query to 1 even when the resolver itself does not support this.
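As an added illustration of the gateway-side birthday protection described above (example code, not the paper's implementation), this assumes a hypothetical gateway that keys outstanding requests by (name, type) and a simplified model in which only the 16-bit transaction ID of each request is unpredictable to a spoofer:

```python
# Hypothetical gateway that sits between a resolver and the Internet and
# enforces birthday protection: while a query is in flight, identical
# queries are held back instead of being forwarded, so a spoofer never
# sees several outstanding requests for the same name at once.

class BirthdayProtectingGateway:
    def __init__(self, send_upstream):
        # send_upstream(key) forwards the query and returns its transaction ID
        self.send_upstream = send_upstream
        self.pending = {}          # (qname, qtype) -> (txid, [waiting clients])

    def client_query(self, client, qname, qtype):
        key = (qname.lower(), qtype)    # case-insensitive: same query either way
        if key in self.pending:
            # Already in flight: queue the client, do not send a second request.
            self.pending[key][1].append(client)
            return None
        txid = self.send_upstream(key)
        self.pending[key] = (txid, [client])
        return txid

    def upstream_response(self, qname, qtype, txid, answer):
        key = (qname.lower(), qtype)
        entry = self.pending.get(key)
        if entry is None or entry[0] != txid:
            # No outstanding query with this ID: a spoofed or stale answer, drop it.
            return []
        del self.pending[key]
        # Deliver the single upstream answer to every client that waited for it.
        return [(client, answer) for client in entry[1]]


def forgery_success_probability(outstanding, forgeries, space=2 ** 16):
    """Approximate chance that at least one of `forgeries` independently
    guessed transaction IDs matches one of `outstanding` distinct in-flight
    requests for the same query (assumption: only the 16-bit ID is random)."""
    per_guess = outstanding / space
    return 1.0 - (1.0 - per_guess) ** forgeries


if __name__ == "__main__":
    gw = BirthdayProtectingGateway(lambda key: 0x1234)   # constructed fixed ID
    gw.client_query("client-a", "www.example.com", "A")
    gw.client_query("client-b", "WWW.EXAMPLE.COM", "A")   # coalesced, not sent
    print(gw.upstream_response("www.example.com", "A", 0x1234, "192.0.2.1"))
    # With 256 outstanding requests a spoofer needs far fewer guesses than with 1.
    print(forgery_success_probability(256, 100), forgery_success_probability(1, 100))
```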
© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Herzberg, A., Shulman, H. (2012). Unilateral Antidotes to DNS Poisoning. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds) Security and Privacy in Communication Networks. SecureComm 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 96. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31909-9_18
DOI: https://doi.org/10.1007/978-3-642-31909-9_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31908-2
Online ISBN: 978-3-642-31909-9