
Unilateral Antidotes to DNS Poisoning

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2011)

Abstract

We investigate defenses against DNS cache poisoning focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or a proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge.

We discuss limitations of the prominent resolver-only defenses, mainly port and IP randomisation, 0x20 encoding and birthday protection. We then present two new (unilateral) defenses: the sandwich antidote and the NAT antidote. The defenses are simple, effective and efficient, and can be implemented in a gateway connecting the resolver to the Internet.

The sandwich antidote is composed of two phases: poisoning-attack detection and then prevention. The NAT antidote adds entropy to DNS requests by switching the resolver’s IP address to a random address (belonging to the same autonomous system). Finally, we show how to implement the birthday protection mechanism in the gateway, which restricts the number of outstanding DNS requests with the same query to 1 even when the resolver itself does not support this.
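As an added illustration of the gateway-side birthday protection described above (example code, not the paper's own implementation): the gateway keeps a table of in-flight questions, forwards only one upstream request per (name, type, class) until the matching reply arrives or the entry times out, and drops duplicates meanwhile, so a spoofer never has more than one transaction ID to race. The 2-second timeout and the `build_message` helper used to construct sample packets are assumptions.

```python
import struct
def parse_question(pkt: bytes):
    """Return (txid, is_response, qname, qtype, qclass) of a one-question DNS message."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while pkt[off] != 0:                      # question names carry no compression pointers
        length = pkt[off]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    qtype, qclass = struct.unpack("!HH", pkt[off + 1:off + 5])
    # Lower-case the key so 0x20-encoded variants of one query share the same slot.
    return txid, bool(flags & 0x8000), ".".join(labels).lower(), qtype, qclass

class BirthdayGuard:
    """In-flight table enforcing at most one outstanding upstream request per question."""
    def __init__(self, timeout: float = 2.0):      # timeout value is an assumption
        self.timeout = timeout
        self.inflight = {}                    # (qname, qtype, qclass) -> (txid, expiry)

    def should_forward(self, pkt: bytes, now: float) -> bool:
        """True if the resolver's query may leave the gateway; duplicates are dropped."""
        txid, is_resp, qname, qtype, qclass = parse_question(pkt)
        key = (qname, qtype, qclass)
        entry = self.inflight.get(key)
        if is_resp or (entry is not None and entry[1] > now):
            return False
        self.inflight[key] = (txid, now + self.timeout)
        return True

    def accept_response(self, pkt: bytes, now: float) -> bool:
        """Pass a reply inward only if it matches the single outstanding request, then free the slot."""
        txid, is_resp, qname, qtype, qclass = parse_question(pkt)
        entry = self.inflight.get((qname, qtype, qclass))
        if not is_resp or entry is None or entry[1] <= now or entry[0] != txid:
            return False
        del self.inflight[(qname, qtype, qclass)]
        return True

def build_message(txid: int, name: str, qtype: int = 1, response: bool = False) -> bytes:
    """Constructed helper for testing: a minimal one-question DNS message in wire format."""
    wire = struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00" + struct.pack("!HH", qtype, 1)
```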




Copyright information

© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Herzberg, A., Shulman, H. (2012). Unilateral Antidotes to DNS Poisoning. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds) Security and Privacy in Communication Networks. SecureComm 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 96. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31909-9_18


  • DOI: https://doi.org/10.1007/978-3-642-31909-9_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31908-2

  • Online ISBN: 978-3-642-31909-9

  • eBook Packages: Computer Science (R0)
