We investigate defenses against DNS cache poisoning, focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge. We discuss limitations of the prominent resolver-only defenses, mainly port and IP randomisation, 0x20 encoding and birthday protection. We then present two new (unilateral) defenses: the sandwich antidote and the NAT antidote. The defenses are simple, effective and efficient, and can be implemented in a gateway connecting the resolver to the Internet. The sandwich antidote is composed of two phases: poisoning-attack detection followed by prevention. The NAT antidote adds entropy to DNS requests by switching the resolver's IP address to a random address (belonging to the same autonomous system). Finally, we show how to implement the birthday protection mechanism in the gateway, which makes it possible to restrict the number of outstanding DNS requests with the same query to one even when the resolver itself does not support this.
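To make the gateway-side mechanisms named above concrete, the following Python model is added here as an illustration; it is not code from the paper. It shows a gateway that (a) enforces birthday protection by forwarding at most one upstream copy of any outstanding question and queuing further stub requests for the same question, (b) applies 0x20 encoding and a random source port, and (c) picks a random egress address from a configured prefix in the spirit of the NAT antidote, then rejects any "response" that does not match an outstanding request on all of these values. The egress prefix 192.0.2.0/24, the `Gateway`, `Query` and `Response` names, and the simplified message records are assumptions for illustration; a real gateway would parse wire-format DNS and rewrite packets.

```python
"""Model of gateway-side DNS anti-poisoning: birthday protection plus
0x20 encoding, source-port and source-address randomisation.
Illustrative code, not the paper's implementation."""
import ipaddress
import random
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Query:
    """Upstream copy of a question as the gateway sent it (wire case kept)."""
    qname: str      # 0x20-encoded name exactly as sent upstream
    qtype: str
    txid: int       # 16-bit transaction ID chosen by the gateway
    src_ip: str     # randomised egress address (NAT-antidote style)
    src_port: int   # randomised source port


@dataclass(frozen=True)
class Response:
    """Simplified upstream reply (constructed for the model)."""
    qname: str
    qtype: str
    txid: int
    dst_ip: str
    dst_port: int
    answer: str


@dataclass
class InFlight:
    upstream: Query
    waiters: list = field(default_factory=list)  # stub ids waiting on this question


class Gateway:
    def __init__(self, egress_prefix: str, seed=None):
        # egress_prefix is an assumption standing in for "addresses of the same AS"
        self.pool = ipaddress.ip_network(egress_prefix)
        self.rng = random.Random(seed)
        self.inflight: dict = {}
        self.rejected = 0

    @staticmethod
    def _key(qname: str, qtype: str):
        # canonical question key: DNS names are case-insensitive
        return (qname.lower().rstrip("."), qtype)

    def _mix_case(self, name: str) -> str:
        # 0x20 encoding: randomise letter case; a genuine server echoes it verbatim
        return "".join(c.upper() if c.isalpha() and self.rng.random() < 0.5 else c
                       for c in name)

    def _random_source(self):
        # random host address inside the egress prefix (skip network/broadcast)
        offset = self.rng.randrange(1, self.pool.num_addresses - 1)
        return str(self.pool.network_address + offset), self.rng.randrange(1024, 65536)

    def client_query(self, client_id: str, qname: str, qtype: str):
        """Returns the upstream Query to forward, or None if suppressed."""
        key = self._key(qname, qtype)
        entry = self.inflight.get(key)
        if entry is not None:
            # birthday protection: one outstanding upstream query per question;
            # additional requesters just wait for the single answer
            entry.waiters.append(client_id)
            return None
        src_ip, src_port = self._random_source()
        q = Query(self._mix_case(key[0]), qtype, self.rng.randrange(0, 65536),
                  src_ip, src_port)
        self.inflight[key] = InFlight(q, [client_id])
        return q

    def upstream_response(self, resp: Response):
        """Returns the waiting client ids on a valid reply; None if rejected."""
        entry = self.inflight.get(self._key(resp.qname, resp.qtype))
        up = entry.upstream if entry else None
        if (up is None or resp.txid != up.txid or resp.qname != up.qname
                or resp.dst_ip != up.src_ip or resp.dst_port != up.src_port):
            # no outstanding request matches on every randomised field: drop
            self.rejected += 1
            return None
        del self.inflight[self._key(resp.qname, resp.qtype)]
        return entry.waiters

    def spoof_search_space(self, qname: str) -> int:
        """Combinations a blind spoofer must cover for one outstanding query."""
        letters = sum(c.isalpha() for c in qname)
        return 65536 * (65536 - 1024) * (self.pool.num_addresses - 2) * 2 ** letters
```

Because every stub request for an outstanding question is absorbed by the gateway, an attacker can no longer trigger many parallel queries for the same name to exploit the birthday paradox, and each guess must simultaneously match the transaction ID, source port, source address and 0x20 case pattern of the single query in flight.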