Unilateral antidotes to DNS poisoning

  • Amir Herzberg
  • Haya Shulman


We investigate defenses against DNS cache poisoning, focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or a proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge. We discuss limitations of the prominent resolver-only defenses, mainly port and IP randomisation, 0x20 encoding and birthday protection. We then present two new (unilateral) defenses: the sandwich antidote and the NAT antidote. The defenses are simple, effective and efficient, and can be implemented in a gateway connecting the resolver to the Internet. The sandwich antidote is composed of two phases: poisoning-attack detection and then prevention. The NAT antidote adds entropy to DNS requests by switching the resolver’s IP address to a random address (belonging to the same autonomous system). Finally, we show how to implement the birthday protection mechanism in the gateway, thus making it possible to restrict the number of DNS requests with the same query to 1 even when the resolver does not support this.
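The last sentence of the abstract describes gateway-side birthday protection: the gateway, not the resolver, ensures that at most one request carrying a given query is outstanding at any time, so an attacker cannot multiply their chances by provoking many simultaneous identical queries. The following is an added illustration of that bookkeeping, written for this page and not taken from the paper; the class name `BirthdayGuard`, the `(name, type, class)` key, the expiry timeout and the sample burst are all constructed here.

```python
"""Gateway-side birthday protection (added example, not the paper's code).

The gateway tracks in-flight queries by (qname, qtype, qclass). A repeat of an
in-flight query is not forwarded upstream; it is queued so that the single
upstream answer can be copied back to every waiting request. This is the
"restrict the number of DNS requests with the same query to 1" behaviour the
abstract attributes to the gateway, independent of the resolver.
"""
import time
from collections import defaultdict

# Time after which an unanswered query is no longer considered in flight and a
# fresh copy may go upstream (value chosen for this example, not from the paper).
DEFAULT_TIMEOUT = 2.0


class BirthdayGuard:
    def __init__(self, timeout=DEFAULT_TIMEOUT, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock                 # injectable for deterministic tests
        self.inflight = {}                 # key -> timestamp the query was sent
        self.waiters = defaultdict(list)   # key -> ids of requests awaiting that answer

    @staticmethod
    def key(qname, qtype, qclass="IN"):
        # DNS names are case-insensitive; normalise so "Example.COM." and
        # "example.com" are treated as the same outstanding query.
        return (qname.lower().rstrip("."), qtype.upper(), qclass.upper())

    def on_request(self, req_id, qname, qtype, qclass="IN"):
        """Return True if the gateway should forward this request upstream."""
        k = self.key(qname, qtype, qclass)
        now = self.clock()
        sent = self.inflight.get(k)
        if sent is not None and now - sent < self.timeout:
            # Duplicate of an in-flight query: hold it rather than giving an
            # attacker a second outstanding transaction to race against.
            self.waiters[k].append(req_id)
            return False
        self.inflight[k] = now
        self.waiters[k].append(req_id)
        return True

    def on_response(self, qname, qtype, qclass="IN"):
        """Return the ids of every held request this one upstream answer satisfies."""
        k = self.key(qname, qtype, qclass)
        self.inflight.pop(k, None)
        return self.waiters.pop(k, [])


def simulate_burst(requests, guard=None):
    """Count how many requests of a burst the gateway actually sends upstream.

    `requests` is a list of (req_id, qname, qtype) tuples as the resolver would
    emit them; the burst below is constructed sample input.
    """
    if guard is None:
        guard = BirthdayGuard()
    return sum(1 for r in requests if guard.on_request(*r))


if __name__ == "__main__":
    # A resolver without birthday protection emitting 50 identical queries at
    # once; the gateway lets exactly one through.
    burst = [(i, "victim.example", "A") for i in range(50)]
    print("forwarded upstream:", simulate_burst(burst))   # 1
```

The two hooks map onto the gateway's data path: `on_request` is consulted when a packet from the resolver is about to leave, and `on_response` when an answer arrives from the Internet and must be delivered to every request that was held for it. The timeout matters for correctness as well as availability: without it, a query whose answer never arrives would suppress all future copies of itself.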

Author-supplied keywords

  • dns poisoning
  • network security
  • secure dns
