Unilateral Antidotes to DNS Poisoning

We investigate defenses against DNS cache poisoning, focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge.