Abstract
Many long-lived network protocols were not designed with adversarial environments in mind; security is often an afterthought. Developing security mechanisms to protect such systems is often very challenging, because they must maintain compatibility with existing implementations while minimizing deployment cost and performance overhead. The Domain Name System (DNS) is one noteworthy example: the lack of source authentication has made DNS susceptible to cache poisoning. Existing countermeasures often suffer from at least one of the following limitations: insufficient protection, modest deployment, complex configuration, or dependence on domain owners' participation. We propose CGuard, an adaptive defense framework for caching DNS resolvers: CGuard actively tries to detect cache poisoning attempts and protects the cache entries under attack by updating them only through available high-confidence channels. CGuard's defense is immediately deployable by caching resolvers without relying on domain owners' assistance, and it is compatible with existing and future solutions. We have empirically demonstrated the efficacy of CGuard. We envision that, by taking away the attacker's incentive to launch DNS cache poisoning attacks, CGuard essentially turns the existence of high-confidence channels into a deterrent. Deterrence-based defense mechanisms can be applicable to other systems beyond DNS.
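The following Python sketch is an added illustration of the abstract's core idea, written for this page; it is not code from the paper or from the CGuard authors, and it does not reproduce their detection logic. It assumes a simple signal (a burst of replies for one name whose transaction ID or source port does not match the outstanding query, the footprint of a blind guessing flood), a constructed mismatch threshold, and two assumed channel labels (`tcp`, `dnssec`) standing in for "high-confidence channels". Once a name is flagged, the cache entry for that name accepts updates only from those channels, so a later lucky UDP guess no longer pays off.

```python
"""Illustrative adaptive 'protect the entry under attack' policy for a caching
resolver. Added example, not CGuard's code: the mismatch threshold, the channel
labels and the per-name bookkeeping are assumptions made for this sketch."""
import random
from dataclasses import dataclass, field

# Channels an off-path attacker cannot blindly spoof (assumed labels).
HIGH_CONFIDENCE = {"tcp", "dnssec"}


@dataclass
class AdaptiveResolver:
    mismatch_threshold: int = 3
    cache: dict = field(default_factory=dict)       # name -> rdata
    pending: dict = field(default_factory=dict)     # name -> (txid, src_port)
    mismatches: dict = field(default_factory=dict)  # name -> non-matching replies seen
    protected: set = field(default_factory=set)     # names accepting high-confidence updates only

    def send_query(self, name, rng=random):
        """Issue a query with a random TXID and source port (RFC 5452 style).
        A name under protection is queried over a high-confidence channel."""
        txid = rng.randrange(0, 1 << 16)
        port = rng.randrange(1024, 1 << 16)
        self.pending[name] = (txid, port)
        channel = "tcp" if name in self.protected else "udp"
        return txid, port, channel

    def on_response(self, name, txid, port, rdata, channel="udp"):
        """Process one reply; returns 'accepted', 'mismatch', 'protected' or 'dropped'."""
        if name in self.protected and channel not in HIGH_CONFIDENCE:
            # Entry is under attack: even a correct UDP guess cannot update it.
            return "dropped"
        if self.pending.get(name) != (txid, port):
            # Unsolicited or non-matching reply: count it per name.
            n = self.mismatches.get(name, 0) + 1
            self.mismatches[name] = n
            if n >= self.mismatch_threshold:
                self.protected.add(name)
                self.pending.pop(name, None)  # abandon the in-flight UDP query
                return "protected"
            return "mismatch"
        # TXID and port match the outstanding query: accept and cache.
        self.pending.pop(name)
        self.cache[name] = rdata
        return "accepted"

    def lookup(self, name):
        return self.cache.get(name)


def demo():
    """Constructed scenario: three forged replies trip protection, after which a
    correct guess over UDP is dropped but a matching TCP refresh is accepted."""
    r = AdaptiveResolver(mismatch_threshold=3)
    rng = random.Random(7)
    txid, port, _ = r.send_query("example.com", rng)
    outcomes = []
    for guess in range(1, 4):  # forged replies carrying wrong TXIDs (constructed)
        outcomes.append(r.on_response("example.com", (txid + guess) % 65536, port, "203.0.113.66"))
    outcomes.append(r.on_response("example.com", txid, port, "203.0.113.66"))  # correct guess, UDP
    txid2, port2, channel = r.send_query("example.com", rng)  # resolver now refreshes over TCP
    outcomes.append(r.on_response("example.com", txid2, port2, "198.51.100.10", channel))
    return outcomes, r.lookup("example.com")


if __name__ == "__main__":
    print(demo())
```

The point the sketch makes is the deterrence one: while a name is unprotected, a spoofing flood is a lottery with a small per-packet chance of success; once the flood itself has been noticed, the entry stops being updatable over the channel the flood uses, so the expected payoff of continuing (or of starting at all) collapses. A real resolver would also bound the protected state by time or TTL and account for legitimate causes of mismatches such as retransmissions.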
Notes
1. We obtained 18,075 unique IP addresses from 19,669 authoritative name servers of the top 20,000 domains as ranked by Alexa. Many of our subsequent experiments are also based on this data.
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Chau, S.Y. et al. (2018). Adaptive Deterrence of DNS Cache Poisoning. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 255. Springer, Cham. https://doi.org/10.1007/978-3-030-01704-0_10
DOI: https://doi.org/10.1007/978-3-030-01704-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01703-3
Online ISBN: 978-3-030-01704-0
eBook Packages: Computer Science (R0)