
Adaptive Deterrence of DNS Cache Poisoning

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2018)

Abstract

Many long-lived network protocols were not designed with adversarial environments in mind; security is often an afterthought. Developing security mechanisms to protect such systems is often very challenging, as they must maintain compatibility with existing implementations while minimizing deployment cost and performance overhead. The Domain Name System (DNS) is one noteworthy example: the lack of source authentication has made DNS susceptible to cache poisoning. Existing countermeasures often suffer from at least one of the following limitations: insufficient protection, modest deployment, complex configuration, or dependence on domain owners’ participation. We propose CGuard, an adaptive defense framework for caching DNS resolvers: CGuard actively tries to detect cache poisoning attempts and protects the cache entries under attack by updating them only through available high-confidence channels. CGuard’s defense is immediately deployable by caching resolvers without relying on domain owners’ assistance, and it is compatible with existing and future solutions. We have empirically demonstrated the efficacy of CGuard. We envision that, by taking away the attacker’s incentive to launch DNS cache poisoning attacks, CGuard essentially turns the existence of high-confidence channels into a deterrent. Deterrence-based defense mechanisms can be applicable to other systems beyond DNS.
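To illustrate the adaptive idea in the abstract, here is an added toy model (not code from the paper) of a resolver cache that counts replies failing to match an outstanding query, marks that name as under attack once a constructed threshold is crossed, and from then on accepts updates for it only over an assumed high-confidence channel (TCP here; the abstract does not name CGuard's channels, and the threshold, names and addresses are constructed).

```python
from collections import defaultdict

# Constructed threshold: mismatched replies for one name before protection kicks in.
ATTACK_THRESHOLD = 3


class AdaptiveCache:
    """Toy caching-resolver cache with a CGuard-like adaptive defense (illustrative only)."""

    def __init__(self, threshold=ATTACK_THRESHOLD):
        self.cache = {}                      # name -> rdata currently cached
        self.pending = {}                    # name -> (txid, port, channel) of the outstanding query
        self.mismatches = defaultdict(int)   # name -> replies that failed to match the query
        self.protected = set()               # names judged to be under attack
        self.threshold = threshold

    def send_query(self, name, txid, port, channel="udp"):
        self.pending[name] = (txid, port, channel)

    def refresh_channel(self, name):
        """Channel for the next lookup: the assumed high-confidence one (TCP) once protected."""
        return "tcp" if name in self.protected else "udp"

    def receive_response(self, name, txid, port, rdata, channel="udp"):
        """Return 'accepted', 'dropped' (mismatch) or 'rejected' (protected entry, weak channel)."""
        if self.pending.get(name) != (txid, port, channel):
            # A reply that does not match TXID/port/channel is a forgery attempt or a stray: never cache it.
            self.mismatches[name] += 1
            if self.mismatches[name] >= self.threshold:
                self.protected.add(name)     # detection: escalate this entry to protected mode
            return "dropped"
        if name in self.protected and channel != "tcp":
            # Under attack, even a matching UDP reply could be a lucky guess; insist on the strong channel.
            return "rejected"
        self.cache[name] = rdata
        del self.pending[name]
        return "accepted"


def simulate():
    """Constructed scenario: a burst of forged replies, a legitimate UDP reply, then a TCP refresh."""
    c = AdaptiveCache()
    c.send_query("example.com", txid=0x1234, port=40000)
    outcomes = [c.receive_response("example.com", g, 40000, "203.0.113.66") for g in (1, 2, 3)]
    outcomes.append(c.receive_response("example.com", 0x1234, 40000, "192.0.2.10"))
    c.send_query("example.com", txid=0x5678, port=40001, channel=c.refresh_channel("example.com"))
    outcomes.append(c.receive_response("example.com", 0x5678, 40001, "192.0.2.10", channel="tcp"))
    return outcomes, dict(c.cache), sorted(c.protected)
```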


Notes

  1. We obtained 18,075 unique IP addresses from 19,669 authoritative name servers of the top 20,000 domains as ranked by Alexa. Many of our subsequent experiments are also based on this data.


Author information

Correspondence to Sze Yiu Chau.


Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Chau, S.Y. et al. (2018). Adaptive Deterrence of DNS Cache Poisoning. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 255. Springer, Cham. https://doi.org/10.1007/978-3-030-01704-0_10


  • DOI: https://doi.org/10.1007/978-3-030-01704-0_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01703-3

  • Online ISBN: 978-3-030-01704-0

  • eBook Packages: Computer Science (R0)
