Abstract
DNS cache poisoning attacks have been known for a long time. In 2008, Kaminsky made the attack far more powerful with a nonce-query method. By leveraging Kaminsky's attack, phishing can be carried out at large scale, because victims have difficulty detecting that an attack is taking place. DNS cache poisoning is therefore a serious threat in the current DNS infrastructure. In this paper, we propose a countermeasure, DepenDNS, to prevent cache poisoning attacks. DepenDNS queries multiple resolvers concurrently to verify that an answer is trustworthy while users perform payment transactions, e.g., auctions or banking. Without modifying any resolver or authoritative server, DepenDNS is conveniently deployed on the client side. At the end of the paper, we conduct several experiments on DepenDNS to show its efficiency. We believe DepenDNS is a comprehensive solution against cache poisoning attacks.
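The abstract describes the core idea, querying several independent resolvers concurrently and accepting an answer only when they corroborate it, but not the exact decision rule. The following is an added, simplified illustration of that idea, written for this page; it is not the paper's own DepenDNS code or its scoring algorithm. The resolver names and addresses are constructed (RFC 5737 documentation ranges), and the resolver answers are embedded as data rather than fetched over the network. It shows two points a practitioner would want: an address is trusted only if at least `min_support` distinct resolvers returned it, and a resolver whose answer shares nothing with the corroborated set is flagged, while a resolver that merely timed out is reported separately instead of being treated as poisoned. Round-robin load balancing (different resolvers returning overlapping but unequal address sets) is tolerated because support is counted per address, not per identical answer set.

```python
"""Multi-resolver agreement check (added example, not DepenDNS's own code)."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: A-record sets returned by five independent resolvers for
# one hostname. Three share a round-robin pool of three addresses, "resolver-d"
# is poisoned and returns an unrelated address, and "resolver-e" timed out.
SAMPLE_ANSWERS = {
    "resolver-a": {"203.0.113.10", "203.0.113.11"},
    "resolver-b": {"203.0.113.11", "203.0.113.12"},
    "resolver-c": {"203.0.113.10", "203.0.113.12"},
    "resolver-d": {"198.51.100.99"},   # poisoned (constructed)
    "resolver-e": set(),               # no answer / timeout
}


@dataclass
class Verdict:
    corroborated: set   # addresses returned by >= min_support distinct resolvers
    flagged: set        # resolvers whose answer shares nothing with the corroborated set
    unanswered: set     # resolvers that returned no answer at all
    decisive: bool      # False when too few resolvers answered to judge


def tally_support(answers):
    """Count how many distinct resolvers returned each address.

    Each value is a set, so one resolver contributes at most once per address
    even if it returned the same record several times.
    """
    support = Counter()
    for ips in answers.values():
        for ip in ips:
            support[ip] += 1
    return support


def evaluate(answers, min_support=2):
    """Judge a set of resolver answers for a single hostname."""
    unanswered = {name for name, ips in answers.items() if not ips}
    responded = {name: ips for name, ips in answers.items() if ips}
    # With fewer responders than the support threshold nothing can be corroborated.
    if len(responded) < min_support:
        return Verdict(set(), set(), unanswered, False)
    support = tally_support(responded)
    corroborated = {ip for ip, n in support.items() if n >= min_support}
    # A resolver is flagged only if none of its addresses is corroborated by others;
    # returning a subset of the pool (load balancing) is not a disagreement.
    flagged = {name for name, ips in responded.items() if not (ips & corroborated)}
    return Verdict(corroborated, flagged, unanswered, True)


def safe_addresses(local_answer, answers, min_support=2):
    """Return those addresses from the client's own resolver that independent
    resolvers corroborate. An empty set means: do not proceed with the
    transaction on this answer."""
    verdict = evaluate(answers, min_support)
    if not verdict.decisive:
        return set()
    return set(local_answer) & verdict.corroborated


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_ANSWERS)
    print("corroborated:", sorted(verdict.corroborated))
    print("flagged resolvers:", sorted(verdict.flagged))
    print("unanswered resolvers:", sorted(verdict.unanswered))
    print("safe for local answer {'198.51.100.99'}:",
          safe_addresses({"198.51.100.99"}, SAMPLE_ANSWERS))
```

The check only helps when the resolvers are genuinely independent and the attacker has not poisoned a quorum of them consistently; the threshold `min_support` trades availability (a small pool of resolvers may never reach it) against the number of resolvers an attacker would have to poison at once. In deployment the local resolver's answer should be compared against resolvers it does not forward to, which is why the local answer is passed separately rather than counted toward its own corroboration.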
© 2009 Springer-Verlag Berlin Heidelberg
Sun, HM., Chang, WH., Chang, SY., Lin, YH. (2009). DepenDNS: Dependable Mechanism against DNS Cache Poisoning. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds) Cryptology and Network Security. CANS 2009. Lecture Notes in Computer Science, vol 5888. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10433-6_12
DOI: https://doi.org/10.1007/978-3-642-10433-6_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-10432-9
Online ISBN: 978-3-642-10433-6