
Reducing DNS cache poisoning attacks


Abstract

The increasing number of attacks on the Domain Name System (DNS), together with the problems faced in deploying Domain Name System Security Extensions (DNSSEC) on a large scale, creates the need for a simple and practical approach to safeguarding the DNS. In this paper, we present an efficient approach to significantly reduce the success rate of DNS cache poisoning attacks. The proposed Shift Key (S-Key) based domain name encoding scheme considerably raises the entropy of the DNS packet by encoding the domain name using randomly generated 4-bit S-Keys. To successfully poison a DNS cache, the attacker must now guess the 4-bit S-Key as well as the encoded domain name, in addition to the port number and the transaction ID. The Bi-Query scheme captures malicious reply packets by initiating a re-query, or by pairing up two consecutive requests to resolve the same domain name, thereby validating the Internet Protocol (IP) address retrieved for each domain name before caching it. The first method makes it difficult for the attacker to guess the DNS packet fields, while the second detects and discards any packet that has been forged.
