WSEC DNS: Protecting recursive DNS resolvers from poisoning attacks

Roberto Perdisci, Manos Antonakakis, Xiapu Luo, Wenke Lee

Research output: Chapter in book / Conference proceedingConference article published in proceeding or bookAcademic researchpeer-review

38 Citations (Scopus)

Abstract

Recently, a new attack for poisoning the cache of Recursive DNS (RDNS) resolvers was discovered and revealed to the public. In response, major DNS vendors released a patch to their software. However, the released patch does not completely protect DNS servers from cache poisoning attacks in a number of practical scenarios. DNSSEC seems to offer a definitive solution to the vulnerabilities of the DNS protocol, but unfortunately DNSSEC has not yet been widely deployed. In this paper, we proposeWild-card SECure DNS (WSEC DNS), a novel solution to DNS cache poisoning attacks. WSEC DNS relies on existing properties of the DNS protocol and is based on wild-card domain names. We show that WSEC DNS is able to decrease the probability of success of cache poisoning attacks by several orders of magnitude. That is, with WSEC DNS in place, an attacker has to persistently run a cache poisoning attack for years, before having a non-negligible chance of success. Furthermore, WSEC DNS offers complete backward compatibility to DNS servers that may for any reason decide not to implement it, therefore allowing an incremental large-scale deployment. Contrary to DNSSEC, WSEC DNS is deployable immediately because it does not have the technical and political problems that have so far hampered a large-scale deployment of DNSSEC.
Original languageEnglish
Title of host publicationProceedings of the 2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2009
Pages3-12
Number of pages10
DOIs
Publication statusPublished - 25 Nov 2009
Externally publishedYes
Event2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2009 - Lisbon, Portugal
Duration: 29 Jun 20092 Jul 2009

Conference

Conference2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2009
Country/TerritoryPortugal
CityLisbon
Period29/06/092/07/09

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture
  • Computer Networks and Communications

Cite this