Hold-On: Protecting Against On-Path DNS Poisoning
Title | Hold-On: Protecting Against On-Path DNS Poisoning |
Publication Type | Conference Paper |
Year of Publication | 2012 |
Authors | Duan, H., Weaver N., Zhao Z., Hu M., Liang J., Jiang J., Li K., & Paxson V. |
Other Numbers | 3374 |
Abstract | Several attacks on DNS inject forged DNS replies without suppressing the legitimate replies. Current implementations of DNS resolvers are vulnerable to accepting the injected replies if the attackers reply arrives before the legitimate one. In the case of regular DNS, this behavior allows an attacker to corrupt a victims interpretation of a name; for DNSSEC-protected names, it enables denial-of-service. We argue that the resolver should wait after receiving an initial reply for a Hold-On period to allow a subsequent legitimate reply to also arrive. We evaluate the feasibility of such an approach and discuss our implementation of a prototype stub resolver/forwarder that validates DNS replies using Hold-On. By validating the IP TTL and the timing of the replies, we show that the resolver can identify DNS packets injected by a nation-state censorship system, and that it functions without perceptible performance decrease for undisrupted lookups. |
Acknowledgment | This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS-0831780 (Relationship-Oriented Networking), CNS-0905631 ("Invigorating Empirical Network Research via Mediated Trace Analysis"), and CNS-1015835 ("Understanding and Taming the Web's Privacy Footprint"). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation. |
URL | http://www.icsi.berkeley.edu/pubs/networking/dnspoisoning12.pdf |
Bibliographic Notes | Proceedings of the Conference on Securing and Trusting Internet Names (SATIN 2012), Teddington, United Kingdom |
Abbreviated Authors | H. Duan, N. Weaver, Z. Zhao, M. Hu, J. Liang, Jinjin Jiang, Kang Li, and V. Paxson |
ICSI Research Group | Networking and Security |
ICSI Publication Type | Article in conference proceedings |