Hold-On: Protecting Against On-Path DNS Poisoning

TitleHold-On: Protecting Against On-Path DNS Poisoning
Publication TypeConference Paper
Year of Publication2012
AuthorsDuan, H., Weaver N., Zhao Z., Hu M., Liang J., Jiang J., Li K., & Paxson V.
Other Numbers3374

Several attacks on DNS inject forged DNS replies without suppressing the legitimate replies. Current implementations of DNS resolvers are vulnerable to accepting the injected replies if the attacker’s reply arrives before the legitimate one. In the case of regular DNS, this behavior allows an attacker to corrupt a victim’s interpretation of a name; for DNSSEC-protected names, it enables denial-of-service.

We argue that the resolver should wait after receiving an initial reply for a “Hold-On” period to allow a subsequent legitimate reply to also arrive. We evaluate the feasibility of such an approach and discuss our implementation of a prototype stub resolver/forwarder that validates DNS replies using Hold-On. By validating the IP TTL and the timing of the replies, we show that the resolver can identify DNS packets injected by a nation-state censorship system, and that it functions without perceptible performance decrease for undisrupted lookups.


This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS-0831780 (“Relationship-Oriented Networking”), CNS-0905631 ("Invigorating Empirical Network Research via Mediated Trace Analysis"), and CNS-1015835 ("Understanding and Taming the Web's Privacy Footprint"). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.

Bibliographic Notes

Proceedings of the Conference on Securing and Trusting Internet Names (SATIN 2012), Teddington, United Kingdom

Abbreviated Authors

H. Duan, N. Weaver, Z. Zhao, M. Hu, J. Liang, Jinjin Jiang, Kang Li, and V. Paxson

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings