Abstract

Domain Name System (DNS) cache poisoning is a stepping stone towards advanced (cyber) attacks. DNS cache poisoning can be used to monitor users' activities for censorship, to distribute malware and spam, and to subvert the correctness and availability of Internet clients and services. Currently, the DNS infrastructure relies on challenge-response defences (unpredictable transaction identifiers and source ports) against attacks by the common off-path adversaries. Such defences do not suffice against stronger, man-in-the-middle (MitM), adversaries. However, MitM is not believed to be common; hence, there seems to be little motivation to adopt systematic, cryptographic mechanisms. We show that challenge-response defences do not protect against cache poisoning. In particular, we review common situations where (1) attackers can frequently obtain MitM capabilities and (2) even weaker attackers can subvert DNS security. We also experimentally study dependencies in the DNS infrastructure, in particular dependencies within domain registrars and within domains, and show that multiple dependencies result in a more vulnerable DNS. We review domain name system security extensions (DNSSEC), the defence against DNS cache poisoning, and argue that not only is it the most suitable mechanism for preventing cache poisoning, but it is also the only proposed defence that enables a posteriori forensic analysis of attacks.
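The abstract's central claim, that challenge-response checks stop only an adversary who cannot see the query, is easy to make concrete. The following Python model is an added example written for this page, not code from the paper or its authors. It builds real wire-format DNS queries and responses with `struct`, has a toy recursive resolver apply the three standard challenge-response checks (matching transaction ID, matching source port, and case-sensitive 0x20 comparison of the query name), and then pits an off-path guesser and an on-path forger against it. The class and function names, the names `www.example.com`, and the addresses 192.0.2.10 and 198.51.100.66 are constructed for the illustration; the model has no DNSSEC validation, which is the point it makes.

```python
"""Challenge-response checks of a recursive resolver versus off-path and MitM attackers.
Added illustration: resolver, attackers and packets are constructed for this example."""
import random
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode uncompressed labels at offset; returns (name with trailing dot, next offset)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", offset + 1


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Standard query (RD set) for one question of class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, ip: str, qtype: int = 1) -> bytes:
    """Response (QR, RD, RA set) echoing the question and carrying one A record, TTL 300."""
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def randomize_0x20(qname: str, rng: random.Random) -> str:
    """0x20 encoding: random letter case, which the answer must echo exactly."""
    return "".join(c.upper() if rng.getrandbits(1) else c.lower() for c in qname)


class Resolver:
    """Toy recursive resolver: unpredictable txid/port/case per query, checked on receipt."""

    def __init__(self, rng: random.Random):
        self.rng = rng
        self.outstanding = {}   # (src_port, txid) -> query name exactly as sent
        self.cache = {}         # lowercase name -> IPv4 string

    def send_query(self, qname: str):
        """Returns (src_port, wire_bytes): precisely what an on-path observer sees."""
        txid, port = self.rng.getrandbits(16), self.rng.randint(1024, 65535)
        sent = randomize_0x20(qname.rstrip(".") + ".", self.rng)
        self.outstanding[(port, txid)] = sent
        return port, build_query(txid, sent)

    def receive(self, dst_port: int, data: bytes) -> bool:
        """Accept and cache only if port, txid and 0x20 case all match an outstanding query."""
        txid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
        if not flags & 0x8000 or qdcount != 1 or ancount < 1:
            return False
        if (dst_port, txid) not in self.outstanding:
            return False                                 # wrong port or txid
        qname, off = decode_name(data, 12)
        if qname != self.outstanding[(dst_port, txid)]:
            return False                                 # wrong letter case (0x20)
        _, off = decode_name(data, off + 4)              # skip QTYPE/QCLASS, owner name
        _, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata = data[off + 10:off + 10 + rdlen]
        del self.outstanding[(dst_port, txid)]
        self.cache[qname.lower()] = ".".join(str(b) for b in rdata)
        return True


def answer_observed_query(port: int, wire: bytes, ip: str):
    """Build a matching answer from a query seen on the wire. The authoritative server
    does exactly this; so can a MitM, and the checks cannot tell the two apart."""
    txid = struct.unpack("!H", wire[:2])[0]
    seen_name, _ = decode_name(wire, 12)
    return port, build_response(txid, seen_name, ip)


def off_path_attack(resolver: Resolver, qname: str, bad_ip: str, attempts: int, rng: random.Random) -> int:
    """Blind attacker: triggers a query, then guesses txid and port with a lowercase name."""
    resolver.send_query(qname)
    hits = 0
    for _ in range(attempts):
        forged = build_response(rng.getrandbits(16), qname.lower(), bad_ip)
        hits += resolver.receive(rng.randint(1024, 65535), forged)
    return hits


def run_scenarios(seed: int = 7, attempts: int = 20000) -> dict:
    """Deterministic run of the three scenarios; seeded so the outcome is reproducible."""
    rng = random.Random(seed)
    resolver = Resolver(rng)
    port, wire = resolver.send_query("www.example.com")
    legit = resolver.receive(*answer_observed_query(port, wire, "192.0.2.10"))
    blind_hits = off_path_attack(resolver, "www.example.com", "198.51.100.66", attempts, rng)
    port, wire = resolver.send_query("www.example.com")
    mitm = resolver.receive(*answer_observed_query(port, wire, "198.51.100.66"))
    return {"legitimate": legit, "off_path_hits": blind_hits, "mitm": mitm,
            "cached": resolver.cache.get("www.example.com.")}


if __name__ == "__main__":
    print(run_scenarios())
```

The off-path attacker faces roughly 2^16 transaction IDs times about 2^16 ports times 2^k case bits per guess, so tens of thousands of forged packets score zero hits, whereas the on-path forger succeeds on the first try and the cache ends up holding its address. Nothing the resolver can check in the packet distinguishes that forgery from the authoritative answer; only a signature over the records, which is what DNSSEC adds and which the MitM cannot produce, would.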

Highlights

  • During the recent decade, the Internet has experienced an increase in sophisticated attacks, subverting stability and correctness of many networks and services

  • Our goal is to encourage deployment of domain name system security extensions (DNSSEC), and we hope that our work will foster research efforts on the specific aspects which we identified as deterrents towards DNSSEC deployment

  • We show that DNSSEC provides cryptographic evidence that can be used in forensic analysis and detection of attacks long after they occurred, in particular even attacks launched by state entities, domain operators or MitM adversaries


Introduction

The Internet has experienced an increase in sophisticated attacks, subverting the stability and correctness of many networks and services. The attacks inflict economic losses on businesses and have a devastating impact on e-commerce, security and critical infrastructure. We focus on DNS, whose correctness and availability are critical to the functionality of the Internet. In a cache poisoning attack, the adversary causes recursive DNS resolvers to accept and cache a spoofed DNS response which contains malicious records. These records redirect the victim clients to incorrect (possibly malicious) hosts. DNS cache poisoning is detrimental to the correct functioning of Internet services and can be used to distribute malware and
