Abstract
DNS is vulnerable to cache poisoning attacks, whereby an attacker sends a spoofed reply to its own query. Historically, an attacker only needed to guess a predictable, or more recently, a 16-bit pseudorandom ID in order to be successful. The Kaminsky attack demonstrated successful poisoning attacks that required only 6 seconds on typical networks. Since then, source port randomization (spr) has been used for additional protection. Nevertheless, E. Polyakov demonstrated successful poisoning attacks against spr given a Gigabit network, on the order of 10 hours. Even with slower network speeds, an attack is likely to be successful in a moderate time period. DNSSEC will provide a strong countermeasure to poisoning as well as other attacks against the DNS. However, until DNSSEC is actually deployed, there is a need for additional countermeasures that can be deployed in the near term. In this paper, we describe a new approach that is based on detecting a poisoning attack, then sending an additional request for the same DNS Resource Record. Since the defense is only activated when attacks occur, we expect the performance impact to be minimal. The countermeasure requires no changes to the DNS standards, and only requires modifications to the caching server. Thus it can be deployed incrementally in order to obtain immediate security benefits. We show that our proposed defense makes poisoning attacks substantially more difficult. We have implemented the countermeasure using a local proxy for the BIND caching server, and our tests show that the performance impact is minimal.
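The "detect, then re-query" idea in the abstract can be modelled in a few dozen lines. The following is an added illustration written for this page, not the authors' BIND proxy or any code from the paper. It assumes one particular detection rule (a reply whose transaction ID or destination port does not match the outstanding query is taken as evidence of a guessing attack) and one particular confirmation rule (after such evidence, the resolver issues a second query with a fresh ID and port and caches only an answer that both rounds agree on); the paper's actual rules may differ. All names, addresses and replies below are constructed test data.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example of a detect-then-requery caching resolver. The detection and
# confirmation rules are assumptions for illustration, not the paper's design.


@dataclass(frozen=True)
class DnsReply:
    qname: str
    txid: int        # 16-bit transaction ID the reply claims to answer
    dst_port: int    # resolver port the reply was sent to
    rdata: str       # answer data, e.g. an IPv4 address


@dataclass
class PendingQuery:
    txid: int
    src_port: int


class DetectAndRequeryResolver:
    """Caching resolver that re-queries a name once a spoofing attempt is seen."""

    def __init__(self, seed: Optional[int] = None) -> None:
        self._rng = random.Random(seed)
        self.cache: Dict[str, str] = {}
        self.pending: Dict[str, PendingQuery] = {}
        self.suspect: Set[str] = set()            # names with a mismatched reply
        self.first_answer: Dict[str, str] = {}    # answer awaiting confirmation
        self.sent: List[Tuple[str, int, int]] = []  # (qname, txid, src_port)

    def send_query(self, qname: str) -> PendingQuery:
        # Random 16-bit ID plus a random ephemeral source port (spr).
        pq = PendingQuery(self._rng.randrange(1 << 16), self._rng.randrange(1024, 65536))
        self.pending[qname] = pq
        self.sent.append((qname, pq.txid, pq.src_port))
        return pq

    def receive(self, reply: DnsReply) -> str:
        pq = self.pending.get(reply.qname)
        if pq is None:
            return "ignored"          # nothing outstanding: drop silently
        if reply.txid != pq.txid or reply.dst_port != pq.src_port:
            # A reply that does not match the outstanding query is the
            # signature of a guessing attack: remember it and keep waiting.
            self.suspect.add(reply.qname)
            return "mismatch"
        # Matching reply. With no attack observed, accept immediately so the
        # defense costs nothing on a quiet network.
        del self.pending[reply.qname]
        if reply.qname not in self.suspect:
            self.cache[reply.qname] = reply.rdata
            return "cached"
        first = self.first_answer.get(reply.qname)
        if first is None:
            # First matching answer during an attack: hold it and ask again
            # with a fresh ID and port, so a lucky guess would have to repeat.
            self.first_answer[reply.qname] = reply.rdata
            self.send_query(reply.qname)
            return "requeried"
        # Second matching answer: cache only if both rounds agree.
        del self.first_answer[reply.qname]
        self.suspect.discard(reply.qname)
        if first == reply.rdata:
            self.cache[reply.qname] = reply.rdata
            return "cached"
        return "rejected"             # answers disagree: one of them was forged


def run_scenarios() -> Dict[str, Tuple[List[str], int, Optional[str]]]:
    """Three constructed situations: statuses seen, queries sent, cached rdata."""
    out = {}
    # 1. Quiet network: the single legitimate reply is accepted at once.
    r = DetectAndRequeryResolver(seed=1)
    pq = r.send_query("quiet.example")
    s = [r.receive(DnsReply("quiet.example", pq.txid, pq.src_port, "192.0.2.10"))]
    out["quiet"] = (s, len(r.sent), r.cache.get("quiet.example"))
    # 2. Burst of wrong-ID replies, then the real answer twice: confirmed.
    r = DetectAndRequeryResolver(seed=2)
    pq = r.send_query("t.example")
    s = [r.receive(DnsReply("t.example", (pq.txid + 1 + i) % 65536, pq.src_port, "203.0.113.66"))
         for i in range(3)]
    s.append(r.receive(DnsReply("t.example", pq.txid, pq.src_port, "192.0.2.10")))
    pq2 = r.pending["t.example"]
    s.append(r.receive(DnsReply("t.example", pq2.txid, pq2.src_port, "192.0.2.10")))
    out["flood"] = (s, len(r.sent), r.cache.get("t.example"))
    # 3. A forged reply happens to match round one; round two disagrees: rejected.
    r = DetectAndRequeryResolver(seed=3)
    pq = r.send_query("u.example")
    s = [r.receive(DnsReply("u.example", (pq.txid + 7) % 65536, pq.src_port, "203.0.113.66")),
         r.receive(DnsReply("u.example", pq.txid, pq.src_port, "203.0.113.66"))]
    pq2 = r.pending["u.example"]
    s.append(r.receive(DnsReply("u.example", pq2.txid, pq2.src_port, "192.0.2.10")))
    out["lucky"] = (s, len(r.sent), r.cache.get("u.example"))
    return out
```

The point of the model is the cost profile the abstract claims: on a quiet network every name is resolved with one query and cached on the first matching reply, so the extra round trip is paid only for names that have actually attracted mismatched replies. A production implementation would also need per-name timeouts and a retry policy after a rejection; those are left out here.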