An On-Demand Defense Scheme Against DNS Cache Poisoning Attacks

Zheng Wang; Shui Yu; Scott Rose

doi:10.4108/eai.15-5-2018.154771

EAI Endorsed Transactions on Security and Safety (May 2018)

An On-Demand Defense Scheme Against DNS Cache Poisoning Attacks

Zheng Wang,
Shui Yu,
Scott Rose

Affiliations

Zheng Wang: National Institute of Standards and Technology, Gaithersburg, MD 20899, USA; [email protected]
Shui Yu: School of Information Technology, Deakin University, Burwood, VIC 3125, Australia
Scott Rose: National Institute of Standards and Technology, Gaithersburg, MD 20899, USA

DOI: https://doi.org/10.4108/eai.15-5-2018.154771
Journal volume & issue: Vol. 4, no. 14
pp. 1 – 17

Abstract

Read online

The threats of caching poisoning attacks largely stimulate the deployment of DNSSEC. Being a strong but demanding cryptographical defense, DNSSEC has its universal adoption predicted to go through a lengthy transition. Thus the DNSSEC practitioners call for a secure yet lightweight solution to speed up DNSSEC deployment while oﬀering an acceptable DNSSEC-like defense. This paper proposes a new On-Demand Defense (ODD) scheme against cache poisoning attacks, still using but lightly using DNSSEC. In the solution, DNS operates in DNSSEC-oblivious mode unless a potential attack is detected and triggers a switch to DNSSEC-aware mode. The modeling checking results demonstrate that only a small DNSSEC query load is needed by the ODD scheme to ensure a small enough cache poisoning success rate.

Published in EAI Endorsed Transactions on Security and Safety

ISSN: 2032-9393 (Online)
Publisher: European Alliance for Innovation (EAI)
Country of publisher: Belgium
LCC subjects: Technology
Website: https://eudl.eu/journal/sesa

About the journal

Abstract

Keywords