Publication Details
Title: Hold-On: Protecting Against On-Path DNS Poisoning
Author: H. Duan, N. Weaver, Z. Zhao, M. Hu, J. Liang, J. Jiang, K. Li, and V. Paxson
Group: Networking
Date: March 2012
PDF: http://www.icsi.berkeley.edu/pubs/networking/dnspoisoning12.pdf
Overview:
Several attacks on DNS inject forged DNS replies without suppressing the legitimate replies. Current implementations of DNS resolvers are vulnerable to accepting the injected replies if the attacker’s reply arrives before the legitimate one. In the case of regular DNS, this behavior allows an attacker to corrupt a victim’s interpretation of a name; for DNSSEC-protected names, it enables denial-of-service. We argue that the resolver should wait after receiving an initial reply for a “Hold-On” period to allow a subsequent legitimate reply to also arrive. We evaluate the feasibility of such an approach and discuss our implementation of a prototype stub resolver/forwarder that validates DNS replies using Hold-On. By validating the IP TTL and the timing of the replies, we show that the resolver can identify DNS packets injected by a nation-state censorship system, and that it functions without perceptible performance decrease for undisrupted lookups.
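The decision logic described above, as an added illustration that is not code from the paper's prototype: a resolver collects replies for a Hold-On window after the first one arrives and accepts the first reply whose IP TTL and arrival time match what it expects from the legitimate server. The expected TTL, expected RTT, the tolerances and the sample replies are constructed assumptions, not the paper's measured parameters.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Reply:
    arrival_ms: float   # milliseconds after the query was sent
    ip_ttl: int         # IP TTL observed on the reply packet
    answer: str         # the A record carried in the reply


def plausible(reply: Reply, expected_ttl: int, expected_rtt_ms: float,
              ttl_tolerance: int = 2, early_factor: float = 0.5) -> bool:
    """TTL and timing checks. Tolerances are assumptions for this example."""
    # A reply whose IP TTL differs from the TTL seen on earlier legitimate
    # replies from this server was likely emitted from a different hop count.
    if abs(reply.ip_ttl - expected_ttl) > ttl_tolerance:
        return False
    # A reply that arrives far sooner than the measured round trip to the
    # server could not have come from that server.
    if reply.arrival_ms < expected_rtt_ms * early_factor:
        return False
    return True


def hold_on_resolve(replies: List[Reply], expected_ttl: int, expected_rtt_ms: float,
                    hold_on_ms: float = 200.0) -> Tuple[Optional[Reply], List[Reply]]:
    """Hold on for hold_on_ms after the first reply; return (accepted, rejected)."""
    ordered = sorted(replies, key=lambda r: r.arrival_ms)
    if not ordered:
        return None, []
    deadline = ordered[0].arrival_ms + hold_on_ms   # window starts at the first reply
    accepted: Optional[Reply] = None
    rejected: List[Reply] = []
    for r in ordered:
        if r.arrival_ms > deadline:
            break                                   # too late, outside the window
        if plausible(r, expected_ttl, expected_rtt_ms):
            if accepted is None:
                accepted = r                        # first reply passing both checks
        else:
            rejected.append(r)                      # judged injected
    return accepted, rejected


# Constructed sample: expected server TTL 54, measured RTT 40 ms.
SAMPLE_REPLIES = [
    Reply(arrival_ms=12.0, ip_ttl=61, answer="203.0.113.5"),    # early and wrong TTL
    Reply(arrival_ms=41.0, ip_ttl=54, answer="198.51.100.7"),   # matches expectations
    Reply(arrival_ms=450.0, ip_ttl=54, answer="198.51.100.7"),  # after the window
]

if __name__ == "__main__":
    ok, bad = hold_on_resolve(SAMPLE_REPLIES, expected_ttl=54, expected_rtt_ms=40.0)
    print("accepted:", ok, "rejected:", bad)
```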
Acknowledgements:
This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS-0831780 ("Relationship-Oriented Networking"), CNS-0905631 ("Invigorating Empirical Network Research via Mediated Trace Analysis"), and CNS-1015835 ("Understanding and Taming the Web's Privacy Footprint"). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.
Bibliographic Information:
Proceedings of the Conference on Securing and Trusting Internet Names (SATIN 2012), Teddington, United Kingdom
Bibliographic Reference:
H. Duan, N. Weaver, Z. Zhao, M. Hu, J. Liang, J. Jiang, K. Li, and V. Paxson. Hold-On: Protecting Against On-Path DNS Poisoning. Proceedings of the Conference on Securing and Trusting Internet Names (SATIN 2012), Teddington, United Kingdom, March 2012
