Research Article
An On-Demand Defense Scheme Against DNS Cache Poisoning Attacks
@ARTICLE{10.4108/eai.15-5-2018.154771,
  author={Zheng Wang and Shui Yu and Scott Rose},
  title={An On-Demand Defense Scheme Against DNS Cache Poisoning Attacks},
  journal={EAI Endorsed Transactions on Security and Safety},
  volume={4},
  number={14},
  publisher={EAI},
  journal_a={SESA},
  year={2018},
  month={5},
  keywords={NS Security Extensions, DNS cache poisoning, model checking, query load, success rate.},
  doi={10.4108/eai.15-5-2018.154771}
}
- Zheng Wang
- Shui Yu
- Scott Rose
Year: 2018
Journal: SESA
Publisher: EAI
DOI: 10.4108/eai.15-5-2018.154771
Abstract
The threat of cache poisoning attacks has largely stimulated the deployment of DNSSEC. DNSSEC is a strong but demanding cryptographic defense, and its universal adoption is predicted to go through a lengthy transition. DNSSEC practitioners therefore call for a secure yet lightweight solution that speeds up DNSSEC deployment while offering an acceptable DNSSEC-like defense. This paper proposes a new On-Demand Defense (ODD) scheme against cache poisoning attacks that still uses DNSSEC, but only lightly. In this scheme, DNS operates in DNSSEC-oblivious mode unless a potential attack is detected, which triggers a switch to DNSSEC-aware mode. The model checking results demonstrate that the ODD scheme needs only a small DNSSEC query load to ensure a sufficiently small cache poisoning success rate.
Copyright © 2018 Zheng Wang et al., licensed to EAI. This is an open access article distributed under the terms of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/), which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.