ISBN: 978-981-18-3959-7 DOI: 10.18178/wcse.2022.06.043
Forged Cache Isolation on DNS Full-Service Resolvers and Identification of Infected End Clients
Abstract— The Domain Name System (DNS) plays an indispensable role in today's Internet. At the same time, cyber-attacks that abuse DNS-based name resolution have become a critical issue, DNS cache poisoning attacks in particular. DNS Security Extensions (DNSSEC) is one solution for mitigating this threat, but its deployment rate across the Internet is still very low because of the high overhead on DNS full-service resolvers and the high operational cost. DNS over TLS (DoT) and DNS over HTTPS (DoH), two standards whose deployment is still in progress, cover only the communication between end clients and DNS full-service resolvers; the resolver's own cache can still be poisoned, so they cannot effectively mitigate cache poisoning attacks. In this research, we propose a mechanism that isolates forged or poisoned cache entries on DNS full-service resolvers and identifies the infected end clients, in order to mitigate further infection within an internal network. In this paper, we first describe the design of the proposed mechanism and introduce a simple prototype implementation in a local network environment. Then we show preliminary evaluation results for the basic functions of the proposed mechanism. Finally, we discuss extra features that may be required for further approaches against DNS cache poisoning attacks and describe future work regarding deployment of the proposed system in a real network environment.
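The two functions the abstract names, isolating forged cache entries on the resolver and identifying the end clients that already received them, can be illustrated with a small model. The following is an added example and not the authors' prototype or code; the page does not describe how their mechanism detects a forged entry. The example assumes a detection criterion of its own (a cache entry disagrees with a trusted out-of-band re-resolution, such as a DNSSEC-validated answer, here modelled by the `TRUSTED` table) and uses constructed names and documentation-range addresses. Quarantined entries are never served again, and the per-client answer log is correlated with the quarantine to list the clients that were served the forged data.

```python
# Added example (not the paper's code): a toy full-service resolver cache that
# audits its entries against a trusted re-resolution, isolates mismatching
# (forged) records in a quarantine, and correlates its client answer log to
# identify which end clients were already served the forged answer.
# The mismatch-against-trusted-source criterion and all names/addresses below
# are assumptions constructed for illustration; the paper's own mechanism is
# not described on this page.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (owner name, record type)


@dataclass
class CacheEntry:
    name: str
    rtype: str
    rdata: str
    ttl: int


class Resolver:
    def __init__(self, trusted_lookup: Callable[[str, str], Optional[str]]):
        # trusted_lookup models an out-of-band, trustworthy resolution
        # (e.g. a DNSSEC-validated answer); it is an assumption of this example.
        self.trusted_lookup = trusted_lookup
        self.cache: Dict[Key, CacheEntry] = {}
        self.quarantine: Dict[Key, CacheEntry] = {}
        # Answers served from cache, per client: (client, name, rtype, rdata)
        self.served: List[Tuple[str, str, str, str]] = []

    def install(self, name: str, rtype: str, rdata: str, ttl: int) -> None:
        """Cache an answer received from upstream resolution (possibly forged)."""
        self.cache[(name, rtype)] = CacheEntry(name, rtype, rdata, ttl)

    def answer(self, client: str, name: str, rtype: str) -> Optional[str]:
        """Serve a client from cache; quarantined entries are never served."""
        key = (name, rtype)
        if key in self.quarantine or key not in self.cache:
            return None  # miss: a real resolver would re-resolve upstream
        rdata = self.cache[key].rdata
        self.served.append((client, name, rtype, rdata))
        return rdata

    def audit(self) -> List[Key]:
        """Move every cache entry that disagrees with the trusted source into quarantine."""
        forged: List[Key] = []
        for key, entry in list(self.cache.items()):
            expected = self.trusted_lookup(entry.name, entry.rtype)
            if expected is not None and expected != entry.rdata:
                self.quarantine[key] = self.cache.pop(key)
                forged.append(key)
        return forged

    def infected_clients(self) -> Dict[str, Set[str]]:
        """Clients that were served quarantined (forged) rdata, keyed by owner name."""
        result: Dict[str, Set[str]] = {}
        for client, name, rtype, rdata in self.served:
            entry = self.quarantine.get((name, rtype))
            if entry is not None and entry.rdata == rdata:
                result.setdefault(name, set()).add(client)
        return result


# Constructed sample data: a trusted view of two names, and a resolver cache
# holding one legitimate and one forged A record.
TRUSTED: Dict[Key, str] = {
    ("example.com", "A"): "93.184.216.34",
    ("bank.example", "A"): "203.0.113.7",
}


def run_scenario() -> Tuple[List[Key], Dict[str, Set[str]], Optional[str]]:
    r = Resolver(lambda n, t: TRUSTED.get((n, t)))
    r.install("example.com", "A", "93.184.216.34", 300)   # legitimate
    r.install("bank.example", "A", "198.51.100.9", 300)   # forged by a poisoning attack
    r.answer("192.0.2.10", "bank.example", "A")
    r.answer("192.0.2.11", "bank.example", "A")
    r.answer("192.0.2.12", "example.com", "A")
    forged = r.audit()
    infected = r.infected_clients()
    after = r.answer("192.0.2.13", "bank.example", "A")  # quarantined: not served
    return forged, infected, after


if __name__ == "__main__":
    forged, infected, after = run_scenario()
    print("quarantined:", forged)
    print("infected clients:", infected)
    print("served after quarantine:", after)
```

Running the scenario quarantines only `("bank.example", "A")`, reports 192.0.2.10 and 192.0.2.11 as the clients that received the forged address, and answers later queries for the quarantined name with a cache miss so the forged data is not served again. In a deployment the `served` log would be the resolver's query log keyed by client source address, and the trusted re-resolution would be whatever validated source the operator can afford, which is exactly the overhead trade-off the abstract raises for DNSSEC.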
Index Terms—DNS, full-service resolver, cache poisoning attack, forged cache isolation, DNSSEC, DoH
Yong Jin, Masahiko Tomoishi, Satoshi Matsuura
Tokyo Institute of Technology, JAPAN
Cite: Yong Jin, Masahiko Tomoishi, Satoshi Matsuura, "Forged Cache Isolation on DNS Full-Service Resolvers and Identification of Infected End Clients," Proceedings of 2022 the 12th International Workshop on Computer Science and Engineering (WCSE 2022), pp. 300-305, June 24-27, 2022.