Domain Name System (DNS) cache poisoning is a stepping stone towards advanced (cyber) attacks. DNS cache poisoning can be used to monitor users' activities for censorship, to distribute malware and spam, and to subvert the correctness and availability of Internet clients and services. Currently, the DNS infrastructure relies on challenge-response defences against attacks by (the common) off-path adversaries. Such defences do not suffice against stronger, man-in-the-middle (MitM), adversaries. However, MitM is not believed to be common; hence, there seems to be little motivation to adopt systematic, cryptographic mechanisms. We show that challenge-response defences do not protect against cache poisoning. In particular, we review common situations where (1) attackers can frequently obtain MitM capabilities and (2) even weaker attackers can subvert DNS security. We also experimentally study dependencies in the DNS infrastructure, in particular, dependencies within domain registrars and within domains, and show that multiple dependencies result in a more vulnerable DNS. We review the domain name system security extensions (DNSSEC), the defence against DNS cache poisoning, and argue that not only is it the most suitable mechanism for preventing cache poisoning, but it is also the only proposed defence that enables a posteriori forensic analysis of attacks.