WSEC DNS: Protecting recursive DNS resolvers from poisoning attacks

Abstract

Recently, a new attack for poisoning the cache of Recursive DNS (RDNS) resolvers was discovered and revealed to the public. In response, major DNS vendors released a patch to their software. However, the released patch does not completely protect DNS servers from cache poisoning attacks in a number of practical scenarios. DNSSEC seems to offer a definitive solution to the vulnerabilities of the DNS protocol, but unfortunately DNSSEC has not yet been widely deployed. In this paper, we proposeWild-card SECure DNS (WSEC DNS), a novel solution to DNS cache poisoning attacks. WSEC DNS relies on existing properties of the DNS protocol and is based on wild-card domain names. We show that WSEC DNS is able to decrease the probability of success of cache poisoning attacks by several orders of magnitude. That is, with WSEC DNS in place, an attacker has to persistently run a cache poisoning attack for years, before having a non-negligible chance of success. Furthermore, WSEC DNS offers complete backward compatibility to DNS servers that may for any reason decide not to implement it, therefore allowing an incremental large-scale deployment. Contrary to DNSSEC, WSEC DNS is deployable immediately because it does not have the technical and political problems that have so far hampered a large-scale deployment of DNSSEC.