Prevent DNS Cache Poisoning Using Security Proxy

Lejun Fan, Yuanzhuo Wang, Xueqi Cheng, Jinming Li
{"title":"使用安全代理防止DNS缓存中毒","authors":"Lejun Fan, Yuanzhuo Wang, Xueqi Cheng, Jinming Li","doi":"10.1109/PDCAT.2011.69","DOIUrl":null,"url":null,"abstract":"DNS has been suffering from cache poisoning attack for a long time. The attacker sends camouflaged DNS response to trick the domain name server, and inserts malicious resource record into the cached database. Because the original DNS protocol only depends on 16-bit transaction ID to verify the response packet, it is prone to be guessed by the attacker. Although many strategies such as transaction randomizing, source port randomizing and the 0x20 technique have been applied to improve the resistance of DNS, the attacker still has chance to poison DNS server in an acceptable time. Other more complicated strategy such as DNSSEC which provides stricter prevention mechanism is not easy to deploy and is not widely adopted yet. To address the problem, we present a novel strategy called Security Proxy. The architecture can be easily implemented and deployed on existing DNS server without modification of DNS server itself. The embedded two schemes Selective Re-Query and Security Label Communication can cooperate and effectively prevent the cache poisoning attack. We analyze our strategy from both the capability and efficiency. 
Then we find that our Security Proxy has obvious advantage over the original transaction ID, the source port randomizing and 0x20 techniques.","PeriodicalId":137617,"journal":{"name":"2011 12th International Conference on Parallel and Distributed Computing, Applications and Technologies","volume":"22 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-10-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"15","resultStr":"{\"title\":\"Prevent DNS Cache Poisoning Using Security Proxy\",\"authors\":\"Lejun Fan, Yuanzhuo Wang, Xueqi Cheng, Jinming Li\",\"doi\":\"10.1109/PDCAT.2011.69\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"DNS has been suffering from cache poisoning attack for a long time. The attacker sends camouflaged DNS response to trick the domain name server, and inserts malicious resource record into the cached database. Because the original DNS protocol only depends on 16-bit transaction ID to verify the response packet, it is prone to be guessed by the attacker. Although many strategies such as transaction randomizing, source port randomizing and the 0x20 technique have been applied to improve the resistance of DNS, the attacker still has chance to poison DNS server in an acceptable time. Other more complicated strategy such as DNSSEC which provides stricter prevention mechanism is not easy to deploy and is not widely adopted yet. To address the problem, we present a novel strategy called Security Proxy. The architecture can be easily implemented and deployed on existing DNS server without modification of DNS server itself. The embedded two schemes Selective Re-Query and Security Label Communication can cooperate and effectively prevent the cache poisoning attack. We analyze our strategy from both the capability and efficiency. 
Then we find that our Security Proxy has obvious advantage over the original transaction ID, the source port randomizing and 0x20 techniques.\",\"PeriodicalId\":137617,\"journal\":{\"name\":\"2011 12th International Conference on Parallel and Distributed Computing, Applications and Technologies\",\"volume\":\"22 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2011-10-20\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"15\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2011 12th International Conference on Parallel and Distributed Computing, Applications and Technologies\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/PDCAT.2011.69\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 12th International Conference on Parallel and Distributed Computing, Applications and Technologies","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/PDCAT.2011.69","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 15

Abstract

DNS has been suffering from cache poisoning attacks for a long time. The attacker sends a camouflaged DNS response to trick the domain name server and inserts a malicious resource record into the cached database. Because the original DNS protocol depends only on a 16-bit transaction ID to verify the response packet, it is prone to being guessed by the attacker. Although many strategies, such as transaction ID randomizing, source port randomizing and the 0x20 technique, have been applied to improve the resistance of DNS, the attacker still has a chance to poison the DNS server in an acceptable time. Other more complicated strategies such as DNSSEC, which provides a stricter prevention mechanism, are not easy to deploy and are not widely adopted yet. To address the problem, we present a novel strategy called Security Proxy. The architecture can be easily implemented and deployed on an existing DNS server without modification of the DNS server itself. The two embedded schemes, Selective Re-Query and Security Label Communication, cooperate to effectively prevent the cache poisoning attack. We analyze our strategy in terms of both capability and efficiency, and find that our Security Proxy has an obvious advantage over the original transaction ID, source port randomizing and 0x20 techniques.