Increased DNS forgery resistance through 0x20-bit encoding

Dagon, David; Antonakakis, Manos; Vixie, Paul; Jinmei, Tatuya; Lee, Wenke

doi:10.1145/1455770.1455798

Cited by 73 publications

(76 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A number of recently proposed defenses against DNS cache poisoning, including source port randomization, 0x20-bit encoding, XQID, and WSEC-DNS, fundamentally depend on the asymmetric accessibility of the components used for authenticating responses to DNS queries [7,8,11,20].…”

Section: Response Forgery Using Eavesdroppingmentioning

confidence: 99%

“…This patch depends on the configuration of the local network such as the firewall imposing strict constraints on inbound connections. Other solutions aiming to prevent blind response forgery by increasing entropy of queries are 0x20-bit encoding [7], which randomizes capitalization of letters in the query (the amount of entropy depends on the length of the query), and WSEC-DNS [20] and XQID [11], which use a challenge-response scheme with random nonces.…”

Section: Defensesmentioning

confidence: 99%

See 1 more Smart Citation

The Hitchhiker’s Guide to DNS Cache Poisoning

Son

Shmatikov

2010

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. DNS cache poisoning is a serious threat to today's Internet. We develop a formal model of the semantics of DNS caches, including the bailiwick rule and trust-level logic, and use it to systematically investigate different types of cache poisoning and to generate templates for attack payloads. We explain the impact of the attacks on DNS resolvers such as BIND, MaraDNS, and Unbound and their implications for several defenses against DNS cache poisoning.

show abstract

Section: Response Forgery Using Eavesdroppingmentioning

confidence: 99%

Section: Defensesmentioning

confidence: 99%

The Hitchhiker’s Guide to DNS Cache Poisoning

Son

Shmatikov

2010

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

show abstract

“…6 We then query the ODNS for the google.com subdomain and determine 3 We require at least ten transactions for the results in this paper, but in other experiments we find the insights are not sensitive to the exact threshold. 4 We conclude that resolvers do not use static, incrementing, or decrementing transactions IDs by observing a high standard deviation in the transaction ID sequence. 5 Our results may be a lower bound on the adoption of 0x20 encoding as at least one major RDNS pool-Google Public DNS [8]-uses 0x20 encoding on a white-listed set of domains.…”

Section: Bailiwick Rules Violationsmentioning

confidence: 77%

“…While randomizing only the DNS transaction ID is insufficient protection, randomizing both values is an effective strategy [10]. Another technique to increasing entropy is "0x20 encoding" [4] in which the RDNS randomly changes the capitalization throughout query strings. Authoritative servers should be case insensitive when resolving the query yet retain the capitalization in their response [12].…”

Section: Kaminsky's Attackmentioning

confidence: 99%

See 1 more Smart Citation

Assessing DNS Vulnerability to Record Injection

Schomp

Callahan

Rabinovich

et al. 2014

Passive and Active Measurement

View full text Add to dashboard Cite

Abstract. The Domain Name System (DNS) is a critical component of the Internet infrastructure as it maps human-readable names to IP addresses. Injecting fraudulent mappings allows an attacker to divert users from intended destinations to those of an attacker's choosing. In this paper, we measure the Internet's vulnerability to DNS record injection attacks-including a new attack we uncover. We find that record injection vulnerabilities are fairly common-even years after some of them were first uncovered.

show abstract

An intelligent proactive defense against the client‐side DNS cache poisoning attack via self‐checking deep reinforcement learning

Yang

et al. 2022

Int J of Intelligent Sys

View full text Add to dashboard Cite

A new class of poisoning attacks has recently emerged targeting the client-side Domain Name System (DNS) cache. It allows users to visit fake websites unconsciously, thereby revealing their information, such as passwords. However, the current DNS defense architecture does not include DNS clients. Although relative encryption solutions can mitigate this attack, they require the cooperation of multiple parties, and the deployment speed is slow. Therefore, we propose an intelligent-driven proactive defense strategy. First, we model the offensive and defensive process as a stochastic game based on moving target defense. Second, we adopt and optimize Proximal PolicyOptimization (PPO), a deep reinforcement learning method, to solve problems caused by uncertain attack strategies and unknown state transition probability. Third, we design a self-checking component in PPO to solve the uncertainty of action space caused by game state constraints based on our previous work. Thus the convergence speed and stability of PPO are improved. Finally, to the best of our knowledge, we are the first to game with intelligent attackers besides three conventional ones. Our strategy does not require any

show abstract

Increased DNS forgery resistance through 0x20-bit encoding

Cited by 73 publications

References 13 publications

The Hitchhiker’s Guide to DNS Cache Poisoning

The Hitchhiker’s Guide to DNS Cache Poisoning

Assessing DNS Vulnerability to Record Injection

An intelligent proactive defense against the client‐side DNS cache poisoning attack via self‐checking deep reinforcement learning

Contact Info

Product

Resources

About