Abstract
The domain name system (DNS) provides a translation between readable domain names and IP addresses. The DNS is a key infrastructure component of the Internet and a prime target for a variety of attacks. One of the most significant threats to DNS’ well-being is a DNS poisoning attack in which the DNS responses are maliciously replaced, or poisoned, by an attacker. To identify this kind of attack, we start by an analysis of different kinds of response times. We present an analysis of typical and atypical response times, while differentiating between the different levels of DNS servers’ response times, from root servers down to internal caching servers. We successfully identify empirical DNS poisoning attacks based on a novel method for DNS response timing analysis. We then present a system we developed to validate our technique that does not require any changes to the DNS protocol or any existing network equipment. Our validation system tested data from different architectures including LAN and cloud environments and real data from an internet service provider. Our method and system differ from most other DNS poisoning detection methods and achieved high detection rates exceeding 98%. These findings suggest that when used in conjunction with other methods, they can considerably enhance the accuracy of these methods.
Original language | English |
---|---|
Pages (from-to) | 313-329 |
Number of pages | 17 |
Journal | International Journal of Information Security |
Volume | 20 |
Issue number | 3 |
DOIs | |
State | Published - 1 Jun 2021 |
Externally published | Yes |
Keywords
- DNS
- DNS security
- Network protocols
- Network security
ASJC Scopus subject areas
- Software
- Information Systems
- Safety, Risk, Reliability and Quality
- Computer Networks and Communications