
TL;DR
This paper introduces a lightweight, adaptive DNS security method that activates DNSSEC only when potential cache poisoning attacks are detected, aiming to improve deployment efficiency.
Contribution
It presents a novel adaptive defense mechanism that switches DNSSEC on-demand, reducing overhead while maintaining security against cache poisoning.
Findings
Small DNSSEC query load suffices for effective protection
Adaptive switching reduces DNSSEC overhead
Validated through modeling and checking
Abstract
The threat of cache poisoning attacks has been a major driver of DNSSEC deployment. Being a strong but demanding cryptographic defense, DNSSEC is predicted to go through a lengthy transition before reaching universal adoption. DNSSEC practitioners therefore call for a secure yet lightweight solution that speeds up DNSSEC deployment while offering an acceptable DNSSEC-like defense. This paper proposes a new defense against cache poisoning attacks that still uses DNSSEC, but uses it sparingly. In the proposed solution, DNS operates in a DNSSEC-oblivious mode unless a potential attack is detected, which triggers a switch to a DNSSEC-aware mode. The performance of the defense is analyzed and validated. The model checking results demonstrate that only a small DNSSEC query load is needed to keep the cache poisoning success rate sufficiently low.
Taxonomy
Topics: Network Packet Processing and Optimization · IPv6, Mobility, Handover, Networks, Security · Access Control and Trust
